Security Headers Checker
Evaluate your website's HTTP security headers with our comprehensive checker. Identify missing or misconfigured headers, and receive actionable insights to enhance your site's security posture. Ensure compliance with best practices and protect your users from potential vulnerabilities.
Security Headers Technical Reference
Detailed information about each security header and its importance:
Content-Security-Policy
A security header that mitigates Cross-Site Scripting (XSS) and other injection attacks by telling the browser which sources of scripts, styles, images and other resources a page may load. Each fetch directive (script-src, style-src, img-src and so on) takes a list of allowed sources; directives you do not set fall back to default-src. The same header also controls who may frame the page (frame-ancestors) and can be deployed in report-only mode as Content-Security-Policy-Report-Only.
default-src 'self'; script-src 'self' https://trusted.com;
Start with a strict policy and relax it only where a specific resource needs it. Always include a default-src directive so that every directive you leave out has a restrictive fallback. Avoid 'unsafe-inline' and wildcard sources in script-src, since they give up most of the XSS protection; use nonces or hashes for inline scripts instead. Roll a new policy out as Content-Security-Policy-Report-Only first so that violations are reported but not blocked, then switch to the enforcing header once the reports are clean.
Strict-Transport-Security
Tells browsers to use HTTPS for every future request to your domain, for the number of seconds given by max-age, and to refuse to let the user click through certificate errors. This defends against protocol-downgrade and SSL-stripping attacks and against cookie hijacking over plaintext HTTP. The header is only honoured when received over a valid HTTPS connection, so the very first visit is unprotected unless the domain is on the browsers' built-in preload list.
max-age=31536000; includeSubDomains; preload
Use a max-age of at least one year (31536000 seconds) and add includeSubDomains if every subdomain serves HTTPS. Add preload only when you intend to submit the domain to hstspreload.org: preloading is hard to undo and commits every subdomain to HTTPS.
X-Frame-Options
Prevents your pages from being embedded in frames on other sites, protecting against clickjacking attacks in which a hidden frame tricks the user into clicking your UI.
SAMEORIGIN
Use DENY to forbid framing entirely, or SAMEORIGIN to allow framing only by pages from the same origin (same scheme, host and port, not merely the same domain). The ALLOW-FROM value is not supported by current browsers; to allow specific third parties to frame you, use the Content-Security-Policy frame-ancestors directive, which browsers prefer over X-Frame-Options when both are present.
X-XSS-Protection
Controls the reflected-XSS filter that was built into older browsers. Chrome and Edge have removed the filter and Firefox never implemented it, so the header now only affects legacy browsers. The filter could itself be abused to leak information about the page to other origins, which is why current guidance favours disabling it and relying on Content-Security-Policy.
0
Set 0 to disable the legacy filter and rely on a strong Content-Security-Policy for injection defence. If you must support old browsers that still carry the filter, "1; mode=block" blocks the page instead of rewriting it and is the safer of the two active modes.
X-Content-Type-Options
Tells the browser not to MIME-sniff a response away from its declared Content-Type. Without it, a browser may treat a file served as text/plain, or a user-uploaded "image", as a script or stylesheet, which turns upload and content-injection bugs into XSS; the header also lets the browser block cross-origin reads of responses whose type does not match what the page asked for.
nosniff
Always set nosniff, and make sure every response carries an accurate Content-Type, since the header makes the browser trust that value rather than guessing.
Referrer-Policy
Controls how much of the current URL is sent in the Referer header of outgoing requests and navigations. This protects user privacy and keeps secrets embedded in URLs (session tokens, password-reset links, search queries) from leaking to third-party sites.
strict-origin-when-cross-origin
Use strict-origin-when-cross-origin for a good balance of security and functionality: the full URL is sent on same-origin requests, only the origin on cross-origin HTTPS requests, and nothing on an HTTPS-to-HTTP downgrade. This is the default in current browsers, but set it explicitly so that older browsers, whose default of no-referrer-when-downgrade sends the full URL cross-origin, behave the same way. Never use unsafe-url.
Permissions-Policy
Controls which browser features and APIs (geolocation, camera, microphone, payment and others) the page and the frames it embeds may use. This limits the damage of injected or compromised third-party scripts that would otherwise inherit the page's access to those features. The header was formerly called Feature-Policy, with a different syntax.
geolocation=(), microphone=(), camera=()
Disable every feature you do not need with an empty allowlist, as above, and grant the rest only to the origins that require them, for example camera=(self "https://trusted.com").
Public-Key-Pins (obsolete)
Told browsers to accept only certificates whose chain contained one of the pinned public keys (SPKI hashes), as a defence against mis-issued certificates and man-in-the-middle attacks. In practice misconfigured pins locked users out of sites for the whole max-age, and an attacker who briefly controlled a domain could pin it to keys the owner did not hold. The header has been removed from all major browsers and no longer provides any protection.
pin-sha256="base64=="; max-age=5184000
Do not deploy it on new sites and remove it from existing ones. The recommended replacement is monitoring Certificate Transparency logs for certificates issued for your domains. Historically a valid policy needed at least two pins, one of them a backup key kept offline, precisely because a single lost key made the site unreachable.
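As an added example (not the checker's own code), the following Python script applies the rules in this reference to a raw HTTP response offline: it parses the header block, grades each header as ok, warn or fail, and says why. The two sample responses are constructed for illustration, and trusted.com and partner.example are placeholder hostnames.

```python
"""Offline security-header check applying the rules from the reference above (added example)."""
import re
from typing import Dict, List, Tuple

ONE_YEAR = 31536000
SAFE_REFERRER = ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")

# Constructed weak response (not captured from a real site): every header is missing or misconfigured.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOW-FROM https://partner.example
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
Public-Key-Pins: pin-sha256="AAAA"; max-age=5184000

<html>body text is ignored by the parser</html>
"""

# Constructed response carrying the recommended values from the reference.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; repeated fields are joined with ', '."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                             # blank line ends the header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def parse_policy(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_headers(h: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {header: (status, note)} with status 'ok', 'warn' or 'fail'."""
    r: Dict[str, Tuple[str, str]] = {}
    csp = h.get("content-security-policy", "")
    p = parse_policy(csp)
    scripts = p.get("script-src", p.get("default-src", []))   # CSP falls back to default-src
    if not csp:
        r["Content-Security-Policy"] = ("fail", "missing; no injection mitigation")
    elif "default-src" not in p:
        r["Content-Security-Policy"] = ("warn", "no default-src fallback")
    elif "'unsafe-inline'" in scripts or "*" in scripts:
        r["Content-Security-Policy"] = ("warn", "script-src allows inline or wildcard scripts")
    else:
        r["Content-Security-Policy"] = ("ok", "restrictive policy present")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        r["Strict-Transport-Security"] = ("fail", "missing or no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        r["Strict-Transport-Security"] = ("warn", f"max-age {m.group(1)} is below one year")
    elif "includesubdomains" not in hsts.lower():
        r["Strict-Transport-Security"] = ("warn", "includeSubDomains not set")
    else:
        r["Strict-Transport-Security"] = ("ok", "one year or more, subdomains included")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" in p or xfo in ("DENY", "SAMEORIGIN"):   # frame-ancestors supersedes XFO
        r["X-Frame-Options"] = ("ok", "framing restricted")
    elif xfo.startswith("ALLOW-FROM"):
        r["X-Frame-Options"] = ("fail", "ALLOW-FROM is unsupported; use CSP frame-ancestors")
    else:
        r["X-Frame-Options"] = ("fail", "missing; page can be framed (clickjacking)")
    xss_off = h.get("x-xss-protection", "0").strip().startswith("0")
    r["X-XSS-Protection"] = (("ok", "legacy filter disabled; CSP is the real control") if xss_off
                             else ("warn", "legacy filter enabled; set 0 and rely on CSP"))
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    r["X-Content-Type-Options"] = (("ok", "nosniff") if nosniff
                                   else ("fail", "missing nosniff; MIME sniffing possible"))
    ref = h.get("referrer-policy", "").lower()
    r["Referrer-Policy"] = (("ok", ref) if ref in SAFE_REFERRER
                            else ("warn", f"'{ref}' is missing or can leak full URLs cross-origin"))
    r["Permissions-Policy"] = (("ok", "present") if "permissions-policy" in h
                               else ("warn", "missing; sensitive browser features unrestricted"))
    if "public-key-pins" in h:
        r["Public-Key-Pins"] = ("warn", "obsolete and ignored by browsers; remove it")
    return r

def check_response(raw: str) -> Dict[str, Tuple[str, str]]:
    return check_headers(parse_headers(raw))
```

check_response(WEAK_RESPONSE) flags every header in the constructed weak response, while check_response(GOOD_RESPONSE) returns ok for all seven recommended headers. To grade a live site, feed parse_headers the output of curl -si https://example.com; the parser stops at the blank line that ends the header block, so the body is ignored. The fallback from script-src to default-src mirrors how browsers resolve a policy, and a CSP frame-ancestors directive satisfies the framing check because browsers prefer it over X-Frame-Options.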
Key Features
- Comprehensive security headers analysis
- Real-time header checking
- Detailed recommendations for each header
- Support for all major security headers
- Easy-to-understand status indicators
Common Use Cases
- Website security audits
- Security compliance checking
- Web development testing
- Security policy implementation
- Regular security monitoring
How to Use
- Enter the website URL you want to check
- Click the "Check Headers" button
- Wait for the analysis to complete
- Review the results and recommendations
- Implement suggested security improvements