UtilHQ

HTTP Header Checker

Inspect HTTP response headers and get an instant security grade for any website with this free header checker.


About This Tool

Inspect HTTP response headers and get an instant security grade for any website with this free header checker. Enter a URL, and the tool fetches the full set of response headers returned by the server, then scores the site from A+ to F based on the presence and configuration of eight critical security headers. You also get a redirect chain breakdown, response time measurement, and server identification data. Results appear in seconds with clear pass, warning, and fail indicators for each header.

HTTP headers are metadata sent by a web server alongside every response. They control how browsers handle content, enforce security policies, manage caching behavior, and enable cross-origin resource sharing. Misconfigured or missing security headers leave a site vulnerable to cross-site scripting (XSS), clickjacking, man-in-the-middle attacks, and data injection. Regularly auditing your headers is one of the simplest steps you can take to harden a website against common attack vectors.

This tool is free, requires no signup, and works with any publicly accessible URL. The audit covers Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cross-Origin isolation headers. Each check includes a specific recommendation so you know exactly what to fix and why it matters.

What Are HTTP Security Headers?

HTTP security headers are response headers that instruct browsers to enable specific security mechanisms. Unlike application-level defenses (input validation, authentication), security headers are enforced by the browser on every response, so they apply automatically to every page load. Here are the most important ones:

  • Content-Security-Policy (CSP) defines which sources of scripts, styles, images, and other resources the browser should trust. A well-configured CSP blocks inline scripts and prevents most XSS attacks.
  • Strict-Transport-Security (HSTS) tells browsers to only connect via HTTPS for a specified duration. Once set, even if a user types "http://", the browser upgrades to HTTPS automatically.
  • X-Content-Type-Options with the value "nosniff" prevents browsers from guessing the MIME type of a resource. This stops attacks where a file is served with a wrong content type to trick the browser into executing it.
  • X-Frame-Options blocks other sites from embedding your pages in iframes, which is the primary defense against clickjacking attacks.

Understanding the Security Grade

The security grade is calculated on a 100-point scale across eight header categories. Each header contributes a fixed number of points based on its importance to overall security posture:

  • A+ (90-100 points): All critical headers are present and correctly configured. The site follows security best practices.
  • A (80-89 points): Strong security with minor gaps. Most headers are properly set.
  • B (60-79 points): Good baseline security. Some headers like Permissions-Policy or Cross-Origin headers may be missing.
  • C (40-59 points): Moderate security. Key headers like CSP or HSTS are likely absent.
  • D (20-39 points): Weak security. The site is missing most recommended security headers.
  • F (0-19 points): Critical gaps. The site has almost no security headers configured.

Most production websites score between B and C. Reaching A+ requires deliberate configuration of all eight header types, which is uncommon outside of security-focused organizations.

How to Add Security Headers

The method for adding security headers depends on your web server or hosting platform:

  • Nginx: Add headers in your server block using add_header directives. For example: add_header X-Frame-Options "DENY" always;
  • Apache: Use Header set directives in your .htaccess file or virtual host configuration.
  • Cloudflare: Use Transform Rules or Workers to inject headers into responses.
  • AWS CloudFront: Use Response Headers Policies to add security headers at the CDN level.
  • Vercel/Netlify: Configure headers in vercel.json or _headers file respectively.

Start by adding HSTS and X-Content-Type-Options, which rarely cause compatibility issues. Then implement X-Frame-Options and Referrer-Policy. CSP is the most powerful but also the most complex header to configure correctly. Use report-only mode first to identify legitimate resources your CSP needs to allow before enforcing it.

Common Header Mistakes

Even when security headers are present, misconfigurations can reduce their effectiveness or break site functionality:

  • CSP too permissive: Using unsafe-inline and unsafe-eval in CSP negates most of its protection against XSS. Aim to remove these directives by refactoring inline scripts.
  • Short HSTS max-age: A max-age under 31536000 seconds (1 year) means the browser forgets the HTTPS-only rule quickly. Short values also prevent inclusion in the HSTS preload list.
  • Exposing server info: The Server and X-Powered-By headers reveal your technology stack to attackers. Remove or obscure these in production.
  • Missing on subdomains: HSTS without includeSubDomains leaves subdomains vulnerable to downgrade attacks. Add this directive once all subdomains support HTTPS.
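As an added example (not UtilHQ's own scoring code), the following Python audits a captured dict of response headers against the eight header categories and the misconfigurations listed above, then maps the score to the letter grades defined earlier. The per-header weights, the half-credit rules, and the use of Cross-Origin-Opener-Policy to stand in for the cross-origin category are assumptions, since the page states only that the weights are fixed.

```python
import re

# Assumed per-header weights (sum to 100); the page says weights are fixed but
# does not publish them. The cross-origin category is represented by COOP here.
WEIGHTS = {"content-security-policy": 24, "strict-transport-security": 20,
           "x-content-type-options": 10, "x-frame-options": 10,
           "referrer-policy": 10, "permissions-policy": 10,
           "x-xss-protection": 5, "cross-origin-opener-policy": 11}
ONE_YEAR = 31536000  # HSTS max-age floor recommended on the page (seconds)

def check_header(name, value):
    """Credit (0..1) for one header; value is None when the header is absent."""
    if value is None:
        return 0.0
    v = value.lower()
    if name == "content-security-policy":
        # unsafe-inline / unsafe-eval negate most of CSP's XSS protection
        return 0.5 if ("unsafe-inline" in v or "unsafe-eval" in v) else 1.0
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < ONE_YEAR:
            return 0.5  # too short to persist or to qualify for preload
        return 1.0 if "includesubdomains" in v else 0.75
    if name == "x-content-type-options":
        return 1.0 if v.strip() == "nosniff" else 0.0
    if name == "x-frame-options":
        return 1.0 if v.strip() in ("deny", "sameorigin") else 0.5
    return 1.0  # presence is enough for the remaining headers

def grade(headers):
    """Return (score, letter, leaked) for a dict of response headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    score = int(sum(WEIGHTS[n] * check_header(n, lower.get(n)) for n in WEIGHTS))
    bands = [(90, "A+"), (80, "A"), (60, "B"), (40, "C"), (20, "D"), (0, "F")]
    letter = next(g for floor, g in bands if score >= floor)
    # Server / X-Powered-By reveal the stack; reported separately, not scored
    leaked = [h for h in ("server", "x-powered-by") if h in lower]
    return score, letter, leaked

SAMPLE = {  # constructed sample response headers, not captured from a real site
    "Strict-Transport-Security": "max-age=15768000",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Server": "nginx/1.24.0"}

if __name__ == "__main__":
    print(grade(SAMPLE))  # the short HSTS max-age and unsafe-inline cost half credit each
```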

Frequently Asked Questions

What is the most important HTTP security header?
Content-Security-Policy (CSP) is considered the most impactful single security header because it prevents a wide range of attacks including cross-site scripting (XSS), data injection, and content spoofing. A strict CSP blocks unauthorized script execution, the root cause of most web application attacks. HSTS is a close second because it prevents protocol downgrade attacks and cookie hijacking over unencrypted connections.
Why does my site get a low security grade even with HTTPS?
HTTPS encrypts data in transit but does not add security headers to your responses. Security headers are configured separately on your web server or CDN. A site can have a valid SSL certificate and still score an F if no security headers are returned. HTTPS handles transport encryption, while security headers handle browser behavior enforcement. You need both for comprehensive protection.
Will adding security headers break my website?
Most security headers are safe to add without side effects. X-Content-Type-Options, X-Frame-Options, and Referrer-Policy rarely cause issues. HSTS is safe if your site already works fully over HTTPS. Content-Security-Policy is the header most likely to cause breakage because it restricts which scripts, styles, and resources the browser loads. To avoid issues, deploy CSP in report-only mode first using the Content-Security-Policy-Report-Only header, monitor violations, then switch to enforcement once you have whitelisted all legitimate sources.
How often should I audit my HTTP headers?
Run a header audit after every deployment that changes your server configuration, CDN settings, or hosting platform. At minimum, check headers monthly to catch configuration drift from infrastructure updates. Automated CI/CD checks that verify expected headers are present after each deploy provide the best coverage. Framework upgrades, plugin updates, and CDN policy changes can silently remove or alter security headers.
What is the difference between X-Frame-Options and CSP frame-ancestors?
Both headers prevent clickjacking by controlling iframe embedding, but CSP frame-ancestors is the modern replacement. X-Frame-Options only supports DENY, SAMEORIGIN, and ALLOW-FROM (deprecated in most browsers). CSP frame-ancestors supports multiple origins, wildcards, and scheme restrictions. If both headers are present, frame-ancestors takes priority in modern browsers. For maximum compatibility, set both headers until you can drop support for older browsers that do not recognize CSP.