HTTP Security Headers
Analyse your website's security headers and get a grade from A+ to F. See exactly which headers are missing or misconfigured and how to fix them.
How to Use the Security Headers Checker
1. Enter your website URL (e.g. https://example.com)
2. Click Check — results appear in a few seconds
3. The large letter grade shows your overall security header score
4. Each security header is graded individually with a score and explanation
5. Missing headers show a recommendation for exactly what to add
6. Expand the All Response Headers section to see every header your server returns
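The steps above describe what the checker does for you; the script below is an added example (not the checker's own code) of the same idea in Python: fetch a site's response headers, test each security header the page names, and turn the result into a letter grade. The header list, the pass/fail rule for each header, the recommended values and the grade scale are all assumptions made for this example, and SAMPLE_HEADERS is a constructed response used so the script runs offline.

```python
"""Grade a site's HTTP security headers (added example; assumptions noted inline)."""
import re
import sys
from urllib.request import Request, urlopen

ONE_YEAR = 31536000  # seconds; the max-age the page calls "1 year"

# Assumed recommendation shown when a header is absent.
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}

# Assumed grade scale: one letter step per passing header (0..6 passes).
GRADES = ["F", "E", "D", "C", "B", "A", "A+"]


def check_hsts(value):
    """Pass only if max-age is present and at least one year."""
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        return False, "missing max-age directive"
    age = int(m.group(1))
    if age < ONE_YEAR:
        return False, f"max-age={age} is under one year ({ONE_YEAR})"
    return True, "max-age of at least one year"


def check_csp(value):
    """Pass if a default-src fallback exists and inline scripts are not blanket-allowed.
    A nonce or hash source makes browsers ignore 'unsafe-inline', so that combination passes."""
    if "default-src" not in value:
        return False, "no default-src fallback; unlisted resource types are unrestricted"
    if "'unsafe-inline'" in value and "nonce-" not in value and "sha256-" not in value:
        return False, "'unsafe-inline' without a nonce or hash allows injected scripts"
    return True, "default-src present, no bare 'unsafe-inline'"


def check_xcto(value):
    return value.strip() == "nosniff", "must be exactly 'nosniff'"


def check_xfo(value):
    return value.strip() in ("deny", "sameorigin"), "use DENY or SAMEORIGIN"


def check_referrer(value):
    weak = ("unsafe-url", "no-referrer-when-downgrade")
    return value.strip() not in weak, "avoid unsafe-url and no-referrer-when-downgrade"


def check_permissions(value):
    return bool(value.strip()), "must not be empty"


# Each check receives the lower-cased header value and returns (passed, note).
CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-content-type-options": check_xcto,
    "x-frame-options": check_xfo,
    "referrer-policy": check_referrer,
    "permissions-policy": check_permissions,
}


def fetch_headers(url, timeout=10):
    """Fetch a URL and return its response headers as a lower-cased dict (network call)."""
    req = Request(url, headers={"User-Agent": "security-header-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}


def analyse(headers):
    """Return (grade, findings) where findings maps header name -> (passed, note)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings, passed = {}, 0
    for name, check in CHECKS.items():
        if name not in lowered:
            findings[name] = (False, f"missing; add: {name}: {RECOMMENDED[name]}")
            continue
        ok, note = check(lowered[name].lower())
        findings[name] = (ok, note)
        passed += ok
    return GRADES[passed], findings


# Constructed sample response: HSTS too short, CSP and Permissions-Policy absent.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    grade, findings = analyse(headers)
    print(f"Grade: {grade}")
    for name, (ok, note) in findings.items():
        print(f"  [{'PASS' if ok else 'FAIL'}] {name}: {note}")
```

Run it with a URL as the first argument to grade a live site, or with no argument to grade the constructed sample (which lands on C: three headers pass, HSTS fails on max-age, two are missing).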
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are instructions sent by your web server to the browser that tell it how to behave when handling your website. They protect against common attacks like cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks. They are set in your web server configuration and cost nothing to implement.
What is Content Security Policy (CSP)?
CSP is a powerful header that tells the browser exactly which resources (scripts, styles, images, fonts) are allowed to load on your page. A strict CSP prevents attackers from injecting malicious scripts even if they find an XSS vulnerability. It is the most impactful security header you can add.
What is HSTS and why does max-age matter?
HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS when visiting your site for a set period (max-age in seconds). A max-age of 31536000 means 1 year. Once a browser receives this header, it will refuse to connect via HTTP for that duration, protecting users even if they type http:// manually.
How do I add security headers to my website?
The method depends on your web server. In Nginx, add headers inside a location block. In Apache, use the Header directive in .htaccess. In Caddy, use the header directive in your Caddyfile. In Cloudflare, you can add headers via Transform Rules. Most frameworks also allow setting headers in middleware.
Will adding security headers break my website?
HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are safe to add immediately. Content-Security-Policy requires more care: start in report-only mode to see what would be blocked before enforcing it, because a strict CSP can break inline scripts and styles.
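The two answers above (setting headers in framework middleware, and rolling CSP out in report-only mode first) can be shown together in one piece of code. The WSGI middleware below is an added example, not code from this page or its checker: it always adds the headers the page calls safe, and sends the CSP as Content-Security-Policy-Report-Only until the enforce_csp switch is turned on. The header values, the CSP policy string, the enforce_csp and report_uri parameters and the demo_app are all assumptions made for this example.

```python
"""WSGI middleware that adds security headers, with CSP in report-only mode by default
(added example; header values and parameters are assumptions)."""
from wsgiref.simple_server import make_server

# Headers the page says are safe to add immediately (values assumed).
SAFE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]

# Assumed starting policy; tighten it once the report-only phase shows what it blocks.
CSP_POLICY = "default-src 'self'; object-src 'none'; base-uri 'self'"


class SecurityHeaders:
    """Wrap a WSGI app and append security headers to every response."""

    def __init__(self, app, enforce_csp=False, report_uri=None):
        self.app = app
        self.enforce_csp = enforce_csp      # False: report-only; True: enforced
        self.report_uri = report_uri        # where the browser posts CSP violation reports

    def __call__(self, environ, start_response):
        def _start(status, headers, exc_info=None):
            existing = {name.lower() for name, _ in headers}
            # Never override a header the application set itself.
            for name, value in SAFE_HEADERS:
                if name.lower() not in existing:
                    headers.append((name, value))
            if ("content-security-policy" not in existing
                    and "content-security-policy-report-only" not in existing):
                policy = CSP_POLICY
                if self.report_uri:
                    policy += f"; report-uri {self.report_uri}"
                name = ("Content-Security-Policy" if self.enforce_csp
                        else "Content-Security-Policy-Report-Only")
                headers.append((name, policy))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)


def demo_app(environ, start_response):
    """Minimal application used to exercise the middleware (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def response_headers(app, path="/"):
    """Run one GET through a WSGI app and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Phase 1 (default): report-only. Flip enforce_csp=True once reports are clean.
    app = SecurityHeaders(demo_app, enforce_csp=False, report_uri="/csp-report")
    print(response_headers(app)[1])
    make_server("127.0.0.1", 8000, app).serve_forever()
```

With enforce_csp left at False the browser evaluates the policy and posts violations to report_uri but blocks nothing, so the report-only phase costs no functionality; switching to enforce_csp=True changes only the header name, not the policy, so what was reported is exactly what will be blocked.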