Free Security Tool

Free Security Header Checker

Scan your website's HTTP security headers. Check for Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Free, no signup · Results in 30 seconds · 200+ total checks

What this tool checks

This tool inspects the HTTP response headers your server sends and evaluates them against security best practices. It checks for Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (COOP), and Cross-Origin-Embedder-Policy (COEP). It also checks for server information disclosure and secure cookie flags.

Why it matters

Security headers are your server's first line of defense against common web attacks. Without a Content-Security-Policy, your site is vulnerable to cross-site scripting (XSS). Without X-Frame-Options, attackers can embed your site in an iframe for clickjacking. Missing HSTS allows protocol downgrade attacks. These headers cost nothing to implement but significantly reduce your attack surface.

Common issues we find

  • Missing Content-Security-Policy header, leaving the site vulnerable to XSS attacks
  • No Strict-Transport-Security (HSTS) header, allowing SSL stripping attacks
  • X-Frame-Options not set, enabling clickjacking attacks
  • Server header disclosing software version information to attackers
  • Missing Permissions-Policy, allowing third-party scripts to access device features
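As an added example (not PageGrader's own code), here is a small Python checker that applies the checks listed above and under "What this tool checks" to a constructed set of response headers. The thresholds it uses (a one-year HSTS max-age, digits in the Server header counting as version disclosure, CSP `frame-ancestors` standing in for X-Frame-Options) are assumptions about what counts as a finding.

```python
import re

# Constructed sample of response headers (not real scan data).
SAMPLE_HEADERS = [
    ("Server", "nginx/1.18.0"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

def check_security_headers(headers):
    """Return a list of findings for a list of (name, value) response headers."""
    found, cookies = {}, []
    for name, value in headers:
        key = name.lower()  # header names are case-insensitive
        if key == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat; keep every instance
        else:
            found[key] = value
    findings = []
    csp = found.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp:
        findings.append("CSP allows 'unsafe-inline' without nonces")
    hsts = found.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < 31536000:  # assumed threshold: one year
        findings.append("HSTS max-age below one year")
    # CSP frame-ancestors supersedes X-Frame-Options, so flag only when both are absent
    if "x-frame-options" not in found and "frame-ancestors" not in (csp or ""):
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    if found.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    for h in ("referrer-policy", "permissions-policy",
              "cross-origin-opener-policy", "cross-origin-embedder-policy"):
        if h not in found:
            findings.append(f"missing {h.title()}")
    if re.search(r"\d", found.get("server", "")):  # assumed: digits imply a version
        findings.append("Server header discloses a version")
    for c in cookies:
        flags = {p.strip().lower() for p in c.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            findings.append(f"cookie {c.split('=', 1)[0]} missing {', '.join(missing)}")
    return findings
```

Running `check_security_headers(SAMPLE_HEADERS)` on the constructed headers reports nine findings, including the short HSTS max-age and the session cookie without `Secure`.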

Get the full picture

Security is just one of 11 categories PageGrader audits. Run a full scan to see your scores across SEO, performance, accessibility, security, content quality, mobile, links, images, social sharing, AI readiness, and best practices.

Run a full website audit

200+ checks across 11 categories. Free, no signup required.