HTTP Response Headers Checker

Analyze HTTP response headers and get a security grade. Check for CSP, HSTS, X-Frame-Options, and more.


Why Security Headers Matter

HTTP security headers are your first line of defense against common web attacks. They instruct browsers on how to handle your content securely, preventing attacks like:

  • 🛡️ XSS Attacks: CSP prevents malicious script injection
  • 🖼️ Clickjacking: X-Frame-Options blocks iframe embedding
  • 🔒 Downgrade Attacks: HSTS forces HTTPS connections
  • 📄 MIME Sniffing: X-Content-Type-Options prevents type confusion

Critical Security Headers

Content-Security-Policy (CSP)

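The most powerful security header. CSP defines which sources of content are allowed to load, effectively preventing XSS attacks by blocking unauthorized scripts. In the example below, 'unsafe-inline' in script-src still allows inline scripts, which weakens that protection; use nonces or hashes for the inline scripts you need where possible.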

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'

Strict-Transport-Security (HSTS)

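Forces browsers to always use HTTPS for the site for the max-age period (in seconds), even if the user types http://. The policy takes effect once the browser has received the header over HTTPS, or from the first visit if the domain is on the browser's preload list. Prevents man-in-the-middle attacks and cookie hijacking.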

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

X-Frame-Options

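Prevents your site from being embedded in iframes on other domains, protecting against clickjacking attacks. DENY blocks all framing, including by your own pages; SAMEORIGIN allows framing by the same origin only. The CSP frame-ancestors directive provides the same control in newer browsers.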

X-Frame-Options: DENY
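
How a check of these header values can work, as an added example that is not this tool's own code: it parses the CSP and HSTS values and reports weak settings. The finding codes and the one-year max-age threshold are assumptions made for the illustration.

```python
import re

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
ONE_YEAR = 31536000  # the max-age used in the HSTS example above

def parse_csp(value):
    """Split a CSP header value into {directive: [lowercased source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so the first one wins.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_headers(headers):
    """Return finding codes (hypothetical names) for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))  # script-src fallback
    if not csp:
        findings.append("csp-missing")
    elif scripts is None:
        findings.append("csp-scripts-unrestricted")
    elif "'unsafe-inline'" in scripts and not any(s.startswith(HASH_OR_NONCE) for s in scripts):
        # When a nonce or hash is present, browsers ignore 'unsafe-inline'.
        findings.append("csp-unsafe-inline")
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r'max-age\s*=\s*"?(\d+)', hsts)
    if age is None:
        findings.append("hsts-missing-or-invalid")
    elif int(age.group(1)) < ONE_YEAR:
        findings.append("hsts-short-max-age")
    xfo = h.get("x-frame-options", "").upper()
    # ALLOW-FROM is obsolete; CSP frame-ancestors also restricts framing.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing-unrestricted")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    return findings

# Constructed input: the three example header values shown on this page.
PAGE_EXAMPLE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
}
print(audit_headers(PAGE_EXAMPLE))
```

Run against the page's own example values, it flags the 'unsafe-inline' script source and the absent X-Content-Type-Options header.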

How to Add Security Headers

Security headers are typically configured at the web server or CDN level:

  • Nginx — Use the add_header directive in your server block
  • Apache — Use the Header set directive in .htaccess
  • Cloudflare — Use Transform Rules or Workers to add headers
  • Vercel/Next.js — Configure headers in next.config.js
