
HTTP Security Headers Checker

Analyze any website's HTTP response headers and get a security score. Instant, free, no signup required.


What Are HTTP Security Headers?

HTTP security headers are directives sent by a web server in every HTTP response. They tell browsers how to behave when handling your site's content, forming a critical layer of defense against common web vulnerabilities like cross-site scripting (XSS), clickjacking, and data injection attacks.

Even if your application code is secure, missing headers leave the door open for attackers to exploit browser behavior. A properly configured set of security headers takes minutes to add and dramatically reduces your attack surface.

Essential Security Headers Explained

Strict-Transport-Security (HSTS)

HSTS tells browsers to only connect to your site over HTTPS. Once a browser has seen this header on an HTTPS response, it will refuse to make insecure HTTP connections to the site for the specified duration (max-age, in seconds). This prevents protocol downgrade attacks and cookie hijacking. Example: Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy (CSP)

CSP defines which resources (scripts, styles, images, fonts) the browser is allowed to load. It is the most powerful defense against XSS attacks because it blocks unauthorized inline scripts and external resources. Example: Content-Security-Policy: default-src 'self'; script-src 'self'

X-Frame-Options

This header controls whether your pages can be embedded in <iframe> elements on other sites. Setting it to DENY or SAMEORIGIN prevents clickjacking attacks where an attacker overlays your page with an invisible frame to trick users into clicking hidden buttons.

X-Content-Type-Options

When set to nosniff, this header prevents browsers from MIME-type sniffing a response away from the declared Content-Type. Without it, a browser might interpret a file as a script or HTML, enabling injection attacks through uploaded files.

Referrer-Policy

Referrer-Policy controls how much referrer information is included when navigating away from your site. Policies like strict-origin-when-cross-origin prevent leaking sensitive URL paths to third-party sites while still providing origin information for analytics.

Permissions-Policy

Permissions-Policy (formerly Feature-Policy) lets you control which browser features and APIs can be used on your site. You can disable access to the camera, microphone, geolocation, and more for embedded content and even for your own pages. Example: Permissions-Policy: camera=(), microphone=(), geolocation=()

How to Improve Your Score

Getting a perfect 6/6 score is straightforward. Add the missing headers to your web server or CDN configuration. Most headers require just a single line in your Nginx, Apache, or Cloudflare settings:

1. Run a scan with this tool to see which headers are missing.
2. Add the missing headers to your server config or CDN rules.
3. Re-scan to verify the changes are live.
4. Set up continuous monitoring with Valpero to get alerts if a header is ever removed during deployments.
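The scoring described above, written out as an added example (this is illustrative code, not the Valpero checker): it grades a set of response headers against the six headers explained earlier, one point each for presence, and separately flags present-but-weak values. The sample headers are constructed, and the weak-value thresholds (one-year HSTS, no 'unsafe-inline' in CSP) are assumptions drawn from the examples on this page.

```python
"""Offline scorer for the six security headers discussed above (example, not Valpero's code)."""

# The six headers the checker scores: one point each, present or missing.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)

def hsts_max_age(value):
    """Parse the max-age directive of an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0

def score_headers(headers):
    """Return (score, missing, warnings). Names match case-insensitively, as HTTP requires.
    Warnings flag weak values without lowering the present/missing score (assumed thresholds)."""
    present = {k.lower(): v for k, v in headers.items()}
    missing, warnings = [], []
    for name in EXPECTED_HEADERS:
        value = present.get(name.lower())
        if value is None:
            missing.append(name)
            continue
        v = value.strip()
        if name == "Strict-Transport-Security" and hsts_max_age(v) < 31536000:
            warnings.append("HSTS max-age below one year (31536000)")
        elif name == "X-Content-Type-Options" and v.lower() != "nosniff":
            warnings.append("X-Content-Type-Options should be 'nosniff'")
        elif name == "X-Frame-Options" and v.upper() not in ("DENY", "SAMEORIGIN"):
            warnings.append("X-Frame-Options should be DENY or SAMEORIGIN")
        elif name == "Content-Security-Policy" and "'unsafe-inline'" in v.lower():
            warnings.append("CSP allows 'unsafe-inline', which weakens XSS protection")
    return len(EXPECTED_HEADERS) - len(missing), missing, warnings

# Constructed sample response headers: four of six present, HSTS max-age too short.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Calling score_headers(SAMPLE_HEADERS) yields a 4/6 score with X-Frame-Options and Permissions-Policy missing and one warning for the short HSTS max-age; feeding it the headers captured from a real response (for example the dict from a live HEAD request) is how the scan and re-scan steps would be automated.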

Frequently Asked Questions

What security headers does this check?

This tool checks six essential security headers: HSTS (Strict-Transport-Security), CSP (Content-Security-Policy), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each header is scored as present or missing, and you get an overall security score out of 6.

What is a good security score?

Aim for a score of 5/6 or higher. A perfect 6/6 means all essential security headers are present and correctly configured. Most well-maintained sites score at least 4/6. If you score below that, you should prioritize adding the missing headers.

Why do security headers matter?

Security headers prevent common web attacks such as cross-site scripting (XSS), clickjacking, and MIME-type sniffing. They instruct browsers to enforce security policies that protect your visitors. Without them, even secure application code can be exploited through browser behavior.

What is HSTS?

HSTS (HTTP Strict Transport Security) forces browsers to use HTTPS connections only. Once set, the browser will refuse to connect over plain HTTP for the specified duration. This prevents protocol downgrade attacks and cookie hijacking, ensuring all communication between the user and your server is encrypted.

Can I monitor my headers continuously?

Yes. Valpero tracks your HTTP headers around the clock and sends instant alerts via Telegram, Slack, or email whenever a header changes or is removed. This is especially useful after deployments, when configuration can accidentally regress. The free plan includes header monitoring.

Monitor Security Headers 24/7

Get instant alerts when security headers change or disappear. Free forever — no credit card required.

Free plan includes SSL monitoring, status page, and multi-region checks