Security Header Scanner
Last updated: March 29, 2026
Enter a URL to scan for security headers. Get a detailed security grade with findings for HSTS, CSP, CORS policies, cookie security, and information leaks.
Scan any website for security headers and get an instant security grade. Our Security Header Scanner checks for HSTS, Content Security Policy, X-Frame-Options and seven other headers, then reports each finding with a severity level and a specific fix recommendation.
What Are Security Headers?
Security headers are HTTP response headers that instruct browsers how to handle your site’s content. They form a critical layer of defense against common web attacks including cross-site scripting (XSS), clickjacking, MIME-type sniffing, and protocol downgrade attacks. Despite being straightforward to implement, many websites still lack basic security headers, leaving users vulnerable to preventable attacks.
Headers We Check
Strict-Transport-Security (HSTS) — Tells browsers to use HTTPS for every future connection to the host, which prevents protocol downgrade attacks and the theft of cookies over plaintext HTTP. We check the max-age value, the includeSubDomains directive, and preload eligibility. A max-age of at least 31536000 (one year) with includeSubDomains and preload is considered optimal and is what the browser preload lists require. Two caveats: browsers only honour HSTS when it arrives over a valid HTTPS connection, and includeSubDomains commits every subdomain to HTTPS, so verify that all of them serve TLS before enabling it. Defined in RFC 6797.
Content-Security-Policy (CSP) — Controls which resources the browser may load for a page and where scripts may run. A well-configured CSP is the strongest header-level mitigation for XSS, but it is a second line of defence behind correct output encoding, not a replacement for it. We flag policies that use unsafe-inline or unsafe-eval, which largely defeat the script restrictions; prefer nonces or hashes for inline scripts. A Content-Security-Policy-Report-Only header only reports violations and enforces nothing, so it does not count as protection. The W3C CSP specification provides full documentation.
X-Content-Type-Options — When set to nosniff, stops browsers from guessing a response's MIME type instead of trusting the declared Content-Type. This blocks attacks in which, for example, a user-uploaded file served as text/plain is reinterpreted as a script or stylesheet.
X-Frame-Options — Controls whether a page can be embedded in iframes. Set it to DENY or SAMEORIGIN to prevent clickjacking, where an attacker overlays your page invisibly to trick users into clicking hidden elements. The CSP frame-ancestors directive supersedes this header and takes precedence where both are present; sending both covers older browsers. The ALLOW-FROM value is not supported by current browsers and should not be relied on.
Referrer-Policy — Controls how much referrer information is sent with requests. Strict policies such as strict-origin-when-cross-origin (the default in current browsers when no header is set) send only the origin to third parties and prevent leaking sensitive URL paths and query strings.
Permissions-Policy — Restricts which browser features and APIs can be used on a page. Controls access to camera, microphone, geolocation, and other sensitive APIs. Prevents third-party scripts from accessing capabilities they should not have.
Cross-Origin-Opener-Policy (COOP) — With the value same-origin, isolates the browsing context from cross-origin popup windows, so a cross-origin document that opened your page, or was opened by it, cannot hold a usable window reference to it. This prevents cross-origin attacks that exploit window references and, together with Cross-Origin-Embedder-Policy, enables cross-origin isolation.
Cross-Origin-Resource-Policy (CORP) — Lets a server declare which origins may load a resource (same-origin, same-site, or cross-origin), so the browser blocks other cross-origin no-cors loads before the response reaches the renderer. This adds protection against speculative side-channel attacks like Spectre.
Information Leak Detection
Beyond security headers, our scanner also checks for information leaks:
- Server header — Reveals the web server software and often its version (e.g., Apache/2.4.52). Attackers use this to target known vulnerabilities in that exact version.
- X-Powered-By header — Exposes the technology stack (e.g., PHP/8.1, Express). It should be removed; the browser does not need it and it only reduces attacker effort.
- Cookie security — Checks that cookies include the Secure, HttpOnly, and SameSite attributes to prevent interception and cross-site attacks. Note that SameSite=None is only valid together with Secure; browsers reject such a cookie without it.
Understanding the Security Grade
Our grading system scores sites from 0 to 100, then maps to a letter grade:
- A (90-100) — Excellent. All critical headers present and well-configured.
- B (75-89) — Good. Most headers present with minor improvements needed.
- C (60-74) — Fair. Several important headers missing or misconfigured.
- D (40-59) — Poor. Major security headers absent.
- F (0-39) — Critical. Minimal or no security headers in place.
Critical findings (missing HSTS or CSP) have the highest impact on the score, while informational findings (missing COOP or CORP) have a lighter impact.
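The checks from Headers We Check and Information Leak Detection, and the grade bands above, as one runnable Python example. This is example code written for this page, not the scanner's own implementation: it evaluates a constructed list of response headers, and the sample header values, the cookie names and the per-severity point deductions in WEIGHTS are assumptions, since the page states only that critical findings weigh most and informational ones least.

```python
# Added example written for this page, not the scanner's own code: it applies the
# checks above to constructed headers. WEIGHTS are assumed (page gives no formula).
import re
from typing import List, Tuple
Header = Tuple[str, str]   # (name, value); Set-Cookie may appear several times
Finding = Tuple[str, str]  # (severity, message)
ONE_YEAR = 31536000
WEIGHTS = {"critical": 25, "high": 15, "medium": 10, "low": 5, "info": 3}

def values(headers: List[Header], name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name.lower()]  # names are case-insensitive
def first(headers: List[Header], name: str) -> str:
    return (values(headers, name) or [""])[0]

def check_hsts(value: str) -> List[Finding]:
    if not value:
        return [("critical", "Strict-Transport-Security missing")]
    low, out = value.lower(), []
    m = re.search(r"max-age=(\d+)", low)
    if not m:
        out.append(("high", "HSTS has no max-age directive"))
    elif int(m.group(1)) < ONE_YEAR:
        out.append(("medium", f"HSTS max-age={m.group(1)} is below one year"))
    if "includesubdomains" not in low:
        out.append(("low", "HSTS lacks includeSubDomains"))
    if "preload" not in low:  # preload lists also require >=1y and includeSubDomains
        out.append(("info", "HSTS is not preload-eligible (no preload directive)"))
    return out

def check_csp(value: str) -> List[Finding]:
    if not value:
        return [("critical", "Content-Security-Policy missing")]
    low = value.lower()
    out = [("high", f"CSP allows {t}") for t in ("'unsafe-inline'", "'unsafe-eval'") if t in low]
    if "frame-ancestors" not in low:
        out.append(("low", "CSP has no frame-ancestors directive"))
    return out

def check_cookie(raw: str) -> List[Finding]:
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower(): p.lower() for p in parts[1:]}
    out = []
    for attr, sev in (("secure", "medium"), ("httponly", "medium"), ("samesite", "low")):
        if attr not in attrs:
            out.append((sev, f"cookie {name} lacks {attr}"))
    if attrs.get("samesite") == "samesite=none" and "secure" not in attrs:
        out.append(("high", f"cookie {name}: SameSite=None requires Secure"))
    return out

def scan(headers: List[Header]) -> List[Finding]:
    csp = first(headers, "Content-Security-Policy")
    out = check_hsts(first(headers, "Strict-Transport-Security")) + check_csp(csp)
    if first(headers, "X-Content-Type-Options").lower() != "nosniff":
        out.append(("medium", "X-Content-Type-Options: nosniff missing"))
    if first(headers, "X-Frame-Options").upper() not in ("DENY", "SAMEORIGIN"):
        sev = "info" if "frame-ancestors" in csp.lower() else "medium"  # CSP supersedes XFO
        out.append((sev, "X-Frame-Options missing or invalid"))
    for name, sev in (("Referrer-Policy", "low"), ("Permissions-Policy", "low"),
                      ("Cross-Origin-Opener-Policy", "info"), ("Cross-Origin-Resource-Policy", "info")):
        if not first(headers, name):
            out.append((sev, f"{name} missing"))
    if re.search(r"/\d", first(headers, "Server")):
        out.append(("low", "Server header reveals a software version"))
    if first(headers, "X-Powered-By"):
        out.append(("low", "X-Powered-By reveals the technology stack"))
    for cookie in values(headers, "Set-Cookie"):
        out += check_cookie(cookie)
    return out

def score(findings: List[Finding]) -> int:
    return max(0, 100 - sum(WEIGHTS[sev] for sev, _ in findings))
def grade(points: int) -> str:  # letter bands as given on this page
    for floor, letter in ((90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if points >= floor:
            return letter
    return "F"

# Constructed sample responses, not captured from any real site.
HARDENED: List[Header] = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Cross-Origin-Opener-Policy", "same-origin"),
    ("Cross-Origin-Resource-Policy", "same-origin"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"),
]
LEAKY: List[Header] = [("Server", "Apache/2.4.52"), ("X-Powered-By", "PHP/8.1"),
    ("Strict-Transport-Security", "max-age=300"), ("Set-Cookie", "session=abc123; Path=/"),
    ("Content-Security-Policy", "default-src * 'unsafe-inline'")]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("leaky", LEAKY)):
        found = scan(hdrs)
        print(f"{label}: {score(found)}/100, grade {grade(score(found))}", *found, sep="\n  ")
```

Run it directly to print both sample verdicts. Headers are kept as a list of name/value pairs rather than a dict because Set-Cookie legitimately repeats and joining the values would break the per-cookie attribute checks; a real scanner also has to evaluate the final response after following redirects, since an HSTS header on the redirecting host says nothing about the destination.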
Related Tools
For a quick overview of all HTTP response headers, use our HTTP Header Checker. To verify SSL/TLS certificate health, try the SSL Certificate Checker. For IP-level threat assessment, see the IP Reputation Check.