Free tool
Check a site's security headers
Enter a website and we'll fetch its HTTP response headers, grade the security ones, and explain in plain language what each does and what's missing.
How this works
- We make a single request to the address from our server and read only the response headers.
- We don't store the result, and nothing is shared unless you copy the link.
Frequently asked questions
What are HTTP security headers?
Response headers like HSTS and Content-Security-Policy that tell browsers to enforce safer behaviour - blocking downgrade attacks, cross-site scripting, and clickjacking.
Which security headers should a website have?
At minimum HSTS, Content-Security-Policy, X-Content-Type-Options, a framing protection (X-Frame-Options or CSP frame-ancestors), Referrer-Policy, and Permissions-Policy.
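A check for the minimum set listed above, as an added example (not this tool's own code). The function names, the sample headers, and the two value checks (HSTS max-age greater than 0, X-Content-Type-Options equal to nosniff) are assumptions made for illustration; the page does not describe its grading rules.

```python
import re

# Minimum set named in the FAQ above; framing protection is checked separately
# because either X-Frame-Options or CSP frame-ancestors satisfies it.
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy", "permissions-policy"]

def csp_directives(value):
    """Split a CSP value into {directive: [sources]}; the first occurrence of a directive wins."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out

def check_headers(raw):
    """Return (missing, weak) lists for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in raw.items()}  # header names are case-insensitive
    missing = [name for name in REQUIRED if name not in h]
    weak = []
    csp = csp_directives(h.get("content-security-policy", ""))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        missing.append("framing protection")
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        # Assumed rule: max-age=0 clears the browser's HSTS entry, so flag it as weak.
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) == 0:
            weak.append("strict-transport-security: max-age missing or 0")
    nosniff = h.get("x-content-type-options")
    if nosniff is not None and nosniff.lower() != "nosniff":
        weak.append("x-content-type-options: value is not nosniff")
    return missing, weak

# Constructed sample response headers (not taken from any real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    missing, weak = check_headers(SAMPLE)
    print("missing:", missing)
    print("weak:", weak)
```

In the sample, the CSP `frame-ancestors` directive satisfies the framing requirement even though X-Frame-Options is absent, while HSTS is present but reported as weak.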