Internet Toolset


Security Headers Checker - Analyze HTTP Security Headers

Security Headers Checker

Analyze HTTP security headers for any website.


Understanding HTTP Security Headers

HTTP security headers are response headers that instruct browsers how to behave when handling your website's content. Properly configured security headers can protect your users from a wide range of attacks including cross-site scripting (XSS), clickjacking, MIME sniffing attacks, and man-in-the-middle attacks.

Essential Security Headers Explained

Strict-Transport-Security (HSTS)

Purpose: Forces browsers to only connect via HTTPS, preventing protocol downgrade attacks and cookie hijacking.

Recommended Value:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • max-age: How long (in seconds) to remember this policy (31536000 = 1 year)
  • includeSubDomains: Apply to all subdomains
  • preload: Allow inclusion in browser HSTS preload lists

Warning: Once HSTS is enabled, your site must support HTTPS continuously. Misconfiguration can make your site inaccessible.

Content-Security-Policy (CSP)

Purpose: Prevents XSS attacks by specifying which content sources are allowed to load on your page.

Example Value:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'

Key Directives:

  • default-src: Fallback for other directives
  • script-src: Controls JavaScript sources
  • style-src: Controls CSS sources
  • img-src: Controls image sources
  • connect-src: Controls AJAX, WebSocket, etc.
  • frame-ancestors: Controls who can embed your page (replaces X-Frame-Options)

Use our CSP Generator to create your policy.

X-Frame-Options

Purpose: Prevents clickjacking attacks by controlling whether your page can be embedded in iframes.

Possible Values:

  • DENY: Page cannot be displayed in a frame
  • SAMEORIGIN: Page can only be framed by same origin
  • ALLOW-FROM uri: Page can only be framed by specified origin (deprecated)

Recommended Value:

X-Frame-Options: SAMEORIGIN

Note: CSP's frame-ancestors directive is more flexible and is gradually replacing X-Frame-Options.

X-Content-Type-Options

Purpose: Prevents MIME type sniffing, where browsers guess a response's content type instead of trusting the declared Content-Type. Sniffing becomes a security vulnerability when malicious content is interpreted as executable.

Recommended Value:

X-Content-Type-Options: nosniff

This header has only one valid value and should always be set.

X-XSS-Protection

Purpose: Enables the browser's built-in XSS filter. However, this header is largely deprecated as modern browsers have removed their XSS auditors.

Recommended Value:

X-XSS-Protection: 0

Modern recommendation: Disable this header and rely on CSP instead. The XSS auditor could itself be exploited in some cases.

Referrer-Policy

Purpose: Controls how much referrer information is sent when navigating from your site. Protects user privacy and prevents leaking sensitive URLs.

Common Values:

  • no-referrer: Never send referrer
  • same-origin: Only send for same-origin requests
  • strict-origin-when-cross-origin: Send the full URL for same-origin requests, only the origin for cross-origin HTTPS→HTTPS requests
  • no-referrer-when-downgrade: Default; send the full referrer unless HTTPS→HTTP

Recommended Value:

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy (Feature-Policy)

Purpose: Controls which browser features and APIs can be used on your site, including geolocation, camera, microphone, and more.

Example Value:

Permissions-Policy: geolocation=(), camera=(), microphone=()

This example disables geolocation, camera, and microphone access entirely.

Why Security Headers Matter

The Cost of Insecurity

  • XSS Attacks: Attackers can steal session cookies, redirect users, or inject malware
  • Clickjacking: Users can be tricked into clicking hidden elements
  • Data Theft: Man-in-the-middle attacks can intercept unencrypted data
  • SEO Impact: Google considers HTTPS a ranking factor
  • User Trust: Browser warnings deter visitors from insecure sites

Security Headers and Compliance

Many security standards and regulations require proper security headers:

  • PCI DSS: Payment card industry standards require HTTPS and secure configurations
  • HIPAA: Healthcare data protection benefits from defense-in-depth measures
  • GDPR: Protecting user data includes technical measures like CSP
  • SOC 2: Security audits evaluate header configurations

Implementing Security Headers

Apache (.htaccess)

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Express.js (Node)

const express = require('express');
const helmet = require('helmet');

const app = express();
// helmet() applies its default set of security headers to every response;
// review its defaults against the recommendations above.
app.use(helmet());

Header Checklist

Grading Scale

  • A - All essential headers present
  • B - Most headers configured
  • C - Some headers missing
  • D/F - Critical headers missing
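The header recommendations above and the grading scale, implemented as an added example that is not the tool's own code: HSTS, CSP, framing protection and nosniff are treated as critical, the rest as minor, and the mapping of findings onto the A-F scale is this example's own assumption.

```python
import re

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # max-age the HSTS section recommends

def check_headers(headers):
    """Grade a dict of response headers; returns (grade, critical, minor)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    critical, minor = [], []
    # HSTS: must exist, last a full year and cover subdomains
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        critical.append("Strict-Transport-Security missing")
    else:
        if int(m.group(1)) < ONE_YEAR:
            minor.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            minor.append("HSTS lacks includeSubDomains")
    # CSP must exist; frame-ancestors or X-Frame-Options must block framing
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        critical.append("Content-Security-Policy missing")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        critical.append("no framing protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        critical.append("X-Content-Type-Options: nosniff missing")
    # Legacy XSS auditor: absent or 0 is the modern recommendation
    if h.get("x-xss-protection", "0").split(";")[0].strip() != "0":
        minor.append("X-XSS-Protection should be 0 or absent")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        minor.append("Referrer-Policy missing or leaks full URLs cross-origin")
    if "permissions-policy" not in h:
        minor.append("Permissions-Policy missing")
    # Assumed mapping onto the checklist's A-F scale
    if critical:
        grade = "F" if len(critical) > 1 else "D"
    else:
        grade = "A" if not minor else ("B" if len(minor) == 1 else "C")
    return grade, critical, minor

if __name__ == "__main__":
    # Constructed sample: the four headers from the Nginx snippet above
    print(check_headers({"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                         "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
                         "Referrer-Policy": "strict-origin-when-cross-origin"}))
```

Feed it the headers of a real response (e.g. from `requests.get(url).headers`) to see which of the page's recommendations a site misses.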