Security Headers Scanner
Analyze your website's HTTP security headers and get recommendations
What Are Security Headers?
HTTP security headers are directives sent by web servers to browsers that instruct how to behave when handling your website's content. They are a crucial part of website security, protecting against attacks like:
- Cross-Site Scripting (XSS): malicious scripts injected into trusted websites
- Clickjacking: tricking users into clicking hidden elements
- Protocol Downgrade: forcing insecure HTTP connections
- MIME Sniffing: browsers misinterpreting file types
Headers We Check
| Header | Purpose | Weight |
|---|---|---|
| HSTS | Forces HTTPS connections, preventing downgrade attacks. | 15 pts |
| CSP | Prevents XSS, clickjacking, and other code injection attacks. | 25 pts |
| X-Frame-Options | Prevents clickjacking by controlling iframe embedding. | 15 pts |
| X-Content-Type-Options | Prevents MIME type sniffing attacks. | 10 pts |
| Referrer-Policy | Controls how much referrer information is sent with requests. | 10 pts |
| Permissions-Policy | Controls which browser features can be used. | 10 pts |
| X-XSS-Protection | Legacy XSS filter (deprecated in modern browsers, CSP preferred). | 5 pts |
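As an added illustration of how the weights in the table combine into a score (example code written for this page, not the scanner's own implementation), the script below parses a raw HTTP response head and scores it. The point values are taken from the table; the grade cut-offs, the presence-only check and the sample response are assumptions.

```python
"""Score response headers with the weights from the table above (added example;
the point values are the page's, grade cut-offs are assumed)."""
from __future__ import annotations

# Header weights as listed in the "Headers We Check" table (90 points total).
WEIGHTS = {
    "strict-transport-security": 15,
    "content-security-policy": 25,
    "x-frame-options": 15,
    "x-content-type-options": 10,
    "referrer-policy": 10,
    "permissions-policy": 10,
    "x-xss-protection": 5,
}
MAX_SCORE = sum(WEIGHTS.values())
# Assumed grade cut-offs as percent of MAX_SCORE; the page gives no thresholds.
GRADE_BANDS = [(95, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F")]


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP/1.1 response head (status line plus headers) into a
    dict keyed by lowercase header name; no body is expected."""
    headers: dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").strip("\n").split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon are not headers; skip them
            headers[name.strip().lower()] = value.strip()
    return headers


def score_headers(headers: dict[str, str]) -> tuple[int, str, list[str]]:
    """Return (score, grade, missing header names). Presence alone earns the
    points here; a real scanner should also validate each header's value."""
    present = {k.lower() for k in headers}
    score = sum(w for h, w in WEIGHTS.items() if h in present)
    missing = sorted(h for h in WEIGHTS if h not in present)
    pct = 100 * score // MAX_SCORE
    grade = next(g for cutoff, g in GRADE_BANDS if pct >= cutoff)
    return score, grade, missing


# Constructed sample response: HSTS, CSP and nosniff set, the other four absent.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
)

if __name__ == "__main__":
    print(score_headers(parse_response_headers(SAMPLE)))
```

Run against a live site by pasting the response head from `curl -sI https://example.invalid` into SAMPLE; the sample above scores 50 of 90 and lists the four absent headers.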
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are directives sent by web servers to browsers that help protect websites and users from various attacks like XSS, clickjacking, and MIME sniffing. Important headers include Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options.
What do the grades mean?
A grade of A or A+ indicates excellent security header configuration. Grade B is acceptable but has room for improvement. Grades C, D, and F indicate missing critical security headers that should be addressed.
How do I add security headers to my website?
Security headers are typically added through your web server configuration (Apache, Nginx) or application code. For example, in Nginx you can add headers using the 'add_header' directive, and in Apache using the 'Header set' directive in .htaccess.