Analyze your website security: headers, HTTPS, cookies, and information disclosure checks
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade from A to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
Sample findings from the report:
Strict-Transport-Security: missing.
Server: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options: set DENY or SAMEORIGIN.
X-Content-Type-Options: without nosniff, browsers may misinterpret file types (MIME sniffing).
Content-Security-Policy: start with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Information disclosure: remove Server, X-Powered-By, X-AspNet-Version from responses.
The security check tool analyzes HTTP response headers and evaluates the website's protection level. The key security headers are checked: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Use this tool to audit security headers before launching a website, after server migration, or as part of regular security reviews. Each header is scored individually, and you receive a total security grade from A+ to F. The tool checks for common misconfigurations such as missing HSTS, overly permissive CSP, missing clickjacking protection, and outdated X-XSS-Protection headers.
For deeper analysis, combine it with our SSL certificate checker to verify the TLS configuration, and with our HTTP headers reference to understand each header's purpose. Regular security header monitoring helps maintain compliance with OWASP recommendations and protects your users from XSS, clickjacking, and data injection attacks.
Top 5 essential headers: Content-Security-Policy (XSS protection), Strict-Transport-Security (forced HTTPS), X-Content-Type-Options (nosniff), X-Frame-Options (clickjacking protection), Permissions-Policy (API restrictions).
In nginx, add add_header directives in the server block. In Apache, use Header set in .htaccess or the main config. In PHP, use the header() function. For Cloudflare, use Transform Rules. Verify the result with our tool after configuration.
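The checks described above (missing HSTS, CSP, clickjacking and nosniff protection, outdated X-XSS-Protection, and version-disclosing Server or X-Powered-By headers) can be reproduced offline against a captured response. The following is an added example written for this page, not the tool's own code; the A-to-F grading scale it uses is a simplified assumption, and the two header sets are constructed, not captured from a real site.

```python
from typing import Dict, List, Tuple

# Response headers that disclose server software; the report says to remove them.
LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def audit_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (grade, findings) for one response; names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    csp = h.get("content-security-policy", "")
    if not csp:
        note = " (report-only found, not enforced)" if "content-security-policy-report-only" in h else ""
        findings.append("missing Content-Security-Policy" + note)
    elif "'unsafe-inline'" in csp:
        findings.append("overly permissive CSP: 'unsafe-inline'")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name}")
    if "x-xss-protection" in h:
        findings.append("outdated X-XSS-Protection header present; remove it")
    for name in LEAK_HEADERS:
        if name in h:
            findings.append(f"{name} discloses '{h[name]}'; remove it")
    # Simplified grading (an assumption, not the tool's scale): A with no
    # findings, one letter lower per finding, floor at F.
    grade = "ABCDEF"[min(len(findings), 5)]
    return grade, findings

# Constructed sample responses, not captured from any real site.
BEFORE = {"Server": "Apache/2.4.52", "X-Powered-By": "PHP/8.1.2",
          "Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}
AFTER = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
         "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
         "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
         "Referrer-Policy": "strict-origin-when-cross-origin",
         "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        grade, issues = audit_headers(hdrs)
        print(label, grade, *issues, sep="\n  ")
```

Feed it the headers you see in the browser's network panel or a curl -I dump to confirm that the nginx, Apache, PHP or Cloudflare change actually reached the response.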
A high security score means your site is protected against major web vulnerabilities. This increases user trust, improves SEO (Google considers HTTPS and headers), and reduces the risk of hacking and data leaks.
CSP is a header that defines where the browser may load resources from (scripts, styles, images). It is the primary browser-side protection against XSS attacks. Example: default-src 'self' blocks all resources from origins other than your own.
Use the X-Frame-Options: DENY or SAMEORIGIN header to prevent embedding your site in iframes on other domains. The modern alternative is CSP with the frame-ancestors directive.
The X-Content-Type-Options: nosniff header prevents the browser from "guessing" the MIME type of a file. Without it, the browser may interpret a text file as a script, creating a vulnerability to MIME-sniffing attacks.
Permissions-Policy (formerly Feature-Policy) is a header that controls access to browser APIs: camera, microphone, geolocation, autoplay. It is recommended to disable unused APIs to minimize the attack surface.