Security Header Checker

Validate HTTPS, HSTS, CSP, and anti-clickjacking headers before you ship. Share copy-ready values with ops, security, or compliance.

Run your first scan to visualize HTTPS, HSTS, CSP, and anti-clickjacking headers here.

What are security headers?

Security headers such as Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options act as guardrails for every HTTP response. They enforce HTTPS, block clickjacking, and prevent MIME sniffing so attackers can’t downgrade or hijack your sessions.

Why scan them before launch?

Header policies silently break whenever you change CDNs, reverse proxies, or frameworks. This tool fetches your site exactly like a browser would, catches missing directives, and gives you copy-ready values to paste into infra tickets.

Critical defenses

  • HTTPS + HSTS: Force TLS and pin the browser to https:// for all future visits.
  • Content-Security-Policy: Lock down scripts, styles, and frames to trusted origins.
  • X-Frame-Options: Stop clickjacking with DENY or SAMEORIGIN as a fallback.

Hygiene extras

  • X-Content-Type-Options: Set nosniff so browsers don’t guess MIME types.
  • Referrer-Policy: Keep sensitive query params out of downstream redirects.
  • Permissions-Policy: Control access to camera, microphone, and other APIs.

FAQ

Everything you need to secure headers

Get answers to the most common questions about HTTPS enforcement, HSTS, CSP, and anti-clickjacking policies.

Enter any publicly reachable URL and we’ll fetch the response to inspect HTTPS, Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options exactly as browsers see them.

HSTS tells browsers to only use HTTPS for future visits, blocking downgrade attacks and cookie theft. Without it, users can still be forced onto insecure HTTP.

At minimum lock script-src, style-src, img-src, and connect-src to trusted hosts. Add nonces or hashes for inline scripts and disallow * where possible.

frame-ancestors in CSP is modern, but adding X-Frame-Options keeps older browsers protected. Most teams ship both for maximum coverage.

No. Each scan runs on demand, renders inside your browser, and is immediately discarded. Nothing is persisted or shared.

Scan whenever you migrate hosting, change CDNs, deploy a new proxy, or notice TLS/redirect changes. Header regressions usually happen during infra work.

As long as the staging URL is publicly accessible (or temporarily allowlisted), you can run the audit and share the output with your team.

Yes. The detail panel shows every header exactly as returned by your origin so you can screenshot or paste into SOC 2 and PCI evidence.

A perfect 100/100 means HTTPS, HSTS, CSP, X-Frame-Options, and X-Content-Type-Options are all configured. Anything less highlights the missing directives.

Copy the header values directly from the report or rerun the scan whenever you need fresh evidence for change requests.
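The checks described above (the five scored headers, the CSP directives to lock down, and the frame-ancestors/X-Frame-Options overlap) as an added example of how such a checker evaluates a response. This is illustrative code, not the tool's own scoring: the 20-points-per-check weighting, the one-year HSTS minimum and the sample headers are assumptions.

```python
import re

# Constructed sample response headers (not output from the tool); header
# names are matched case-insensitively, as browsers treat them.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
                                "style-src 'self'; img-src *; connect-src 'self'; "
                                "frame-ancestors 'none'"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

def parse_csp(value):
    """Split a CSP header into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_headers(url, headers):
    """Score five checks at 20 points each (assumed weighting) and list findings."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    policy = parse_csp(h.get("content-security-policy", ""))
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    def sources(d):  # a fetch directive falls back to default-src when unset
        return policy.get(d, policy.get("default-src"))
    # The four directives the FAQ says to lock down; a bare '*' means any host.
    weak = [d for d in ("script-src", "style-src", "img-src", "connect-src")
            if sources(d) is None or "*" in sources(d)]
    csp_msg = "CSP missing" if not policy else "CSP: unset or wildcard directives: " + ", ".join(weak)
    checks = [
        (url.lower().startswith("https://"), "not served over HTTPS"),
        (bool(m) and int(m.group(1)) >= 31536000, "HSTS missing, no max-age, or max-age under one year (assumed minimum)"),
        (bool(policy) and not weak, csp_msg),
        (h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"), "X-Frame-Options missing or not DENY/SAMEORIGIN"),
        (h.get("x-content-type-options", "").lower() == "nosniff", "X-Content-Type-Options is not nosniff"),
    ]
    findings = [msg for ok, msg in checks if not ok]
    if policy and "frame-ancestors" not in policy:  # informational, not scored
        findings.append("CSP: no frame-ancestors; clickjacking protection relies on X-Frame-Options only")
    return 20 * sum(ok for ok, _ in checks), findings
```

With the sample headers the result is 80 with a single finding, because img-src allows any host; an empty header set over plain HTTP scores 0 with five findings.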