
Security Headers Check — Free Tool

Analyze your website's security headers: HSTS, Content-Security-Policy, X-Frame-Options, and more. Get a score and actionable recommendations.

Headers: CSP, HSTS, X-Frame-Options, etc.
SSL/TLS: Encryption and certificate
Configuration: Server settings and leaks
Grade A-F: Overall security score

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade from A to F shows overall security level.

Header Analysis

Checks Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finds exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Common Mistakes

Missing Content-Security-Policy: CSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS header: Without HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes version: A header such as Server: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not set: The site can be embedded in an iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-Options: Without nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headers: Minimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP gradually: Start with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headers: Remove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-Policy: Restrict camera, microphone, geolocation access — only what is actually used.
Check after every deploy: Security headers can be overwritten during server configuration updates.
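As an added illustration of the checks listed under Common Mistakes and Best Practices (example code written for this page, not the tool's own implementation; the penalty values, grade thresholds and sample header sets are constructed assumptions), a small Python analyzer that grades a set of response headers:

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_WEAK = {
    "Server": "Apache/2.4.52",
    "X-Powered-By": "PHP/8.1.2",
}
SAMPLE_HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Server": "Apache",
}

def _get(headers, name):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def analyze_headers(headers):
    """Return (grade, findings). Penalties are a constructed illustration
    for this example, not the tool's own scoring scheme."""
    hits = []  # (finding, penalty)
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:  # Report-Only mode only monitors; it blocks nothing yet
        ro = _get(headers, "Content-Security-Policy-Report-Only") is not None
        hits.append(("CSP report-only, not enforced", 10) if ro
                    else ("Missing Content-Security-Policy", 25))
    if not re.search(r"max-age=\d+", _get(headers, "Strict-Transport-Security") or ""):
        hits.append(("Missing or invalid Strict-Transport-Security", 20))
    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or ""):
        hits.append(("X-Frame-Options not set (clickjacking)", 15))
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        hits.append(("Missing X-Content-Type-Options: nosniff", 10))
    for name in ("Referrer-Policy", "Permissions-Policy"):
        if _get(headers, name) is None:
            hits.append((f"Missing {name}", 5))
    server = _get(headers, "Server") or ""
    if re.search(r"\d", server):  # "Apache" is fine; "Apache/2.4.52" leaks the version
        hits.append((f"Server header exposes version: {server}", 10))
    for name in ("X-Powered-By", "X-AspNet-Version"):
        if _get(headers, name) is not None:
            hits.append((f"{name} header present; remove it", 10))
    score = max(0, 100 - sum(p for _, p in hits))
    grade = next(g for g, floor in (("A", 90), ("B", 75), ("C", 60), ("D", 40), ("F", 0))
                 if score >= floor)
    return grade, [msg for msg, _ in hits]
```

Pass it the header mapping from any HTTP client response to grade a live site; a CSP in Report-Only mode is flagged separately because it monitors violations but does not enforce anything.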