What is a Security Headers Scanner?

The Security Headers Scanner analyzes the HTTP response headers of a website to check its security configuration. HTTP security headers are instructions a server sends to the browser to enforce security rules, block common web attacks, and protect end users from malicious sites.

We check for six critical security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. We assign a letter grade and show all of the response headers so that you get the complete picture.

What are the Security Headers checked?

  • Content-Security-Policy (CSP) — Specifies which sources the browser may load content from. Mitigates XSS, data injection and unauthorized resource loading.
  • Strict-Transport-Security (HSTS) — Tells the browser to use HTTPS for this domain for the duration of max-age, even if a user types or follows an http:// link. Resists downgrade attacks and SSL stripping.
  • X-Frame-Options — Controls whether the page may be embedded in a frame. Protects against clickjacking when set to DENY or SAMEORIGIN.
  • X-Content-Type-Options — Stops the browser from MIME-sniffing a response away from its declared Content-Type. The only valid value is nosniff.
  • Referrer-Policy — Specifies how much referrer information is sent when a user navigates away from your site. Recommended values: strict-origin-when-cross-origin or no-referrer.
  • Permissions-Policy — Limits which browser features (camera, microphone, geolocation and so on) your site and the iframes it embeds may use.

How is the grade calculated?

Your site is awarded a letter grade (A+ to F) according to how many of the six security headers are present:

  • A+ — All 6 headers present (90–100%)
  • A — 5 of 6 headers present (75–89%)
  • B — 4 of 6 headers present (60–74%)
  • C — 3 of 6 headers present (40–59%)
  • D — 1–2 of 6 headers present (20–39%)
  • F — No security headers detected (0–19%)

This scoring model gives you a quick view of your site's HTTP security posture. The higher the grade, the greater the protection from typical web attacks. Note that the grade counts presence only: a header with a weak value (for example a Content-Security-Policy that allows 'unsafe-inline' scripts, or an HSTS header with a max-age of a few minutes) still counts as present, so compare the values against the recommended settings further down this page.
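The following is an added example, not the scanner's own code, that implements the presence-based grading table above: it parses the head of a raw HTTP response (a constructed HEAD response is embedded as sample input), looks the six headers up case-insensitively, and maps the count of present headers to a letter grade. The grade table and header list are the page's; everything else (function names, the sample response) is the example's own.

```python
"""Presence-based grading of HTTP security headers, following the
letter-grade table above. Added example; not the scanner's own code."""
from typing import Dict, List

# The six headers the grade counts. HTTP header names are case-insensitive,
# so lookups below use lower-cased keys.
CHECKED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)

# Number of present headers -> grade, exactly as in the grading table.
GRADE_BY_COUNT = {6: "A+", 5: "A", 4: "B", 3: "C", 2: "D", 1: "D", 0: "F"}


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse the status line and header block of a raw HTTP/1.1 response.

    Returns a dict keyed by lower-cased header name. Repeated headers are
    joined with ", " (RFC 9110 list semantics; Set-Cookie is the usual
    exception and would need a list). Any body after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    if not status.startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {status!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Return the checked headers that are absent, in canonical casing."""
    return [h for h in CHECKED_HEADERS if h.lower() not in headers]


def grade(headers: Dict[str, str]) -> str:
    """Map the number of present checked headers to a letter grade."""
    present = len(CHECKED_HEADERS) - len(missing_headers(headers))
    return GRADE_BY_COUNT[present]


# Constructed sample: a HEAD response from a site that sets four of the six,
# with mixed header-name casing to show that lookups are case-insensitive.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "x-content-type-options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Vary: Accept-Encoding\r\n"
    "Vary: Cookie\r\n"
    "\r\n"
)

if __name__ == "__main__":
    h = parse_response_head(SAMPLE_RESPONSE)
    print("grade:", grade(h))              # B (4 of 6 present)
    print("missing:", missing_headers(h))  # CSP and Permissions-Policy
```

Pointing this at a live site means replacing SAMPLE_RESPONSE with the bytes returned by a HEAD request; nothing else changes.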

How to use the Security Headers Scanner

It only takes a few seconds to scan your site's security headers:

  • Enter a website address (e.g. https://example.com) or a bare domain name (e.g. example.com).
  • Click the Scan Security Headers button.
  • Review the letter grade, the missing headers and the full list of response headers.

Why is it important to have security headers?

Security headers are one of the easiest and most effective measures available to protect your site from common attacks. They need no extra software, no server changes beyond adding the headers themselves, and have negligible performance impact. They protect against:

  • Cross-Site Scripting (XSS) — Mitigated by a properly configured Content-Security-Policy.
  • Clickjacking — Prevented by X-Frame-Options.
  • MIME Sniffing Attacks — Mitigated by X-Content-Type-Options.
  • Protocol Downgrade — Prevented by HSTS.
  • Information Leakage — Controlled by Referrer-Policy.
  • Unauthorized Feature Access — Restricted by Permissions-Policy.

The following list gives the recommended value for each header.

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (or SAMEORIGIN if your own pages need to frame the site)
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (only add preload once every subdomain is served over HTTPS, because preload-list inclusion is hard to reverse and includeSubDomains is required for it)
  • Referrer-Policy: strict-origin-when-cross-origin or no-referrer
  • Content-Security-Policy: customized to your application (e.g. default-src 'self'; script-src 'self'); avoid 'unsafe-inline' and wildcards in script-src, since they defeat the XSS protection
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
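The grade above only checks that a header exists; the list of recommended values is what a reviewer actually compares against. The following is an added example (not the scanner's own code) that checks the values of the six headers against those recommendations and flags common weak settings: a non-nosniff X-Content-Type-Options, an X-Frame-Options value other than DENY/SAMEORIGIN, an HSTS max-age under one year or preload without includeSubDomains, a leaky Referrer-Policy, and a CSP whose script-src allows 'unsafe-inline' or a wildcard. The two header sets at the bottom are constructed sample input; function names and the exact finding strings are the example's own.

```python
"""Check the six security headers' values against the recommended settings.
Added example; not the scanner's own code."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the recommended HSTS max-age
VALID_XFO = {"DENY", "SAMEORIGIN"}
# Referrer-Policy values that never send the full URL cross-origin.
STRONG_REFERRER = {"strict-origin-when-cross-origin", "no-referrer",
                   "same-origin", "strict-origin"}


def check_values(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing, malformed or weak header values.

    `headers` may use any name casing; lookups are case-insensitive.
    """
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}

    # X-Content-Type-Options: "nosniff" is the only defined value.
    v = h.get("x-content-type-options")
    if v is None:
        findings.append("X-Content-Type-Options missing")
    elif v.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has invalid value {v!r}")

    # X-Frame-Options: anything but DENY/SAMEORIGIN (e.g. the obsolete
    # ALLOW-FROM) is ignored by browsers and gives no clickjacking protection.
    v = h.get("x-frame-options")
    if v is None:
        findings.append("X-Frame-Options missing")
    elif v.strip().upper() not in VALID_XFO:
        findings.append(f"X-Frame-Options value {v!r} is not DENY/SAMEORIGIN")

    # HSTS: max-age is mandatory and should be at least a year; the preload
    # list additionally requires includeSubDomains.
    v = h.get("strict-transport-security")
    if v is None:
        findings.append("Strict-Transport-Security missing")
    else:
        directives = {d.strip().lower() for d in v.split(";") if d.strip()}
        m = re.search(r"max-age=(\d+)", v, re.IGNORECASE)
        if not m:
            findings.append("HSTS has no max-age directive")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age {m.group(1)} is below one year")
        if "preload" in directives and "includesubdomains" not in directives:
            findings.append("HSTS preload requires includeSubDomains")

    # Referrer-Policy: flag values that leak the full URL to other origins.
    v = h.get("referrer-policy")
    if v is None:
        findings.append("Referrer-Policy missing")
    elif v.strip().lower() not in STRONG_REFERRER:
        findings.append(f"Referrer-Policy {v!r} leaks more than recommended")

    # CSP: script-src (or default-src as its fallback) must not allow inline
    # scripts or any host, otherwise injected script still runs.
    v = h.get("content-security-policy")
    if v is None:
        findings.append("Content-Security-Policy missing")
    else:
        csp: Dict[str, List[str]] = {}
        for part in v.split(";"):
            tokens = part.split()
            if tokens:
                csp[tokens[0].lower()] = tokens[1:]
        script = csp.get("script-src", csp.get("default-src"))
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        elif {"'unsafe-inline'", "*"} & {t.lower() for t in script}:
            findings.append("CSP script-src allows 'unsafe-inline' or *")

    # Permissions-Policy: presence only; which features to disable depends
    # on the application.
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


# Constructed sample: the recommended values from the list above.
STRONG = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed sample: five headers present, so it would grade "A" on presence
# alone, yet four of them carry weak values.
WEAK = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Strict-Transport-Security": "max-age=300; preload",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    print(check_values(STRONG))  # []
    for finding in check_values(WEAK):
        print("-", finding)
```

Run against WEAK this reports six findings, which is the point: a site can grade "A" on presence while every header but one is effectively switched off.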

Privacy

We make a direct HEAD request to the target URL and show the response headers in your browser. We do not store your IP address, the headers returned, or the URLs you scan. No account, rate limits or captchas are required to use the Security Headers Scanner.

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are response headers sent by a web server that tell the browser to enforce security policies on the page. They provide protection against attacks such as XSS, clickjacking, MIME sniffing and protocol downgrade without requiring any changes to application code.

Is the Security Headers Scanner free?

Yes, the Security Headers Scanner is free.

Do I need an account, or is there a scan limit?

No. There is no sign-up and no daily scan limit on the Security Headers Scanner, and no captchas are required.

What grade should my website aim for?

Aim for a grade of B or better; a site with all six security headers present receives an A+. Even the simplest static site should set X-Content-Type-Options and X-Frame-Options as a minimum, since both have a single safe value and no application-specific tuning.

Does the scanner follow redirects?

Yes. The scanner follows redirects (up to 10 hops) and checks the security headers of the final destination URL. The redirect chain and the final URL are both shown in the results.

What are the steps to implementing security headers on my website?

Security headers are usually added in your web server configuration. On Apache, use the Header directive (mod_headers must be enabled) in the server config or an .htaccess file; prefer Header always set so the header is also sent on error responses. On Nginx, use add_header, again with the always flag for the same reason, and remember that an add_header in a location block replaces, rather than extends, the add_header lines inherited from the server block. On Cloudflare, use Transform Rules to modify response headers; many other CDNs offer equivalent header injection. After deploying, re-scan an error page as well as the home page to confirm the headers are present on both.

What is the difference between CSP and X-Frame-Options?

X-Frame-Options only controls whether the page may be embedded in a frame (clickjacking protection). Content-Security-Policy is a general policy that covers every kind of resource, including scripts, styles, images, fonts and frames. Framing can also be controlled with CSP's frame-ancestors directive, which is more flexible (it accepts a list of allowed origins) and, in browsers that support it, takes precedence over X-Frame-Options when both are present. Sending both is still the common choice, since X-Frame-Options covers older clients.

Will this scanner scan for all security headers?

Our scanner checks the six most impactful and widely recommended security headers. Other headers such as Clear-Site-Data, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy offer further protection but are less widely deployed, and they are not part of the grade.