Secure Headers Checker

Check which security headers your site should have and generate them

Result
Security Grade: F
Headers Present: 0 / 8
Coverage: 0%
Missing Headers
Strict-Transport-Security [Critical] - Forces HTTPS connections, prevents downgrade attacks
X-Frame-Options [High] - Prevents clickjacking by blocking iframing
Content-Security-Policy [Critical] - Prevents XSS, injection, and data theft attacks
X-Content-Type-Options [High] - Prevents MIME-type sniffing attacks
Referrer-Policy [Medium] - Controls referrer information leakage
Permissions-Policy [Medium] - Restricts browser feature access
X-XSS-Protection [Low] - Legacy XSS filter (CSP is preferred)
CORS Headers [Varies] - Controls cross-origin resource sharing
Recommended Values
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
X-XSS-Protection: 0 (use CSP instead)
CORS Headers: Depends on API needs

About This Tool

Type your domain and the checker fetches the response headers, then grades each one against current best practices: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Missing or misconfigured headers get flagged with the exact value you should set instead.

For each missing header, the tool generates the recommended directive based on conservative defaults — a CSP that allows self and inline-style only, an HSTS with one-year max-age and includeSubDomains, frame-options DENY. Adjust before deploying; some apps need broader CSP allowances for legitimate reasons.

Headers are one of the cheapest security wins available. Adding HSTS and a strict CSP costs minutes of configuration and prevents a meaningful chunk of common attacks (clickjacking, content sniffing, mixed-content downgrade).

What each header does: Strict-Transport-Security (HSTS) tells browsers to always use HTTPS for your domain, blocking downgrade attacks that strip TLS. Content-Security-Policy (CSP) controls which scripts, styles, and resources can load — your strongest defense against XSS. X-Frame-Options (and its successor frame-ancestors directive in CSP) blocks your site from being embedded in an iframe, preventing clickjacking. X-Content-Type-Options: nosniff stops browsers from MIME-sniffing your responses, which prevents some content-confusion attacks. Referrer-Policy controls what referrer info leaks to third-party requests. Permissions-Policy restricts which browser features (camera, microphone, geolocation) your page can use.

Worked example: scan a fresh production site and the report shows HSTS missing, CSP missing, X-Frame-Options missing, X-Content-Type-Options missing. Recommended config (paste into your server config or middleware):
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; img-src 'self' https:; script-src 'self'; style-src 'self' 'unsafe-inline'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Deploy these and re-scan; the grade jumps from F to A in one config change.

Where headers go wrong: CSP is the hardest to get right and the most commonly misconfigured. Adding 'unsafe-inline' to script-src defeats most of CSP's XSS protection — the strict path is to use nonces or hashes for any inline scripts. HSTS with includeSubDomains commits every subdomain to HTTPS forever; deploy without it first, verify all subdomains have valid certs, then add it. Preload (which submits your domain to browsers' built-in HSTS list) is hard to undo — only enable after you're certain the entire domain tree is HTTPS-ready and will stay that way. CSP report-only mode (Content-Security-Policy-Report-Only) lets you test a policy without enforcing it; use this for at least a week before going live.
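As an added example (not the Coherence Daddy tool's own code), here is an offline grader in Python that applies the severity tiers and recommended values from the table above to an already-fetched header dict and flags the pitfalls described in the paragraph above: a script-src carrying 'unsafe-inline' and an HSTS max-age under one year. The A to F scale, the constructed sample headers and the omission of the CORS row (whose value depends on the API) are this example's own assumptions.

```python
import re
# Severity tier and recommended value per header, from the tool's table above (CORS left out: API-specific).
CHECKS = {
    "Strict-Transport-Security": ("Critical", "max-age=63072000; includeSubDomains; preload"),
    "Content-Security-Policy": ("Critical", "default-src 'self'; script-src 'self'"),
    "X-Frame-Options": ("High", "DENY"),
    "X-Content-Type-Options": ("High", "nosniff"),
    "Referrer-Policy": ("Medium", "strict-origin-when-cross-origin"),
    "Permissions-Policy": ("Medium", "camera=(), microphone=(), geolocation=()"),
    "X-XSS-Protection": ("Low", "0"),
}

def weak_reason(name, value):
    """Why a present header is still misconfigured; None means it passes."""
    v = value.strip()
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", v, re.I)  # one-year max-age is the floor
        return None if m and int(m.group(1)) >= 31536000 else "max-age below one year"
    if name == "Content-Security-Policy":
        dirs = {d.split()[0].lower(): d.split()[1:] for d in v.split(";") if d.strip()}
        if "'unsafe-inline'" in dirs.get("script-src", dirs.get("default-src", [])):
            return "'unsafe-inline' in script-src defeats XSS protection; use nonces or hashes"
    if name == "X-Frame-Options" and v.upper() not in ("DENY", "SAMEORIGIN"):
        return "must be DENY or SAMEORIGIN"
    if name == "X-XSS-Protection" and v != "0":
        return "legacy filter should be disabled with 0; rely on CSP"
    return None

def grade(headers):
    """Grade a header dict (names case-insensitive) -> (letter, present, findings)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []  # (header, severity, problem, recommended value)
    for name, (severity, recommended) in CHECKS.items():
        value = lower.get(name.lower())
        problem = "missing" if not (value or "").strip() else weak_reason(name, value)
        if problem:
            findings.append((name, severity, problem, recommended))
    present = len(CHECKS) - len(findings)
    # Scale is this example's assumption: Critical -> F, else A/B/C/D by High+Medium count.
    if any(f[1] == "Critical" for f in findings):
        return "F", present, findings
    serious = sum(1 for f in findings if f[1] in ("High", "Medium"))
    return "ABCD"[min(3, serious)], present, findings
# Constructed sample: a half-hardened site with a short HSTS and inline scripts allowed.
SAMPLE = {
    "strict-transport-security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}
```

Feeding the worked-example config from the previous section into grade() yields an A with only the Low-severity X-XSS-Protection row outstanding, while SAMPLE grades F on its two Critical findings.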

The about text and FAQ on this page were drafted with AI assistance and reviewed by a member of the Coherence Daddy team before publishing. See our Content Policy for editorial standards.

Frequently Asked Questions