Security Headers Checker: Test CSP, HSTS, X-Frame-Options & More

Inspect HTTP security headers for a public website and review CSP, HSTS, clickjacking protection, referrer policy, permissions policy, and cross-origin isolation signals.


Security Headers Checker

Check the defensive HTTP headers returned by a public website.


The checker follows up to five public redirects and evaluates the final response.


Why run a security headers checker online

A security headers checker online helps you confirm which defensive HTTP headers a public page is returning right now. These headers do not replace application security work, but they reduce exposure to common browser-side risks such as clickjacking, MIME sniffing, overly broad referrers, weak framing rules, and missing HTTPS enforcement.

How the test runs

The tool makes a server-side HTTP or HTTPS request to the public URL you enter, follows up to five public redirects, reads the final response headers, and grades the presence and basic quality of the most common security headers. It checks Strict-Transport-Security, Content-Security-Policy, frame protection through CSP or X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy.

How to interpret results

Start with headers reported as missing or failed, then review warnings, where a header exists but may be weak for modern browsers. A high score means the final response exposes a strong baseline; a low score means the site should review its web server, CDN, framework, or application header configuration.

  • HSTS helps browsers keep future requests on HTTPS after a secure visit.
  • CSP limits where scripts, styles, frames, images, and other resources may load from.
  • Frame protection helps reduce clickjacking risk.
  • Referrer and permissions policies reduce unnecessary browser data exposure.
  • COOP and CORP help isolate cross-origin browsing contexts and resources.

This check reports the headers returned by the final public response. It does not audit the whole application, prove the CSP is perfect, test private networks, or store personal data.
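As an added worked example of the flow this section describes (a server-side fetch that follows at most five redirects, then a grade of the final response) together with the header checks in the list above, the Python below is illustrative code written for this page, not the checker's own implementation. The per-check weights, the six-month HSTS threshold, the sets of values treated as strong, and the two sample responses are all assumptions constructed for the example; `score_headers` runs offline on those samples, while `fetch_final_headers` is the network step that would feed it.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumed weights (they sum to 100) and assumed strong values; the tool's own are not published.
WEIGHTS = {"hsts": 20, "csp": 25, "frame": 15, "nosniff": 10,
           "referrer": 10, "permissions": 8, "coop": 6, "corp": 6}
STRONG_VALUES = {
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
    "permissions-policy": set(),  # any explicit policy counts as a pass here
    "cross-origin-opener-policy": {"same-origin", "same-origin-allow-popups"},
    "cross-origin-resource-policy": {"same-origin", "same-site"},
}

def check_hsts(h):
    value = h.get("strict-transport-security")
    if value is None:
        return "fail", "Strict-Transport-Security missing"
    match = re.search(r"max-age=(\d+)", value, re.I)
    age = int(match.group(1)) if match else 0
    if age < 15552000:  # assumed threshold: six months
        return "warn", f"HSTS max-age={age} is short"
    return "pass", "HSTS present with a meaningful max-age"

def check_csp(h):
    value = h.get("content-security-policy")
    if value is None:
        return "fail", "Content-Security-Policy missing"
    risky = [tok for tok in ("'unsafe-inline'", "'unsafe-eval'") if tok in value]
    if risky:
        return "warn", "CSP allows " + ", ".join(risky)
    return "pass", "CSP present without unsafe-inline or unsafe-eval"

def check_frame(h):  # CSP frame-ancestors first, then the older X-Frame-Options
    if "frame-ancestors" in h.get("content-security-policy", ""):
        return "pass", "CSP frame-ancestors set"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "pass", f"X-Frame-Options {xfo}"
    if xfo:
        return "warn", f"X-Frame-Options '{xfo}' is not DENY or SAMEORIGIN"
    return "fail", "no frame protection (frame-ancestors or X-Frame-Options)"

def check_value(name):  # presence check; warns when the value is outside STRONG_VALUES[name]
    def inner(h):
        value = h.get(name)
        if value is None:
            return "fail", f"{name} missing"
        accepted = STRONG_VALUES[name]
        if accepted and value.strip().lower() not in accepted:
            return "warn", f"{name} value '{value}' may be weak"
        return "pass", f"{name} set"
    return inner

CHECKS = {"hsts": check_hsts, "csp": check_csp, "frame": check_frame,
          "nosniff": check_value("x-content-type-options"),
          "referrer": check_value("referrer-policy"),
          "permissions": check_value("permissions-policy"),
          "coop": check_value("cross-origin-opener-policy"),
          "corp": check_value("cross-origin-resource-policy")}

def score_headers(headers):  # -> (score out of 100, [(check, status, note), ...])
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score, findings = 0, []
    for key, check in CHECKS.items():
        status, note = check(h)
        score += {"pass": WEIGHTS[key], "warn": WEIGHTS[key] // 2, "fail": 0}[status]
        findings.append((key, status, note))
    return score, findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse automatic redirects so each hop is counted below

def fetch_final_headers(url, max_redirects=5):  # -> (final_url, redirect_chain, headers)
    opener = urllib.request.build_opener(_NoRedirect)
    chain = []
    for _ in range(max_redirects + 1):
        try:
            with opener.open(url, timeout=10) as resp:
                return url, chain, dict(resp.headers)
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                chain.append(url)
                url = urllib.parse.urljoin(url, location)
                continue
            return url, chain, dict(err.headers)  # 4xx/5xx responses still carry headers
    raise RuntimeError(f"more than {max_redirects} redirects")

# Constructed sample responses (not captured from any real site).
STRONG = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
          "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
          "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin"}
WEAK = {"strict-transport-security": "max-age=300", "X-Frame-Options": "ALLOWALL",
        "content-security-policy": "default-src * 'unsafe-inline' 'unsafe-eval'"}
```

`score_headers(STRONG)` returns 100 and `score_headers(WEAK)` returns 29: the weak sample earns half credit for HSTS (short max-age), for CSP (unsafe-inline and unsafe-eval) and for frame protection (an X-Frame-Options value browsers do not recognise), and nothing for the five absent headers. The `max-age` regex and the substring test for `frame-ancestors` are deliberately simple; a grader meant for production should parse CSP directives properly rather than searching the raw header.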

Frequently Asked Questions

What does this security headers checker test?

It checks the HTTP response headers returned by a public URL. The report focuses on CSP, HSTS, frame protection, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, and CORP.

How does the security headers checker work?

The tool makes a server-side request to the URL you enter and reads the response headers. It then scores the headers against a conservative baseline for common browser security controls.

Can I test a domain without typing the protocol?

Yes. If you enter only a domain, the checker uses HTTPS by default. You can also enter a full HTTP or HTTPS URL when you want to inspect a specific path.

Does a perfect score mean my website is secure?

No. Security headers are one layer of browser hardening, not a complete security audit. A strong score means the checked response has a good header baseline, but the application still needs secure code, authentication, authorization, and infrastructure controls.

Why is HSTS important?

HSTS tells browsers to use HTTPS for future visits after a secure connection has been seen. It helps reduce downgrade and accidental plain HTTP exposure when configured with a meaningful max-age.

Why can Content-Security-Policy show a warning?

A CSP can exist but still allow risky patterns such as unsafe inline scripts or unsafe eval. The checker marks those cases as warnings because the header helps, but the policy may need tightening.

What is clickjacking protection?

Clickjacking protection limits whether another site can place your page inside a frame. It is usually configured with CSP frame-ancestors or the older X-Frame-Options header.

Why do results differ between the homepage and another URL?

Headers can be configured per route, CDN rule, framework response, or origin service. Test the exact URL users load because a homepage, login page, API route, and static asset can return different headers.

Does this checker follow redirects?

Yes. It follows up to five public HTTP or HTTPS redirects and evaluates the final response headers, because those are the headers users usually receive. The redirect chain is shown in the result so you can still review where the request moved.

Can this tool test private or local websites?

No. It is intended for public domains and public HTTP or HTTPS URLs. Localhost, private networks, internal hostnames, and reserved IP ranges are rejected.
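As an added example of the rejection rule in this answer (illustrative code for this page, not the tool's own), the Python below vets a target before any request is made: it applies the same HTTPS default as the earlier FAQ answer, accepts only http and https, refuses localhost-style names and IP literals that are not globally routable, and resolves any other hostname so that every address it maps to must be public. The blocked suffix list and the `resolver` hook are assumptions; the default resolver uses the standard library, and the fake resolvers mentioned in the usage are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed list of name suffixes that never denote a public service.
BLOCKED_SUFFIXES = (".localhost", ".local", ".internal", ".home.arpa")

def is_public_ip(text):
    """True only for globally routable unicast addresses (no private, loopback,
    link-local, shared-address, reserved, unspecified or multicast ranges)."""
    ip = ipaddress.ip_address(text)
    return ip.is_global and not ip.is_multicast

def resolve_all(host):
    """Default resolver: every address the name currently maps to, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def target_is_allowed(url, resolver=resolve_all):
    """Return (allowed, reason). A bare domain is treated as https://."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing hostname"
    try:  # an IP literal in the URL is decided without touching DNS
        return (True, f"public ip literal {host}") if is_public_ip(host) \
            else (False, f"non-public ip literal {host}")
    except ValueError:
        pass  # not an IP literal; fall through to hostname rules
    if host == "localhost" or host.endswith(BLOCKED_SUFFIXES) or "." not in host:
        return False, f"internal hostname {host!r}"
    try:
        addresses = resolver(host)
    except OSError as err:
        return False, f"resolution failed for {host}: {err}"
    bad = [a for a in addresses if not is_public_ip(a)]
    if bad or not addresses:  # one non-public address is enough to refuse the name
        return False, f"{host} resolves to non-public address(es) {bad}"
    return True, f"{host} -> {addresses}"
```

With a constructed resolver such as `lambda h: ["93.184.216.34"]`, `target_is_allowed("example.com", resolver=...)` is allowed, while `http://localhost:8080/`, `http://[::1]/`, a `10.0.0.0/8` result or a name ending in `.internal` are refused. Two points matter once this is wired into a fetcher: the request should connect to the address that was vetted rather than resolving the name a second time, and because the checker follows up to five redirects, each hop is a new target that must pass the same check before it is fetched.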

Is it safe to use this security headers checker?

Yes. The checker only requests the public URL and reads response headers. It does not need credentials, does not modify the remote site, and does not store personal data.

Which header should I fix first?

Start with missing CSP, HSTS on HTTPS pages, frame protection, and X-Content-Type-Options. Then refine Referrer-Policy, Permissions-Policy, COOP, and CORP based on how your application embeds content and uses cross-origin resources.