Security headers checker | Enhance Your Website Security

In your browser Updated 06/2026

Security Headers Technical Reference

Detailed information about each security header and its importance:

A powerful security header that helps prevent Cross-Site Scripting (XSS) and other code injection attacks. It allows you to specify which resources (scripts, styles, images, etc.) are allowed to be loaded by the browser.

Example:
default-src 'self'; script-src 'self' https://trusted.com;
Best Practice:

Start with a strict policy and gradually relax it as needed. Always include default-src directive.

Forces browsers to use HTTPS instead of HTTP for all future requests to your domain. This helps prevent protocol downgrade attacks and cookie hijacking.

Example:
max-age=31536000; includeSubDomains; preload
Best Practice:

Use a long max-age (at least 1 year) and include subdomains if applicable.

Prevents your website from being embedded in iframes on other sites, protecting against clickjacking attacks.

Example:
SAMEORIGIN
Best Practice:

Use DENY to completely prevent framing, or SAMEORIGIN to allow framing only from your own domain.

Enables the browser's built-in XSS filtering. While modern browsers are moving away from this header, it provides an additional layer of protection for older browsers.

Example:
1; mode=block
Best Practice:

Use "1; mode=block" to enable protection and block the page if an attack is detected.

Prevents browsers from MIME-sniffing a response away from the declared content type, reducing exposure to drive-by download attacks.

Example:
nosniff
Best Practice:

Always set to "nosniff" to prevent MIME type sniffing.

Controls how much referrer information should be included with requests. This helps protect user privacy by controlling what information is sent to other sites.

Example:
strict-origin-when-cross-origin
Best Practice:

Use "strict-origin-when-cross-origin" for a good balance of security and functionality.

Controls which browser features and APIs can be used on your website. This helps prevent abuse of sensitive browser features.

Example:
geolocation=(), microphone=(), camera=()
Best Practice:

Disable features you don't need and carefully control access to sensitive features.

Allows websites to specify which certificate authorities should be trusted for your domain. This helps prevent man-in-the-middle attacks.

Example:
pin-sha256="base64=="; max-age=5184000
Best Practice:

Include at least two pins and a backup plan. Note: This header is being deprecated in favor of Certificate Transparency.

Key Features

  • Comprehensive security headers analysis
  • Real-time header checking
  • Detailed recommendations for each header
  • Support for all major security headers
  • Easy-to-understand status indicators

Common Use Cases

  • Website security audits
  • Security compliance checking
  • Web development testing
  • Security policy implementation
  • Regular security monitoring

How to Use

  1. Enter the website URL you want to check
  2. Click the "Check Headers" button
  3. Wait for the analysis to complete
  4. Review the results and recommendations
  5. Implement suggested security improvements

Frequently Asked Questions

HTTP security headers are directives sent by a web server to instruct browsers on how to handle the site content. They protect against common attacks like cross-site scripting (XSS), clickjacking, and MIME-type sniffing.

Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options are considered the most critical. Together they prevent the majority of common web-based attacks.

Security headers are configured on your web server (Apache, Nginx) or through your application code. Each header requires specific directives added to your server configuration file or response headers.

Check after every deployment or configuration change, and run a periodic audit at least once a month to catch regressions introduced by new code or third-party scripts.

Content-Security-Policy (CSP) is widely considered the most impactful because it directly mitigates cross-site scripting (XSS), the most common web vulnerability. Strict-Transport-Security is a close second for any HTTPS site.

Check your website's HTTP security headers. Identify missing or misconfigured headers and get insights to improve security and compliance. Protect users from vulnerabilities.

What Is a Security Headers Checker?

A security headers checker scans the HTTP response headers a website sends and flags which protective headers are present or missing. The right headers defend visitors against attacks like cross-site scripting and clickjacking.