HTTP Security Header Checker

Fetches a URL and grades the key security headers such as HSTS, CSP and X-Frame-Options.

What this HTTP security header checker does

This tool fetches the URL you enter (following redirects) and grades the response for the security headers that browsers act on. For each header it shows present / warning / missing plus a short fix. A high score means a smaller attack surface against XSS, clickjacking, protocol downgrade and MIME sniffing.

The headers we check

Header                      Protects against
Strict-Transport-Security   Protocol downgrade / SSL stripping
Content-Security-Policy     Cross-site scripting (XSS), data injection
X-Content-Type-Options      MIME-type sniffing
X-Frame-Options             Clickjacking
Referrer-Policy             Referrer URL leakage
Permissions-Policy          Abuse of camera/mic/geolocation APIs

HSTS only has meaning over HTTPS, so on a plain-HTTP URL it is flagged as a warning rather than a failure. After fixing headers, recheck your certificate with the SSL checker. Deep dive: HTTP security headers explained.
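The grading logic described above, as an added Python example (not the checker's own code): it scores the six headers from the table against a captured header set, treating HSTS on a plain-HTTP URL as a warning. The per-header value rules and the 2/1/0 scoring are assumptions; the sample headers are constructed rather than fetched.

```python
from __future__ import annotations

# The headers the checker grades (lower-cased) and what each one protects against.
CHECKS = {
    "strict-transport-security": "protocol downgrade / SSL stripping",
    "content-security-policy": "cross-site scripting, data injection",
    "x-content-type-options": "MIME-type sniffing",
    "x-frame-options": "clickjacking",
    "referrer-policy": "referrer URL leakage",
    "permissions-policy": "abuse of camera/mic/geolocation APIs",
}

def grade_header(name: str, value: str | None, scheme: str) -> str:
    """Return 'present', 'warning' or 'missing' for one header (rules are assumed)."""
    if name == "strict-transport-security" and scheme != "https":
        return "warning"  # browsers ignore HSTS delivered over plain HTTP
    if value is None:
        return "missing"
    v = value.strip().lower()
    if name == "content-security-policy" and "'unsafe-inline'" in v:
        return "warning"  # policy exists but re-enables inline script
    if name == "x-content-type-options" and v != "nosniff":
        return "warning"
    if name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "warning"
    return "present"

def grade(headers: dict[str, str], scheme: str) -> dict:
    """Grade a whole response; score is the percentage of the maximum 2 points per header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    results = {n: grade_header(n, lowered.get(n), scheme) for n in CHECKS}
    points = sum({"present": 2, "warning": 1, "missing": 0}[r] for r in results.values())
    return {"results": results, "score": round(100 * points / (2 * len(CHECKS)))}

# Constructed sample of what a fetch over HTTPS might return (Permissions-Policy left out).
SAMPLE_HTTPS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    report = grade(SAMPLE_HTTPS, "https")
    for name, verdict in report["results"].items():
        print(f"{verdict:8} {name} (protects against {CHECKS[name]})")
    print("score:", report["score"])
```

To grade a live site, replace SAMPLE_HTTPS with the response headers from your HTTP client and pass the final URL's scheme after redirects.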

Frequently asked questions

Does a perfect score mean my site is secure?

No. These headers are defense-in-depth hardening, not a substitute for secure code, patched software and good authentication. A high score reduces common browser-side attacks but does not audit your application logic.

Why is HSTS shown as a warning on my HTTP site?

Strict-Transport-Security is ignored by browsers when delivered over plain HTTP. Serve the site over HTTPS and set the header on the HTTPS response; only then does it take effect.

Should I set a strict Content-Security-Policy right away?

Roll it out carefully. Start in report-only mode, watch for legitimate resources being blocked, then enforce. An overly strict CSP can break inline scripts, analytics and ads.