
HTTP Security Headers Checker

Enter any website URL to instantly check its security response headers and get an A–F grade. Identifies missing CSP, HSTS, X-Frame-Options and more.

📖 Security Headers Reference
Content-Security-Policy (CSP)
Critical — The most powerful security header. Defines which sources can load scripts, styles, images and other resources. Prevents XSS attacks by blocking inline scripts and unauthorized domains.
Strict-Transport-Security (HSTS)
Critical — Forces browsers to always connect via HTTPS, even if the user types http://. Prevents SSL stripping attacks. The max-age value determines how long this rule is cached.
X-Frame-Options (XFO)
Important — Prevents your site from being embedded in iframes on other domains. Stops clickjacking attacks where attackers overlay invisible frames over your pages.
X-Content-Type-Options (XCTO)
Important — Prevents browsers from guessing (sniffing) the content type of responses. Always set to nosniff — stops MIME-type confusion attacks.
Referrer-Policy (RP)
Moderate — Controls how much referrer information is sent when navigating from your site. no-referrer or strict-origin-when-cross-origin are the recommended values.
Permissions-Policy (PP)
Moderate — Controls access to browser features like camera, microphone, geolocation and payment APIs. Prevents malicious scripts from accessing sensitive device capabilities.
X-XSS-Protection (XSS)
Low — Legacy XSS filter for old browsers. Modern browsers have built-in protections. Setting 1; mode=block is still recommended for compatibility, but CSP is the modern replacement.

Frequently Asked Questions

What is an HTTP security headers checker?
It fetches the response headers from any website and checks whether key security headers like CSP, HSTS, X-Frame-Options and X-Content-Type-Options are present and correctly configured. It then assigns a grade from A (all headers set correctly) to F (most headers missing).
What grade should my website get?
A or B is the target. A means all critical and important headers are set correctly. B means minor issues. C and below means significant security headers are missing. F means most security headers are absent — common on older or poorly configured sites.
How is the grade calculated?
The grade is based on the presence and validity of 7 key security headers: Content-Security-Policy (highest weight), Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and X-XSS-Protection. Missing critical headers drop the grade significantly.
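A sketch of the weighted presence-and-validity scoring described in this answer, added here as an example and not the tool's own code. The weights, grade floors, half-credit rule and sample headers are assumptions; Referrer-Policy and X-XSS-Protection are checked against the values this page recommends.

```python
import re
# Weights and grade floors are assumptions; the page only says CSP weighs most.
WEIGHTS = {
    "content-security-policy": 30, "strict-transport-security": 25,
    "x-frame-options": 15, "x-content-type-options": 15,
    "referrer-policy": 5, "permissions-policy": 5, "x-xss-protection": 5,
}
FLOORS = ((90, "A"), (75, "B"), (60, "C"), (40, "D"))

def _hsts_ok(value):
    # max-age=0 tells the browser to drop the HSTS entry, so it does not count.
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0

def _referrer_ok(value):
    # A comma-separated list is a fallback chain; browsers use the last
    # value they recognise.
    last = value.split(",")[-1].strip().lower()
    return last in ("no-referrer", "strict-origin-when-cross-origin")

VALID = {
    "content-security-policy": lambda v: bool(v.strip()),
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": _referrer_ok,
    "permissions-policy": lambda v: bool(v.strip()),
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
}

def grade(headers):
    """Return (score, letter, findings) for a dict of response headers."""
    got = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    score, findings = 0, []
    for name, weight in WEIGHTS.items():
        if name not in got:
            findings.append((name, "missing"))
        elif VALID[name](got[name]):
            score += weight
        else:
            score += weight // 2  # present but weak: half credit (assumption)
            findings.append((name, "weak value"))
    letter = next((g for floor, g in FLOORS if score >= floor), "F")
    return score, letter, findings

SAMPLE = {  # constructed response headers, not taken from a real site
    "Strict-Transport-Security": "max-age=0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
}
```

Under these assumed weights, `grade(SAMPLE)` scores 39 (F), and removing only Content-Security-Policy from an otherwise complete set drops the score from 100 (A) to 70 (C).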
What is the difference between this and the HTTP Headers Checker?
The HTTP Headers Checker shows the request headers YOUR BROWSER sends to websites. The HTTP Security Headers Checker scans a website's RESPONSE headers to see how well it protects its visitors. They are opposite directions of the same connection.
How do I add security headers to my website?
For Apache add them in .htaccess using Header set directives. For Nginx add them in your server block. For Cloudflare use Transform Rules. For most frameworks there are middleware packages. The exact directives for each header are documented on MDN Web Docs.
Does this tool store the URLs I check?
No. The check is performed server-side using a HEAD request, results are returned to your browser and nothing is logged or stored. The tool is completely stateless.