Security Headers Checker Examples

The Security Headers Checker reads the HTTP response headers a web server actually sends and reports whether each security header is present and configured in a way browsers will honor. Because a header only protects users when it reaches the browser, the check is made against the live response rather than the intended configuration. Below are examples of what the checker evaluates, common findings, and how to fix them.

Example Check Result: Missing Critical Headers

Checking https://example.com might return a report like this:

Security Headers Report for: https://example.com

Grade: D

✗ Content-Security-Policy    — MISSING
✗ Strict-Transport-Security  — MISSING
✓ X-Frame-Options            — SAMEORIGIN (OK)
✓ X-Content-Type-Options     — nosniff (OK)
✗ Referrer-Policy            — MISSING
✗ Permissions-Policy         — MISSING
✗ Cross-Origin-Opener-Policy — MISSING

Content-Security-Policy (CSP)

CSP is the most impactful of these headers. It tells the browser which sources scripts, styles, images, frames and other resources may be loaded from, so injected markup cannot pull in attacker-controlled script. It does not stop the injection itself, but it limits what an injected payload can do, which makes it the main browser-side mitigation for cross-site scripting (XSS).

Weak CSP (flags as warning):

Content-Security-Policy: default-src *; script-src 'unsafe-inline' 'unsafe-eval'

Strong CSP (passes check; the nonce shown is a placeholder, and a real one must be a fresh random value on every response, since a fixed nonce is as good as 'unsafe-inline'):

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'nonce-abc123'; img-src 'self' data: https:; frame-ancestors 'none'

Adding CSP in Express.js with Helmet (the nonce is generated per request rather than hard-coded; Helmet evaluates function-valued directive entries for each response, and in version 5 and later merges these directives with its default policy unless useDefaults: false is passed):

const express = require('express');
const crypto = require('crypto');
const helmet = require('helmet');

const app = express();

// Issue a fresh nonce for every response; a static nonce gives no protection
app.use((req, res, next) => {
  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
  next();
});

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "https://cdn.example.com"],
    // Function values are called per request, so each response gets its own nonce
    styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
    imgSrc: ["'self'", "data:", "https:"],
    frameAncestors: ["'none'"]
  }
}));

Strict-Transport-Security (HSTS)

HSTS tells a browser that has already received the header over HTTPS to use HTTPS for every later request to the host (and, with includeSubDomains, to every subdomain) for max-age seconds, which blocks SSL-stripping downgrade attacks after the first secure visit. The very first visit is only protected if the domain is on the browser preload list, so add the preload token only when you intend to submit the domain at hstspreload.org: removal from the list is slow, and the policy will apply to every subdomain, including any that are still HTTP-only.

Insufficient (max-age too short):

Strict-Transport-Security: max-age=300

Recommended configuration:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Adding HSTS in Nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Adding HSTS in Apache:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
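The report above, the weak and strong CSP examples, and the HSTS max-age rule can be reproduced with a small checker. The following is an added example written for this page, not the Security Headers Checker's own source: it parses a raw response head, applies presence and value checks for the seven headers in the report (the later sections' headers are presence checks with a sanity test on the value), and assigns a grade. The one-year HSTS threshold, the list of weak script sources, and the grade scale (chosen so that five missing headers give a D, as in the report) are assumptions of this example, and the sample response is constructed rather than captured.

```javascript
// Added example for this page, not the Security Headers Checker's own source. The one-year
// HSTS threshold, the weak-source list and the grade scale are assumptions of the example.
const RECOMMENDED_HSTS_MAX_AGE = 31536000; // one year, matching the recommended header above

// Parse a raw HTTP response head into a map of lower-cased header names to values.
// The status line has no ':' and is skipped; a repeated header keeps its last value.
function parseResponseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Parse one CSP policy into { directive: [source expressions] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Script sources that leave a policy "present" but nearly useless against XSS.
const WEAK_SCRIPT_SOURCES = new Set(['*', "'unsafe-inline'", "'unsafe-eval'", 'http:', 'https:', 'data:']);

// Return the weaknesses found in a policy; an empty list means it passes.
function cspWeaknesses(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const scriptSources = d['script-src'] || d['default-src']; // script-src falls back to default-src
  if (!scriptSources) findings.push('no script-src or default-src: scripts are unrestricted');
  for (const s of scriptSources || []) {
    if (WEAK_SCRIPT_SOURCES.has(s.toLowerCase())) findings.push(`script sources allow ${s}`);
  }
  if (!d['frame-ancestors']) findings.push('no frame-ancestors directive');
  if (!d['object-src'] && !d['default-src']) findings.push('no object-src directive');
  return findings;
}

// Parse HSTS into { maxAge, includeSubDomains, preload }; null when max-age is absent (RFC 6797 requires it).
function parseHsts(value) {
  const r = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v = ''] = part.trim().split('=').map(s => s.trim().replace(/^"|"$/g, '').toLowerCase());
    if (k === 'max-age' && /^\d+$/.test(v)) r.maxAge = Number(v);
    else if (k === 'includesubdomains') r.includeSubDomains = true;
    else if (k === 'preload') r.preload = true;
  }
  return r.maxAge === null ? null : r;
}

// Evaluate the seven headers the report lists. Status is OK, WARN or MISSING.
function checkSecurityHeaders(headers) {
  const results = [];
  const check = (name, key, validate) => {
    const v = headers[key];
    if (v === undefined) return results.push({ name, status: 'MISSING', detail: '' });
    const problem = validate ? validate(v) : null;
    results.push({ name, status: problem ? 'WARN' : 'OK', detail: problem || v });
  };
  check('Content-Security-Policy', 'content-security-policy', v => cspWeaknesses(v).join('; ') || null);
  check('Strict-Transport-Security', 'strict-transport-security', v => {
    const h = parseHsts(v);
    if (!h) return 'malformed: max-age is required';
    return h.maxAge < RECOMMENDED_HSTS_MAX_AGE ? `max-age=${h.maxAge} is shorter than one year` : null;
  });
  check('X-Frame-Options', 'x-frame-options', v => ['DENY', 'SAMEORIGIN'].includes(v.toUpperCase()) ? null : `unsupported value ${v}`);
  check('X-Content-Type-Options', 'x-content-type-options', v => v.toLowerCase() === 'nosniff' ? null : `expected nosniff, got ${v}`);
  check('Referrer-Policy', 'referrer-policy', v => v.toLowerCase() === 'unsafe-url' ? 'unsafe-url leaks full URLs cross-origin' : null);
  check('Permissions-Policy', 'permissions-policy');
  check('Cross-Origin-Opener-Policy', 'cross-origin-opener-policy', v => v.toLowerCase() === 'unsafe-none' ? 'unsafe-none is the insecure default' : null);
  return results;
}

// Assumed grade scale, chosen so the five missing headers in the report above give a D.
function gradeResults(results) {
  const issues = results.filter(r => r.status !== 'OK').length;
  return issues === 0 ? 'A' : issues === 1 ? 'B' : issues <= 3 ? 'C' : issues <= 5 ? 'D' : 'F';
}

// Render a report in the same layout as the one shown above.
function report(url, raw) {
  const results = checkSecurityHeaders(parseResponseHeaders(raw));
  const grade = gradeResults(results);
  const lines = [`Security Headers Report for: ${url}`, `Grade: ${grade}`];
  for (const r of results) {
    const detail = r.status === 'OK' ? `${r.detail} (OK)` : r.status === 'WARN' ? `WARN (${r.detail})` : 'MISSING';
    lines.push(`${r.status === 'OK' ? '✓' : '✗'} ${r.name.padEnd(27)} - ${detail}`);
  }
  return { grade, results, text: lines.join('\n') };
}

// Constructed sample response head (not a real capture) that reproduces the report above.
const SAMPLE_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html; charset=utf-8\r\n' +
  'X-Frame-Options: SAMEORIGIN\r\n' +
  'X-Content-Type-Options: nosniff\r\n' +
  'Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n';

console.log(report('https://example.com', SAMPLE_RESPONSE).text);
```

Feed it a captured response head (for example the output of curl -sI https://example.com) and it prints the same seven-line verdict as the report above; run cspWeaknesses on its own to see why a policy is graded as a warning rather than a pass.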

X-Frame-Options

Prevents clickjacking by controlling whether the page can be embedded in iframes.

# Deny all framing
X-Frame-Options: DENY

# Allow framing from same origin only
X-Frame-Options: SAMEORIGIN

Note: ALLOW-FROM is not supported by current browsers. For more granular control (allowing specific third-party origins), use the CSP frame-ancestors directive instead; browsers that understand frame-ancestors ignore X-Frame-Options when both are present, so keep X-Frame-Options only as a fallback for older clients:

Content-Security-Policy: frame-ancestors 'self' https://trusted-partner.com

X-Content-Type-Options

Tells the browser to trust the declared Content-Type instead of sniffing the body, so that, for example, a user-uploaded file served as text/plain is never interpreted as a script or stylesheet. nosniff is the only defined value.

X-Content-Type-Options: nosniff

Referrer-Policy

Controls how much referrer information is sent with requests, protecting user privacy.

# Recommended: full URL for same-origin requests, origin only for cross-origin requests, nothing on an HTTPS to HTTP downgrade
Referrer-Policy: strict-origin-when-cross-origin

# Most restrictive: never send referrer
Referrer-Policy: no-referrer

Permissions-Policy

Controls which browser features the page, and any iframes it embeds, may use. An empty allowlist () disables the feature throughout the page; to permit specific origins, list them inside the parentheses, e.g. geolocation=(self "https://maps.example.com").

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

Cross-Origin Headers (Modern)

Cross-Origin-Opener-Policy: same-origin places the page in its own browsing context group, so a cross-origin window that opened it (or that it opened) keeps no usable window reference. Combined with Cross-Origin-Embedder-Policy: require-corp it makes the page cross-origin isolated, which is what unlocks SharedArrayBuffer and high-resolution timers. Cross-Origin-Resource-Policy is set on resources rather than documents and declares who may embed them; once require-corp is enabled, every cross-origin script, image or font without a permissive CORP value (or a CORS grant) stops loading, so audit subresources before rolling COEP out. The report above lists COOP; COEP and CORP are usually deployed alongside it:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
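An added example, not code from this page or from any browser, showing how these three headers interact: a document is cross-origin isolated only when COOP same-origin and COEP require-corp (or credentialless) are both present, and under require-corp each cross-origin subresource must carry a permissive Cross-Origin-Resource-Policy or be fetched with CORS. The resource list is constructed for the example, the site comparison uses the last two host labels instead of a public-suffix list, and the rules are a simplified model of what the Fetch specification enforces.

```javascript
// Added example (not the page's or a browser's code): a simplified model of cross-origin
// isolation and of which subresources COEP: require-corp blocks. Header maps use lower-cased names.
function isCrossOriginIsolated(docHeaders) {
  const coop = (docHeaders['cross-origin-opener-policy'] || 'unsafe-none').toLowerCase();
  const coep = (docHeaders['cross-origin-embedder-policy'] || 'unsafe-none').toLowerCase();
  // Both are required: COOP isolates the window from cross-origin openers, COEP gates embedded content.
  return coop === 'same-origin' && (coep === 'require-corp' || coep === 'credentialless');
}

// Registrable-domain comparison using the last two labels (assumption: no public-suffix list).
function sameSite(originA, originB) {
  const site = o => new URL(o).hostname.split('.').slice(-2).join('.');
  return site(originA) === site(originB);
}

// Would one subresource load into a document enforcing COEP: require-corp?
// resource: { url, headers, cors } where cors=true means a CORS-mode fetch (e.g. <img crossorigin>).
function loadsUnderRequireCorp(documentOrigin, resource) {
  const origin = new URL(resource.url).origin;
  if (origin === documentOrigin) return true;                 // same-origin is always allowed
  const corp = (resource.headers['cross-origin-resource-policy'] || '').toLowerCase();
  if (corp === 'cross-origin') return true;                   // explicit CORP opt-in
  if (corp === 'same-site' && sameSite(origin, documentOrigin)) return true;
  if (resource.cors) {                                        // a CORS grant also satisfies COEP
    const acao = resource.headers['access-control-allow-origin'];
    return acao === '*' || acao === documentOrigin;
  }
  return false;                                               // no CORP and no CORS: blocked
}

// List the resources a page would lose after enabling require-corp.
function auditEmbeddedResources(documentOrigin, resources) {
  return resources.filter(r => !loadsUnderRequireCorp(documentOrigin, r)).map(r => r.url);
}

// Constructed inputs for the example (hypothetical hosts and headers).
const DOC = 'https://app.example.com';
const RESOURCES = [
  { url: 'https://app.example.com/main.js', headers: {}, cors: false },
  { url: 'https://static.example.com/logo.png', headers: { 'cross-origin-resource-policy': 'same-site' }, cors: false },
  { url: 'https://cdn.example.net/lib.js', headers: { 'access-control-allow-origin': '*' }, cors: true },
  { url: 'https://cdn.example.net/font.woff2', headers: {}, cors: false },
];

console.log(auditEmbeddedResources(DOC, RESOURCES)); // only the font from cdn.example.net is blocked
```

The font is the typical casualty: third-party fonts and images are fetched in no-cors mode, so they need a CORP header from the serving host, while a script tag with crossorigin="anonymous" can be satisfied by a CORS header instead.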

Full Recommended Header Set (Nginx)

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;

Note: Nginx add_header directives are inherited from the server block only when the location block defines none of its own; a location that adds even one header must repeat the whole set. The always parameter keeps the headers on error responses (4xx and 5xx), which would otherwise be sent without them.

Security Grade Scale

Run the checker before a new site goes live and again after any server, proxy or CDN configuration change: a misplaced add_header or an intermediary that strips headers removes the protection silently, and the checker is the quickest way to catch that before it becomes a liability in production.
