TrustYourWebsite

Free Tool

Free Security Headers Checker

Enter your URL to check which security headers are present and get a grade with specific recommendations to improve your security posture.

How it works

  1. Enter your URL

     Paste your website address into the checker above.

  2. We check the headers

     The tool fetches your page and inspects all HTTP security headers against best practices.

  3. Review your grade

     See which headers are present, missing or misconfigured with plain-language explanations.

What this tool checks

  • Strict-Transport-Security (HSTS)

    Forces HTTPS connections and prevents downgrade attacks.

  • Content-Security-Policy (CSP)

    Controls which resources the browser may load, which helps block XSS attacks.

  • X-Frame-Options

    Prevents clickjacking by blocking your site from being embedded in iframes.

  • X-Content-Type-Options

    Stops browsers from guessing content types, blocking MIME-sniffing attacks.

  • Referrer-Policy and Permissions-Policy

    Controls referrer information sharing and browser feature access.

Why security headers matter

Security headers are instructions your web server sends to browsers along with every page. They tell the browser what it is allowed to do and what it should block. Without them, your site is more vulnerable to cross-site scripting (XSS), clickjacking, data injection and man-in-the-middle attacks.

Most modern web frameworks make it straightforward to add security headers. A few lines of configuration can block entire classes of attacks. Yet many websites still ship without basic headers because they are invisible to the naked eye.

Google also considers HTTPS and security signals as ranking factors. A properly secured site not only protects your visitors but can perform better in search results.

Frequently asked questions

What are HTTP security headers?

HTTP security headers are response headers that your web server sends to browsers. They instruct the browser on how to behave when handling your site's content, blocking attacks like XSS and clickjacking.

Why is my site getting an F grade?

An F grade means most recommended security headers are missing. This is common for sites using default server configurations. Adding headers usually takes a few minutes of server configuration.

How do I add security headers to my site?

The method depends on your hosting. For Apache, use .htaccess; for Nginx, use the server block config; for Vercel or Netlify, use their headers config file. Most CDNs also let you add headers.

Does adding security headers slow down my website?

No. Security headers add a negligible amount of data to each response, typically less than 500 bytes. They have no measurable impact on page load speed.

Is Content-Security-Policy difficult to set up?

CSP can be complex for sites with many third-party scripts. Start with report-only mode to see what would be blocked before enforcing. A basic policy is straightforward to implement.

Do security headers affect SEO?

Indirectly, yes. Google favours HTTPS sites and HSTS ensures HTTPS is always used. A secure site also builds user trust, reducing bounce rates, which can improve rankings.

How often should I check my security headers?

Check after every deployment or server configuration change. Headers can be accidentally removed during updates. Regular monitoring catches regressions before attackers do.
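
A post-deployment regression check over the headers listed under "What this tool checks" could look like the sketch below. It is an added example, not this tool's own code. The HSTS threshold, the grade scale, the function names and the sample headers are assumptions made for illustration.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed threshold, not the tool's own

def audit_headers(headers):
    """Map each problem header (of those this page lists) to a finding."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    out = {}
    hsts = h.get("strict-transport-security")
    age = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        out["strict-transport-security"] = "missing"
    elif not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        out["strict-transport-security"] = "misconfigured: max-age absent or too short"

    csp = h.get("content-security-policy")
    if csp is None:
        # Report-only mode reports violations but blocks nothing.
        report_only = "content-security-policy-report-only" in h
        out["content-security-policy"] = "report-only, not enforced" if report_only else "missing"

    # An enforced CSP frame-ancestors directive also restricts framing.
    if "frame-ancestors" not in (csp or "").lower():
        xfo = h.get("x-frame-options")
        if xfo is None:
            out["x-frame-options"] = "missing"
        elif xfo.lower() not in ("deny", "sameorigin"):
            out["x-frame-options"] = "misconfigured: use DENY or SAMEORIGIN"

    xcto = h.get("x-content-type-options")
    if xcto is None:
        out["x-content-type-options"] = "missing"
    elif xcto.lower() != "nosniff":
        out["x-content-type-options"] = "misconfigured: only 'nosniff' is valid"

    for name in ("referrer-policy", "permissions-policy"):  # presence only
        if name not in h:
            out[name] = "missing"
    return out

def grade(findings):
    """Assumed scale: one letter per finding, F once most of the six fail."""
    return "ABCDF"[min(len(findings), 4)]

# Constructed sample: response headers captured after a deployment.
SAMPLE = {"Strict-Transport-Security": "max-age=300",
          "Content-Security-Policy-Report-Only": "default-src 'self'",
          "X-Frame-Options": "ALLOWALL", "X-Content-Type-Options": "nosniff",
          "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Failing the pipeline whenever `audit_headers` returns a non-empty result turns a silently dropped header into a visible build error.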

Security is just one piece of the puzzle

Your security headers score tells part of the story. We also check cookie consent, GDPR compliance, accessibility and 120+ other compliance points.

Run free website scan →