Security Headers Checker
Analyze HTTP security headers for any website.
Understanding HTTP Security Headers
HTTP security headers are response headers that instruct browsers how to behave when handling your website's content. Properly configured security headers can protect your users from a wide range of attacks including cross-site scripting (XSS), clickjacking, MIME sniffing attacks, and man-in-the-middle attacks.
Essential Security Headers Explained
Strict-Transport-Security (HSTS)
Purpose: Forces browsers to only connect via HTTPS, preventing protocol downgrade attacks and cookie hijacking.
Recommended Value:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- max-age: How long (in seconds) to remember this policy (31536000 = 1 year)
- includeSubDomains: Apply to all subdomains
- preload: Allow inclusion in browser HSTS preload lists
Content-Security-Policy (CSP)
Purpose: Prevents XSS attacks by specifying which content sources are allowed to load on your page.
Example Value:
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'
Key Directives:
- default-src: Fallback for other directives
- script-src: Controls JavaScript sources
- style-src: Controls CSS sources
- img-src: Controls image sources
- connect-src: Controls AJAX, WebSocket, etc.
- frame-ancestors: Controls who can embed your page (replaces X-Frame-Options)
Use our CSP Generator to create your policy.
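To make the directive model concrete, here is a small CSP parser and linter (an added example, not the page's CSP Generator or checker). It splits a policy into directives, applies the default-src fallback when a fetch directive is absent, and flags the weak settings most often seen in practice. The set of checks and the finding codes are this example's own choices; the sample policies are constructed.

```python
"""Parse a Content-Security-Policy value and flag weak script-src settings.

Added example: the checks below (missing default-src, 'unsafe-inline' or
'unsafe-eval' in the effective script-src, a wildcard script source, no
frame-ancestors) are this example's own list, not a standard one.
"""

# Constructed sample policies (the first is the page's own example value).
PAGE_EXAMPLE = ("default-src 'self'; script-src 'self' https://trusted.cdn.com; "
                "style-src 'self' 'unsafe-inline'")
WEAK_POLICY = "script-src 'unsafe-inline' *"
NONCE_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
                "'nonce-abc123'; frame-ancestors 'none'")


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source, ...]}.

    Directives are separated by ';' and a directive name is separated from
    its sources by whitespace. Names are case-insensitive, so they are
    lower-cased. Browsers ignore a directive that is repeated later in the
    same policy, so the first occurrence wins here as well.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty chunk, e.g. from a trailing ';'
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources that govern a fetch directive, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def _has_nonce_or_hash(sources: list[str]) -> bool:
    """CSP3 browsers ignore 'unsafe-inline' when a nonce or hash source is present."""
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
               for s in sources)


def lint_csp(header_value: str) -> list[str]:
    """Return finding codes, in check order, for a CSP header value."""
    policy = parse_csp(header_value)
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("missing-default-src")  # unlisted directives are unrestricted
    script = [s.lower() for s in effective_sources(policy, "script-src")]
    if "'unsafe-inline'" in script and not _has_nonce_or_hash(script):
        findings.append("script-unsafe-inline")  # inline scripts defeat the XSS benefit
    if "'unsafe-eval'" in script:
        findings.append("script-unsafe-eval")
    if "*" in script:
        findings.append("script-wildcard")
    if "frame-ancestors" not in policy:
        findings.append("missing-frame-ancestors")  # clickjacking left to X-Frame-Options
    return findings


if __name__ == "__main__":
    for name, value in (("page example", PAGE_EXAMPLE),
                        ("weak policy", WEAK_POLICY),
                        ("nonce policy", NONCE_POLICY)):
        print(f"{name}: {lint_csp(value) or 'no findings'}")
```

The page's own example policy yields a single finding (no frame-ancestors), which is exactly why the text pairs it with X-Frame-Options. Note the nonce case: a policy that lists 'unsafe-inline' next to a nonce is not weak in a CSP3 browser, because the keyword is ignored there; a linter that does not model this produces false positives on policies written for backward compatibility.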
X-Frame-Options
Purpose: Prevents clickjacking attacks by controlling whether your page can be embedded in iframes.
Possible Values:
- DENY: Page cannot be displayed in a frame
- SAMEORIGIN: Page can only be framed by same origin
- ALLOW-FROM uri: Page can only be framed by specified origin (deprecated)
X-Frame-Options: SAMEORIGIN
Note: CSP's frame-ancestors directive is more flexible and is gradually replacing X-Frame-Options.
X-Content-Type-Options
Purpose: Prevents MIME type sniffing, where browsers try to guess a response's content type instead of trusting the declared Content-Type. This can lead to security vulnerabilities when content served as something harmless is interpreted as an executable type such as a script.
Recommended Value:
X-Content-Type-Options: nosniff
This header has only one valid value and should always be set.
X-XSS-Protection
Purpose: Enables the browser's built-in XSS filter. However, this header is largely deprecated as modern browsers have removed their XSS auditors.
Recommended Value:
X-XSS-Protection: 0
Modern recommendation: Disable this header (set it to 0 or omit it) and rely on CSP instead. The XSS auditor could itself be exploited in some cases.
Referrer-Policy
Purpose: Controls how much referrer information is sent when navigating from your site. Protects user privacy and prevents leaking sensitive URLs.
Common Values:
- no-referrer: Never send referrer
- same-origin: Only send for same-origin requests
- strict-origin-when-cross-origin: Send full URL for same-origin, only origin for cross-origin HTTPS→HTTPS
- no-referrer-when-downgrade: Default; send full referrer unless HTTPS→HTTP
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy (Feature-Policy)
Purpose: Controls which browser features and APIs can be used on your site, including geolocation, camera, microphone, and more.
Example Value:
Permissions-Policy: geolocation=(), camera=(), microphone=()
This example disables geolocation, camera, and microphone access entirely.
Why Security Headers Matter
The Cost of Insecurity
- XSS Attacks: Attackers can steal session cookies, redirect users, or inject malware
- Clickjacking: Users can be tricked into clicking hidden elements
- Data Theft: Man-in-the-middle attacks can intercept unencrypted data
- SEO Impact: Google considers HTTPS a ranking factor
- User Trust: Browser warnings deter visitors from insecure sites
Security Headers and Compliance
Many security standards and regulations require proper security headers:
- PCI DSS: Payment card industry standards require HTTPS and secure configurations
- HIPAA: Healthcare data protection benefits from defense-in-depth measures
- GDPR: Protecting user data includes technical measures like CSP
- SOC 2: Security audits evaluate header configurations
Implementing Security Headers
Apache (.htaccess)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Express.js (Node)
const helmet = require('helmet');
app.use(helmet());
Header Checklist
Grading Scale
- A - All essential headers present
- B - Most headers configured
- C - Some headers missing
- D/F - Critical headers missing
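The grading scale above is easiest to understand as code. The following is an added example, not the checker tool itself: it takes a dict of response headers (looked up case-insensitively, since header names are case-insensitive and HTTP/2 delivers them in lower case), validates each essential header rather than just testing for its presence, and maps the result to a letter grade. Which headers count as essential (HSTS, CSP, framing protection, X-Content-Type-Options, Referrer-Policy) and which as critical (HSTS and CSP), and the exact thresholds for A/B/C/D/F, are this example's own assumptions; the sample header sets are constructed.

```python
"""Grade a set of HTTP response headers against the checklist above.

Added example. Assumptions made here, not stated by the page:
  essential = HSTS, CSP, framing protection, X-Content-Type-Options, Referrer-Policy
  critical  = HSTS and CSP
  A = all essentials pass, B = one missing, C = two or more missing,
  D = one critical header missing, F = both critical headers missing.
"""
import re

ONE_YEAR = 31536000  # the max-age the page recommends for HSTS
CRITICAL = ("hsts", "csp")

# Constructed sample responses.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
# Lower-cased names as seen over HTTP/2; HSTS max-age too short; legacy XSS filter on.
SHORT_HSTS_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "sameorigin",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
    "x-xss-protection": "1; mode=block",
}


def _get(headers: dict, name: str):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_ok(value) -> bool:
    """HSTS passes only if max-age is present and at least one year."""
    if value is None:
        return False
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return bool(match) and int(match.group(1)) >= ONE_YEAR


def check_headers(headers: dict) -> dict:
    """Return {check: passed} for each essential header."""
    csp = _get(headers, "Content-Security-Policy")
    xfo = _get(headers, "X-Frame-Options")
    xcto = _get(headers, "X-Content-Type-Options")
    # Framing protection may come from either X-Frame-Options or CSP frame-ancestors.
    framing = ((xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"))
               or (csp is not None and "frame-ancestors" in csp.lower()))
    return {
        "hsts": hsts_ok(_get(headers, "Strict-Transport-Security")),
        "csp": csp is not None,
        "framing": framing,
        "nosniff": xcto is not None and xcto.strip().lower() == "nosniff",
        "referrer-policy": _get(headers, "Referrer-Policy") is not None,
    }


def warnings(headers: dict) -> list[str]:
    """Ungraded advice: X-XSS-Protection should be 0 or absent (see above)."""
    found = []
    xss = _get(headers, "X-XSS-Protection")
    if xss is not None and xss.strip() != "0":
        found.append("X-XSS-Protection should be 0 or removed; rely on CSP")
    return found


def grade(headers: dict) -> str:
    """Map check results to the page's A/B/C/D/F scale (thresholds assumed here)."""
    results = check_headers(headers)
    critical_missing = sum(1 for c in CRITICAL if not results[c])
    if critical_missing == len(CRITICAL):
        return "F"
    if critical_missing:
        return "D"
    missing = sum(1 for ok in results.values() if not ok)
    return "A" if missing == 0 else "B" if missing == 1 else "C"


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("short hsts", SHORT_HSTS_HEADERS), ("none", {})):
        print(f"{label}: grade {grade(hdrs)} {check_headers(hdrs)} {warnings(hdrs)}")
```

The short-HSTS sample is the instructive one: every header is present, yet it grades D because a 300-second max-age gives almost no downgrade protection. A checker that only tests for the presence of header names would award it an A, which is why each check above inspects the value.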