Free tool

Check a site's security headers

Enter a website and we'll fetch its HTTP response headers, grade the security ones, and explain in plain language what each does and what's missing.

Frequently asked questions

What are HTTP security headers?

HTTP security headers are response headers, such as HSTS and Content-Security-Policy, that tell browsers to enforce safer behaviour: blocking downgrade attacks, cross-site scripting, and clickjacking.

Which security headers should a website have?

At minimum HSTS, Content-Security-Policy, X-Content-Type-Options, a framing protection (X-Frame-Options or CSP frame-ancestors), Referrer-Policy, and Permissions-Policy.