HTTP Headers Check
Inspect the HTTP response headers returned by any web server. Check whether critical security headers like Content-Security-Policy, HSTS, and X-Frame-Options are present. Missing security headers can expose sites to XSS, clickjacking, and data-injection attacks.
Security Headers Explained
Security headers are HTTP response headers that instruct browsers how to handle your site's content. They provide a low-effort, high-impact layer of defense against common web attacks. For the fundamentals, read our guide to what HTTP headers are and our explainer on the difference between HTTP and HTTPS.
| Header | Protects Against | Recommended Value | Priority |
|---|---|---|---|
| Content-Security-Policy | Cross-site scripting (XSS), data injection, code injection | default-src 'self' | Critical |
| Strict-Transport-Security | Protocol downgrade attacks, SSL stripping, MITM | max-age=31536000; includeSubDomains | Critical |
| X-Frame-Options | Clickjacking attacks (embedding in iframes) | DENY or SAMEORIGIN | High |
| X-Content-Type-Options | MIME-type confusion attacks | nosniff | High |
| Referrer-Policy | Leaking sensitive URL paths to third-party sites | strict-origin-when-cross-origin | Medium |
| Permissions-Policy | Unauthorized use of browser APIs (camera, location, etc.) | geolocation=(), microphone=() | Medium |
| X-XSS-Protection | XSS in older browsers (IE/Edge legacy) | 1; mode=block | Low |
| Cache-Control | Sensitive data cached in shared proxies or browser | no-store for private pages | Medium |
Quick Implementation Guide
- Add security headers in your web server config (nginx, Apache) or application middleware.
- For nginx: use the add_header directive in your server block.
- For Apache: use Header set in .htaccess or httpd.conf.
- For Flask/Django/Express: use a middleware library like flask-talisman or helmet.js.
- Test after each change using this tool or securityheaders.com.
- Start with X-Content-Type-Options and X-Frame-Options: they cause zero breaking changes.
- Use CSP in report-only mode first to collect violations before enforcing.
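The check that the steps above ask you to repeat after each change can be scripted. The following is an added example, not the code behind this tool: it audits a dictionary of response headers (a constructed sample is embedded; in practice you would pass `dict(requests.head(url).headers)` or the output of `curl -I`) against the recommended values in the table, flags a report-only CSP as not yet enforcing, and treats a CSP `frame-ancestors` directive as an acceptable substitute for X-Frame-Options.

```python
"""Audit HTTP response headers against the recommendations in the table above."""
from typing import Dict, List

# Constructed sample headers, as a partly hardened server might return them (not a real site).
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",          # too short: one hour
    "X-Frame-Options": "ALLOWALL",                        # not a valid value
    "Content-Security-Policy-Report-Only": "default-src 'self'",  # step 7: not enforced yet
    "Cache-Control": "no-store",
}

ONE_YEAR = 31536000  # the max-age recommended in the table


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only: violations are reported but not blocked")
        else:
            findings.append("missing Content-Security-Policy")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append("HSTS max-age is below one year")
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name.title()}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```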
Frequently Asked Questions
What are HTTP security headers?
Security headers are instructions a web server sends with every response that tell the browser to switch on protections. The most important are Content-Security-Policy (limits where scripts can load from), Strict-Transport-Security (forces HTTPS), X-Content-Type-Options (stops MIME sniffing), X-Frame-Options or frame-ancestors (blocks clickjacking), and Referrer-Policy. They cost nothing to send and shut down whole classes of attack.
How do I check the HTTP headers of a website?
Enter any URL in the form above to see the exact response headers the server sends, including the status code, server software, caching directives, cookie flags, and security headers. You can view the same data in your browser by opening developer tools, selecting the Network tab, and clicking a request, or from a terminal with curl -I followed by the URL.
What is HSTS and do I need it?
HTTP Strict-Transport-Security (HSTS) is a header that tells browsers to connect to your site only over HTTPS for a set period (the max-age), even if a user types a plain http:// address. It prevents protocol-downgrade and SSL-stripping attacks on untrusted networks. Any site served entirely over HTTPS should send it; without it, the very first request can still go out unencrypted.