
Security Headers Checker report

for cloudflare.com · Jun 13, 2026

Security headers for cloudflare.com: 8/8 checks passed, grade A (100/100)

HTTPS: Served over HTTPS.
Strict-Transport-Security (HSTS): Forces browsers to use HTTPS. Value: max-age=31536000; includeSubDomains
Content-Security-Policy: A CSP is set — strong defense against XSS and injection. Value: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsa…
X-Frame-Options: Clickjacking protection is in place. Value: SAMEORIGIN
X-Content-Type-Options: MIME-sniffing is disabled. Value: nosniff
Referrer-Policy: Referrer leakage is controlled. Value: strict-origin-when-cross-origin
Permissions-Policy: Browser feature access is restricted.
No version disclosure: No tech/version details leaked in headers.


Security headers are instructions your server sends to every visitor's browser telling it how to behave safely. The right ones stop a huge range of attacks — cross-site scripting, clickjacking, protocol downgrade, and data leakage — for free, without changing a line of your site's code.

This tool fetches your site and grades the headers that matter: HSTS (forces HTTPS), Content-Security-Policy (blocks injection/XSS), X-Frame-Options (stops clickjacking), X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and whether your server is leaking its software version to attackers.

You'll get a letter grade and the exact headers to add. We can configure them all for you.
