Free Security Headers Checker
Check CSP, HSTS, X-Frame-Options and all HTTP security headers for any website. Get a grade and exact fix recommendations instantly.
HTTP security headers explained
Content-Security-Policy (CSP)
The browser's strongest defense against cross-site scripting (XSS). It tells the browser which sources are allowed to load scripts, styles, images, and other resources. A missing or weak CSP (for example one that permits 'unsafe-inline' or a wildcard in script sources) is a critical finding.
Strict-Transport-Security (HSTS)
Forces browsers to always use HTTPS for your domain. Prevents SSL stripping attacks. Without HSTS, attackers can downgrade connections to HTTP.
X-Frame-Options
Prevents your page from being loaded inside an iframe on another domain. Protects against clickjacking attacks where users are tricked into clicking hidden elements.
X-Content-Type-Options
Prevents browsers from guessing content types (MIME sniffing). Without it, a browser might interpret a response served as plain text as JavaScript or a stylesheet; the only valid value is nosniff.
Referrer-Policy
Controls how much information is sent in the Referer header when navigating away from your site. Prevents leaking sensitive URL parameters to third parties.
Permissions-Policy
Controls access to browser APIs like camera, microphone, and geolocation. Limits what malicious scripts can do if they execute on your page.
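The six checks above can be turned into a small offline grader. The following is an added example written for this page, not the checker's own code: it takes a dictionary of response headers (a real checker would fill it from an HTTP response, as the `fetch_headers` helper does), evaluates each header with the rules the descriptions give, and returns a letter grade plus a fix message per header. The grading weights, the one-year HSTS threshold, and the sample header sets are this example's own assumptions.

```python
"""Added example: minimal HTTP security-headers grader (not the tool's own code)."""
import re
import urllib.request
from typing import Dict, Optional, Tuple

Finding = Tuple[str, str]  # (status: "ok" | "weak" | "missing", message)
ONE_YEAR = 31536000         # assumed HSTS max-age threshold (seconds)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
WEIGHT = {"ok": 0, "weak": 1, "missing": 2}


def parse_csp(value: str) -> Dict[str, list]:
    """Split 'dir src src; dir src' into {directive: [sources]} (lower-cased)."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_csp(value: Optional[str]) -> Finding:
    if value is None:
        return "missing", "No CSP; add one, e.g. default-src 'self'; object-src 'none'"
    d = parse_csp(value)
    script = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
    if script is None:
        return "weak", "CSP sets neither script-src nor default-src, so scripts are unrestricted"
    bad = [s for s in ("'unsafe-inline'", "'unsafe-eval'", "*") if s in script]
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    if any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script):
        bad = [b for b in bad if b != "'unsafe-inline'"]
    return ("weak", "script sources allow " + ", ".join(bad)) if bad else ("ok", "script sources restricted")


def check_hsts(value: Optional[str]) -> Finding:
    if value is None:
        return "missing", "Add Strict-Transport-Security: max-age=31536000; includeSubDomains"
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "weak", "max-age directive missing"
    if int(m.group(1)) < ONE_YEAR:
        return "weak", f"max-age={m.group(1)} is below one year"
    if "includesubdomains" not in value.lower():
        return "weak", "includeSubDomains not set; subdomains can still be downgraded"
    return "ok", "HTTPS enforced for at least one year"


def check_xfo(value: Optional[str], csp: Optional[str]) -> Finding:
    if value is not None and value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok", "framing restricted"
    if csp and "frame-ancestors" in parse_csp(csp):
        return "ok", "CSP frame-ancestors governs framing (it supersedes X-Frame-Options)"
    if value is None:
        return "missing", "Add X-Frame-Options: DENY (or CSP frame-ancestors)"
    return "weak", f"unsupported value {value!r}; ALLOW-FROM is ignored by modern browsers"


def check_xcto(value: Optional[str]) -> Finding:
    if value is None:
        return "missing", "Add X-Content-Type-Options: nosniff"
    return ("ok", "MIME sniffing disabled") if value.strip().lower() == "nosniff" else ("weak", "value must be nosniff")


def check_referrer(value: Optional[str]) -> Finding:
    if value is None:
        return "missing", "Add Referrer-Policy: strict-origin-when-cross-origin"
    policies = [p.strip().lower() for p in value.split(",") if p.strip()]
    chosen = policies[-1] if policies else ""  # browsers apply the last policy they recognise
    return ("ok", f"{chosen} does not leak paths cross-origin") if chosen in SAFE_REFERRER \
        else ("weak", f"{chosen or value!r} can leak full URLs to third parties")


def check_permissions(value: Optional[str]) -> Finding:
    if value is None:
        return "missing", "Add Permissions-Policy: camera=(), microphone=(), geolocation=()"
    return ("ok", "browser features restricted") if "=" in value else ("weak", "not a directive list")


def check_headers(headers: Dict[str, str]) -> Tuple[str, Dict[str, Finding]]:
    """Return (grade, findings). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    findings = {
        "Content-Security-Policy": check_csp(csp),
        "Strict-Transport-Security": check_hsts(h.get("strict-transport-security")),
        "X-Frame-Options": check_xfo(h.get("x-frame-options"), csp),
        "X-Content-Type-Options": check_xcto(h.get("x-content-type-options")),
        "Referrer-Policy": check_referrer(h.get("referrer-policy")),
        "Permissions-Policy": check_permissions(h.get("permissions-policy")),
    }
    score = 0
    for name, (status, _) in findings.items():
        w = WEIGHT[status]
        if name == "Content-Security-Policy" and status == "missing":
            w *= 2  # the page calls a missing CSP a critical finding
        score += w
    grade = next((g for limit, g in ((0, "A"), (2, "B"), (4, "C"), (7, "D")) if score <= limit), "F")
    return grade, findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Live mode (network): collect response headers for a URL you operate."""
    with urllib.request.urlopen(urllib.request.Request(url, method="GET"), timeout=10) as resp:
        return dict(resp.getheaders())


# Constructed sample responses (not captured from any real site).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        grade, findings = check_headers(hdrs)
        print(f"{label}: grade {grade}")
        for name, (status, msg) in findings.items():
            print(f"  [{status:7}] {name}: {msg}")
```

Run it as a script to see both sample sets graded; call `check_headers(fetch_headers("https://your-site.example"))` to grade a site you administer. The frame-ancestors fallback in `check_xfo` and the nonce rule in `check_csp` are the two caveats a naive presence check gets wrong.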