OneWebDesk

Security Headers Checker

Check and grade security headers like HSTS, CSP and X-Frame-Options.

Security Headers Checker inspects six core HTTP security headers a site sends in its responses — HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. These headers let the browser defend against common web threats like man-in-the-middle attacks, clickjacking, MIME sniffing and information leakage, so checking which ones are present gives you a quick read on a site's baseline protection.

Just enter a URL and the server safely requests it, reads the response headers, and grades the site from A to F based on how many headers are present. It only reads headers — not the page body — so the check is fast and lightweight. Results are briefly cached for instant repeat checks.

What each security header does

  • Strict-Transport-Security (HSTS): forces future visits over HTTPS, blocking downgrade and man-in-the-middle attacks.
  • Content-Security-Policy (CSP): restricts which sources may load scripts, styles and images, reducing XSS and injection.
  • X-Frame-Options: prevents the page from being embedded in another site's frame, stopping clickjacking.
  • X-Content-Type-Options: with nosniff, stops the browser from guessing MIME types and mis-executing content.
  • Referrer-Policy: limits how much referrer information is sent to other sites, reducing leakage of data in URLs.
  • Permissions-Policy: explicitly restricts access to browser features like camera, microphone and geolocation.

How to read the score and grade

The score counts how many of the six headers are present (n/6) and assigns a grade from A to F by ratio. All headers present earns an A; half or fewer drops to D or below. Note that the tool checks presence only, so it does not guarantee the quality of a value — for example a too-permissive CSP or a short HSTS max-age. Review each header's actual value in the table to confirm it is configured as intended.

Re-checking after changes

Headers are added in your web server (nginx, Apache), application, or CDN configuration. After a change, caching or CDN propagation may briefly serve old responses, so checking a few minutes later is more reliable than right after deploying. If you are writing a CSP for the first time, assemble it with the CSP generator, and verify cookie security attributes with the cookie security check.

Frequently asked questions

Which page is checked?
We request the URL you enter and inspect the headers of the final response. If there are redirects, we follow them and read the final URL's headers, which the result also displays.
A header is set but shows as missing.
It may be set only on certain paths, or a CDN/cache may be serving an old response. Try again shortly or check the exact path's URL. This tool also caches results for about 90 seconds.
Does a low score mean the site is unsafe?
The score is a reference indicator of how many recommended headers are applied. A low score doesn't automatically mean a vulnerability, but it signals gaps in defenses against common attacks, so filling missing headers first is wise.
Is the URL I enter stored externally?
Your input is used only for the check and isn't stored separately. To prevent SSRF, the server blocks requests to unsafe targets such as internal networks and private IPs.
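The following is an added example, not OneWebDesk's own code, that implements the two mechanisms this page describes: the presence-only score and grade from "How to read the score and grade" (count of the six headers, n/6, mapped to A–F) plus the value checks that section says the tool does not perform (short HSTS max-age, permissive CSP, wrong nosniff or X-Frame-Options values), and a minimal target guard of the kind the SSRF answer above mentions. The exact grade ladder (5/6 = B, 4/6 = C, 2–3/6 = D, below that F), the one-year HSTS baseline and the sample response headers are assumptions constructed for the example; the page states only that 6/6 is an A and half or fewer is D or below.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The six headers the page's checker inspects. HTTP header names are
# case-insensitive, so everything is compared in lower case.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

ONE_YEAR_SECONDS = 31536000  # assumed HSTS max-age baseline for the warning


def grade_for(present_count, total=len(SECURITY_HEADERS)):
    """Map the n/total presence count to a letter grade (assumed ladder)."""
    if present_count == total:
        return "A"
    if present_count == total - 1:
        return "B"
    if present_count == total - 2:
        return "C"
    if present_count >= 2:
        return "D"
    return "F"


def parse_csp(csp):
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return directives


def value_warnings(headers):
    """Flag weak values that a presence-only score cannot see.

    `headers` must already have lower-cased keys.
    """
    warnings = []

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if match is None or int(match.group(1)) < ONE_YEAR_SECONDS:
            warnings.append("HSTS max-age is missing or shorter than one year")

    csp = headers.get("content-security-policy")
    if csp is not None:
        directives = parse_csp(csp)
        # script-src falls back to default-src; with neither, scripts are unrestricted.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if (not script_src or "*" in script_src
                or "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src):
            warnings.append("CSP allows broad, inline or eval script execution")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        warnings.append("X-Content-Type-Options is set but not 'nosniff'")

    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        warnings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    return warnings


def grade_headers(raw_headers):
    """Score a mapping of response headers the way the page describes.

    Returns a dict with the n/6 score, the letter grade, the missing
    headers and any value warnings.
    """
    headers = {name.lower(): value for name, value in raw_headers.items()}
    present = [h for h in SECURITY_HEADERS if h in headers]
    missing = [h for h in SECURITY_HEADERS if h not in headers]
    return {
        "score": f"{len(present)}/{len(SECURITY_HEADERS)}",
        "grade": grade_for(len(present)),
        "missing": missing,
        "warnings": value_warnings(headers),
    }


def is_blocked_target(url):
    """Reject URLs whose host is localhost or a literal non-public IP.

    Offline guard only: a production check must also resolve hostnames and
    test every resulting address, and re-check after each redirect.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP; needs DNS resolution to judge
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


# Constructed sample response (not captured from any real site): five of the
# six headers are present, but two of them carry weak values.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for url in ("https://example.com/", "http://127.0.0.1:8080/"):
        print(url, "blocked" if is_blocked_target(url) else "allowed")
    print(grade_headers(SAMPLE_RESPONSE_HEADERS))
```

The sample grades as B (5/6) because Permissions-Policy is absent, and the warnings show why the page tells you to read the table rather than trust the grade alone: the 300-second HSTS max-age and the `'unsafe-inline'` script source both pass the presence check. A real checker would fetch the headers with a HEAD or GET request, follow redirects, and run `is_blocked_target` against each hop's resolved addresses before connecting.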
