HTTP Security Headers Checker

Check 9 critical security headers and get a letter grade. CSP, HSTS, X-Frame-Options, Referrer-Policy, and more.

Frequently Asked Questions

What are HTTP security headers?
HTTP security headers are response headers that instruct the browser to enable security features — preventing XSS (Content-Security-Policy), clickjacking (X-Frame-Options), MIME sniffing (X-Content-Type-Options), and downgrade attacks (Strict-Transport-Security).
What is Content-Security-Policy (CSP)?
CSP is the most powerful security header. It controls which origins can load scripts, styles, images, and other resources. A properly configured CSP prevents most XSS and data injection attacks by blocking unauthorized scripts.
What grade should my website get?
Aim for at least a B grade. An A+ requires all 9 security headers properly configured. The most critical are Content-Security-Policy and Strict-Transport-Security — start with those.
How do I add security headers to my site?
Security headers are typically set in your web server config (Nginx add_header, Apache Header set), CDN settings (Cloudflare, AWS CloudFront), or application middleware (Django SecurityMiddleware, Express helmet).