Most websites are missing critical security headers. A recent survey found that over 80% of websites on the internet fail to set a Content-Security-Policy header, and more than half have no Strict-Transport-Security configuration. These are not obscure technical details — they are the first line of defence against XSS attacks, clickjacking and protocol downgrade attacks.
The Anonymiz HTTP Security Headers Checker scans any website and grades its security headers from A to F in seconds. No signup, no install — just paste a URL and get a full analysis.
What Are HTTP Security Headers?
When a web server responds to a browser's request, it sends back a set of key-value pairs called response headers alongside the page content. Most headers handle technical details like caching and content type. Security headers are a subset that instruct the browser how to handle the page from a security perspective.
They are set by the web server or application — not the browser. The browser simply honours them. A site that does not set these headers is leaving the browser with no instructions, which means the browser falls back to permissive defaults that attackers can exploit.
The 7 Headers the Checker Grades
1. Content-Security-Policy (CSP)
The most important security header. CSP defines exactly which sources are allowed to load scripts, styles, images, fonts and other resources on your page. A properly configured CSP prevents cross-site scripting (XSS) attacks by blocking inline scripts and unauthorized external scripts from executing — even if an attacker manages to inject malicious code into your page.
Without CSP, any injected script runs freely. With a strict CSP, injected scripts are blocked by the browser before they can execute.
2. Strict-Transport-Security (HSTS)
HSTS tells browsers to always connect to your site via HTTPS — even if a user types http:// or clicks an old HTTP link. The max-age directive controls how long this instruction is cached. Without HSTS, attackers on the same network (coffee shop Wi-Fi, etc.) can intercept an initial HTTP connection and downgrade it before HTTPS kicks in.
3. X-Frame-Options (XFO)
Prevents your site from being loaded inside an iframe on another domain. Without this, attackers can embed your site invisibly inside their own page and trick users into clicking elements they cannot see — this is called clickjacking. Setting XFO to DENY or SAMEORIGIN closes this attack vector.
4. X-Content-Type-Options (XCTO)
A simple one-liner: X-Content-Type-Options: nosniff. This stops browsers from guessing the content type of a response when the server does not declare one clearly. Without it, browsers may interpret a plain text file as executable JavaScript — a MIME-type confusion attack that attackers can use to execute arbitrary code.
5. Referrer-Policy
Controls how much of your URL is included in the Referer header when users click links leaving your site. Without a policy, full URLs including query strings (which may contain session tokens or sensitive parameters) are sent to third-party sites. A value of strict-origin-when-cross-origin or no-referrer limits this exposure.
6. Permissions-Policy
Restricts which browser APIs embedded scripts and iframes can access — camera, microphone, geolocation, payment, and more. Without this header, any third-party script on your page (analytics, ads, widgets) could potentially request access to sensitive device features.
7. X-XSS-Protection
A legacy header for older browsers that enables their built-in XSS filter. Modern browsers have built-in protections that supersede this, but it is still worth setting for compatibility. The recommended value is 1; mode=block.
How the Grade Is Calculated
The checker assigns weights to each header based on the severity of its absence. CSP and HSTS carry the most weight since missing them creates the highest risk. The tool calculates a score from 0 to 100 and converts it to a letter grade:
- Grade A — All critical headers present and correctly configured. Excellent security posture.
- Grade B — Most headers set, minor gaps. Good but room for improvement.
- Grade C — Several important headers missing. Significant risk.
- Grade D — Most headers absent. Visitors are exposed to preventable attacks.
- Grade F — Almost no security headers. Common on shared hosting and WordPress sites with no security plugin.
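Here is how such a weighted grade can be computed, as an added example written for this article rather than the Anonymiz checker's own code. The seven headers are the ones graded above; the weights, the per-header "good value" tests and the A to F cut-offs are this example's assumptions, since the page does not publish the tool's scoring.

```python
# Added example (not the Anonymiz checker's code): weights, predicates and cut-offs are assumptions.
import re, urllib.request

def hsts_max_age(value):
    """Seconds from an HSTS max-age directive, 0 if absent or malformed."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0

# header name -> (assumed weight, predicate: is the value actually protective?)
CHECKS = {
    "content-security-policy": (30, lambda v: ("default-src" in v or "script-src" in v)
                                and "'unsafe-inline'" not in v),
    "strict-transport-security": (25, lambda v: hsts_max_age(v) >= 31536000),  # >= one year
    "x-frame-options": (10, lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options": (10, lambda v: v.strip().lower() == "nosniff"),
    "referrer-policy": (10, lambda v: v.strip().lower() in
                        ("no-referrer", "strict-origin-when-cross-origin", "same-origin")),
    "permissions-policy": (10, lambda v: bool(v.strip())),
    "x-xss-protection": (5, lambda v: v.replace(" ", "").lower() == "1;mode=block"),
}

def score_headers(headers):
    """Return (0-100 score, findings); a present-but-weak header earns half credit."""
    lower = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    for name, (weight, ok) in CHECKS.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not ok(lower[name]):
            findings.append(f"weak: {name} = {lower[name]!r}")
            score += weight // 2
        else:
            score += weight
    return score, findings

def letter_grade(score):
    """Map a 0-100 score onto the page's A-F scale (cut-offs assumed)."""
    return next((g for cut, g in ((90, "A"), (75, "B"), (50, "C"), (25, "D")) if score >= cut), "F")
def grade_url(url):
    """GET a live URL (HEAD may omit app-set headers) and grade its response."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        score, findings = score_headers(dict(resp.headers))
    return letter_grade(score), score, findings
# Constructed sample responses (not captured from any real site).
HARDENED = {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
            "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin", "X-XSS-Protection": "1; mode=block",
            "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff"}
```

score_headers() runs offline on the constructed samples; grade_url() needs network access to the site you are auditing.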
How to Fix Missing Headers
Adding security headers depends on your server and stack:
- Apache — Add Header set directives to your .htaccess file
- Nginx — Add add_header directives to your server or location block
- Cloudflare — Use Transform Rules under Rules in your dashboard to add response headers without touching the server
- WordPress — Use a plugin like Solid Security or manually add headers via functions.php or .htaccess
- Node.js / Express — Use the Helmet middleware which sets all major security headers by default
Check Any Website Instantly
The HTTP Security Headers Checker works on any publicly accessible website — your own site, a competitor, a service you are evaluating, or a site you are auditing. It shows the full value of every security header found, flags missing ones, and displays all other response headers for a complete picture.
Run it on your own site first. Most sites get a C or D. Getting to an A takes less than an hour with the right server access.