Security Headers Scanner

Scan any URL for HTTP security headers and get a grade. Check CSP, HSTS, X-Frame-Options, and more.

Frequently Asked Questions

Common questions about the Security Headers Scanner tool.

Security headers are HTTP response headers the server sends alongside the page that instruct the browser to enforce additional restrictions: blocking clickjacking, cross-site scripting (XSS), mixed content, and other insecure content loading.

The main ones are Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. HSTS and CSP are the two that matter most.

Content-Security-Policy restricts the origins from which the browser is allowed to load scripts, styles, images, and other resources. It is the #1 XSS defence, but it is hard to deploy on legacy apps because inline scripts and inline event handlers break under a strict policy. Roll it out in report-only mode first (the `Content-Security-Policy-Report-Only` header), which reports violations without blocking anything.

Yes, for production domains you control. Preloading (submitting your domain to the browser HSTS preload list) guarantees browsers never talk to your domain over HTTP, not even for the first request. But it is hard to reverse: you commit to HTTPS-only for all subdomains for years. Only preload after you have verified that every subdomain works over HTTPS.
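As an added example (not the scanner's own code), here is a small Python grader that applies the checks the answers above describe: HSTS present with a year-long max-age and includeSubDomains, an enforced (not report-only) CSP without 'unsafe-inline' for scripts, clickjacking protection, nosniff, Referrer-Policy and Permissions-Policy. The sample header sets and the letter-grade scale are constructed assumptions; the tool's real scoring rules are not published here.

```python
# Added example, not the scanner's own code: a small grader that applies the checks
# the FAQ describes. Sample values and the letter-grade scale are constructed assumptions.
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts

def _csp_directive(csp: str, name: str):
    """Return one CSP directive's source list (lower-cased), or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None

def check_headers(headers: dict) -> list:
    """Return findings for one response's headers; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:  # 'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}
        d = dict(p.strip().lower().partition("=")[::2] for p in hsts.split(";") if p.strip())
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP only in report-only mode (not enforced)"
                        if "content-security-policy-report-only" in h else "CSP missing")
    else:  # script-src falls back to default-src when absent
        scripts = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows 'unsafe-inline' for scripts")
    # Clickjacking: frame-ancestors overrides X-Frame-Options when both are present.
    if _csp_directive(csp or "", "frame-ancestors") is None \
            and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("No clickjacking protection (X-Frame-Options or frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

def grade(headers: dict) -> tuple:
    """Letter grade from the finding count (assumed scale, not the tool's)."""
    findings = check_headers(headers)
    return "ABCDF"[min(len(findings), 4)], findings
```

Feed it the header dict from any HTTP client response; a site that sets frame-ancestors in its CSP passes the clickjacking check without X-Frame-Options, which is the modern recommendation.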