Security Headers Analyzer

Check HTTP security headers for any domain.

HTTP security headers are instructions a web server sends with every response to tell browsers how to behave. They form a defense layer against common attacks that, for most headers, can be deployed at the web server, reverse proxy or CDN without touching application code. Content-Security-Policy is the exception: a strict policy usually means removing inline scripts or adding nonces, so it does reach into the application.

Key headers and what they prevent:

  • Content-Security-Policy (CSP) — Mitigates cross-site scripting (XSS) by restricting the sources from which the browser may load scripts, styles, frames and other resources. A policy that allows 'unsafe-inline' or a wildcard for scripts gives little real protection.
  • Strict-Transport-Security (HSTS) — Tells browsers to use HTTPS only for the domain for max-age seconds, which defeats SSL-stripping downgrade attacks and blocks click-through on certificate errors. It takes effect after the first HTTPS visit unless the domain is on the browser preload list.
  • X-Frame-Options — Prevents clickjacking by controlling whether the page may be embedded in a frame (DENY or SAMEORIGIN). The CSP frame-ancestors directive supersedes it and wins when both are present.
  • X-Content-Type-Options — With the value nosniff, stops browsers from guessing a MIME type and, for example, running an uploaded text file as script.
  • X-XSS-Protection — Legacy reflected-XSS filter from older browsers. It has been removed from Chrome and Edge and was never implemented in Firefox; current guidance is to omit it or set it to 0, because the filter can introduce security issues of its own.
  • Referrer-Policy — Controls how much referrer data is sent to other sites, protecting privacy and sensitive URLs; strict-origin-when-cross-origin is a common safe default.
  • Permissions-Policy — Restricts which browser features (camera, microphone, geolocation) the page and its frames may use; it is the successor to Feature-Policy.

This tool sends a request to the target domain and evaluates each header, scoring your configuration from A (best) to F (critical gaps). The grade reflects only the response that was examined: a single request to the site root will not show headers that differ on other paths or behind a login.
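The following script shows how such a header check can work end to end: it parses the headers listed above, applies the "properly configured" rules a practitioner would want (HSTS max-age of at least a year, no inline or wildcard script sources in CSP, nosniff, framing restricted by either mechanism, a strict referrer policy, and the legacy XSS filter absent or disabled), weights the results and maps the total to a letter grade. It is an added example, not the analyzer's own scoring code; the weights, thresholds and letter cut-offs are assumptions chosen for illustration, and the two sample responses are constructed, not captured from any real site.

```python
# Added example in the spirit of the analyzer described above; not the tool's own
# code. Weights, thresholds and letter cut-offs are assumptions for illustration.
import re
import urllib.request

ONE_YEAR = 31536000  # HSTS max-age floor (seconds) that preload guidance expects
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def _val(h, name):  # normalised header value, or '' when absent (keys already lower-case)
    return h.get(name, "").strip().lower()

def check_csp(h):
    """Pass only if CSP constrains scripts without 'unsafe-inline' or a bare '*'."""
    directives = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.strip().lower().split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    src = directives.get("script-src", directives.get("default-src"))
    if src is None or "'unsafe-inline'" in src or "*" in src:
        return False, "missing, or script sources allow inline code / any origin"
    return True, ""

def check_hsts(h):  # pass only with a max-age of at least one year
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        return False, "missing, or max-age shorter than one year"
    return True, ""

def check_nosniff(h):
    return _val(h, "x-content-type-options") == "nosniff", "expected 'nosniff'"

def check_framing(h):  # CSP frame-ancestors supersedes X-Frame-Options; accept either
    if "frame-ancestors" in _val(h, "content-security-policy"):
        return True, ""
    ok = _val(h, "x-frame-options") in ("deny", "sameorigin")
    return ok, "expected DENY, SAMEORIGIN or CSP frame-ancestors"

def check_referrer(h):
    ok = _val(h, "referrer-policy") in STRICT_REFERRER
    return ok, "expected e.g. strict-origin-when-cross-origin"

def check_permissions(h):
    return "permissions-policy" in h, "missing"

def check_xss_filter(h):  # legacy filter is gone from current browsers: absent or 0 is safe
    value = h.get("x-xss-protection")
    return (value is None or value.strip() == "0"), "legacy filter enabled; remove or set to 0"

# (display name, weight, check); weights sum to 100.
CHECKS = [
    ("Content-Security-Policy", 30, check_csp),
    ("Strict-Transport-Security", 25, check_hsts),
    ("X-Content-Type-Options", 10, check_nosniff),
    ("X-Frame-Options", 10, check_framing),
    ("Referrer-Policy", 10, check_referrer),
    ("Permissions-Policy", 10, check_permissions),
    ("X-XSS-Protection", 5, check_xss_filter),
]

def letter_for(score):
    for cutoff, letter in ((90, "A"), (75, "B"), (60, "C"), (45, "D")):
        if score >= cutoff:
            return letter
    return "F"

def grade_headers(headers):  # headers: dict of name -> value, any case
    h = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    for name, weight, check in CHECKS:
        ok, why = check(h)
        score += weight if ok else 0
        findings.append((name, ok, why))
    return letter_for(score), score, findings

def fetch_headers(url, timeout=10):  # live variant; needs network, unused by the demo
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())

# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, grade_headers(sample)[:2])  # hardened ('A', 100) / weak ('F', 0)
```

To grade a live site, pass `fetch_headers("https://example.com/")` into `grade_headers`; urllib follows redirects, so the headers you see are those of the final response, which is usually what the browser will enforce. Note that the HARDENED sample has no X-Frame-Options at all and still passes the framing check, because its CSP frame-ancestors directive does the same job, while the WEAK sample is penalised for X-XSS-Protection being enabled rather than missing.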

Common questions

Which headers does the analyzer check?

Key security headers include Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.

How is the grade calculated?

The score is based on which recommended headers are present and properly configured. Each missing or misconfigured header reduces your grade.

Are scan results stored?

No. The scan runs in real time and no results are saved to any server or database.