Security Headers Checker
Grade your website's HTTP security headers from A to F. We check HSTS, Content-Security-Policy, clickjacking protection, MIME-sniffing, referrer leakage, and version disclosure — and tell you exactly what to add.
Security headers are instructions your server sends to every visitor's browser telling it how to behave safely. The right ones stop a huge range of attacks — cross-site scripting, clickjacking, protocol downgrade, and data leakage — for free, without changing a line of your site's code.
This tool fetches your site and grades the headers that matter: HSTS (forces HTTPS), Content-Security-Policy (blocks injection/XSS), X-Frame-Options (stops clickjacking), X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and whether your server is leaking its software version to attackers.
You'll get a letter grade and the exact headers to add. We can configure them all for you.
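A minimal sketch of the checks described above, as an added example rather than this tool's own code. The grading scale (one letter per missing control, F at four or more) and both sample header sets are assumptions made for illustration.

```python
import re

def grade_headers(headers):
    """Return (grade, findings) for a dict of HTTP response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS: needs a non-zero max-age (max-age=0 tells the browser to forget it).
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("add Strict-Transport-Security: max-age=31536000")
    # CSP: only the enforcing header counts; a Report-Only policy blocks nothing.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("add Content-Security-Policy")
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp.lower():
        findings.append("add X-Frame-Options: SAMEORIGIN")
    # MIME sniffing: nosniff is the only valid value.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("add X-Content-Type-Options: nosniff")
    # Referrer leakage: in a fallback list the last value is the one modern browsers use.
    rp = h.get("referrer-policy", "").lower().split(",")[-1].strip()
    if rp in ("", "unsafe-url"):
        findings.append("add Referrer-Policy: strict-origin-when-cross-origin")
    if "permissions-policy" not in h:
        findings.append("add Permissions-Policy")
    # Version disclosure: a digit in Server, or any X-Powered-By header.
    if re.search(r"\d", h.get("server", "")) or "x-powered-by" in h:
        findings.append("remove version details from Server / X-Powered-By")
    # Assumed scale: 0 findings = A, 1 = B, 2 = C, 3 = D, 4 or more = F.
    return "ABCDF"[min(len(findings), 4)], findings

# Constructed sample responses, not captured from any real site.
WEAK = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3", "X-Frame-Options": "ALLOWALL"}
STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=()",
    "Server": "nginx",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(name, *grade_headers(hdrs))
```

To grade a live site, pass the response headers from any HTTP client into `grade_headers` in place of the constructed dictionaries.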
FAQs
What are HTTP security headers?
They're instructions your server sends to browsers to behave more safely — blocking attacks like cross-site scripting, clickjacking, and protocol downgrade. They're free and don't require code changes.
Which headers matter most?
HSTS (forces HTTPS), Content-Security-Policy (blocks injection/XSS), and X-Frame-Options (stops clickjacking) have the biggest impact. The rest add defense in depth.
Will adding these break my site?
A poorly written Content-Security-Policy can block legitimate scripts, so it needs care. The others are safe to add. We configure them correctly and test thoroughly.
Can you set these up for me?
Yes — we add and tune security headers as part of our hosting and security work. Get in touch.