Security Header Scanner
Enter your URL to check HSTS, CSP, CORS, cookie security and more — with a security score, risk level, and copy-paste fixes for every missing header.
What we check
9 critical security headers
Every scan inspects the same set of HTTP response headers that browsers use to defend against XSS, clickjacking, protocol downgrades, and data leaks.
Content Security Policy
Content-Security-PolicyControls which resources can load, mitigating XSS and injection.
HTTP Strict Transport Security
Strict-Transport-SecurityForces browsers to use HTTPS, preventing protocol downgrade attacks.
X-Frame-Options
X-Frame-OptionsPrevents your site from being embedded in frames (clickjacking).
X-Content-Type-Options
X-Content-Type-OptionsStops browsers from MIME-sniffing responses away from the declared type.
Cookie Security
Set-CookieCookies should use Secure, HttpOnly, and SameSite attributes.
CORS Headers
Access-Control-Allow-OriginCross-origin access should be explicit, not a wildcard with credentials.
Referrer Policy
Referrer-PolicyControls how much referrer information is sent with requests.
Permissions Policy
Permissions-PolicyRestricts access to powerful browser features (camera, geolocation…).
X-XSS-Protection
X-XSS-ProtectionLegacy XSS filter — best disabled in favor of a strong CSP.
Why it matters
A few headers stop a lot of attacks
Security headers are one of the cheapest, highest-impact hardening steps you can ship today.
Block common attacks
Headers like CSP, HSTS, and X-Frame-Options defend against XSS, protocol downgrades, and clickjacking before they reach your users.
Pass security reviews
Enterprise buyers and auditors check response headers first. A clean header profile clears procurement and pen-test checklists faster.
Earn user trust
Secure cookies and a strong policy protect sessions and signal to customers that their data is handled responsibly.
How it works
From URL to a hardened site in minutes
Enter your URL
Paste your website address and hit Scan. No sign-up, no downloads.
We inspect the headers
9 critical HTTP security headers are evaluated against modern best practices in seconds.
Get your report
See a security score, risk level, missing headers, and a per-header breakdown.
Apply the fixes
Copy the recommended header values into your server or CDN — or let our engineers do it.
FAQ
Frequently asked questions
What are HTTP security headers?
Security headers are HTTP response headers that tell the browser how to behave more safely — for example, forcing HTTPS (HSTS), restricting which scripts can run (Content-Security-Policy), or preventing your site from being embedded in a frame (X-Frame-Options).
Which headers does this scanner check?
It checks Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, CORS configuration, and cookie security attributes (Secure, HttpOnly, SameSite).
Why do missing security headers matter?
Missing headers leave known gaps: without CSP a single injected script can run freely, without HSTS a network attacker can downgrade to HTTP, and without secure cookie flags session tokens can leak. Each header closes a specific, well-documented attack path.
How do I add security headers to my site?
You set them at your web server, CDN, or edge (e.g. Nginx, Cloudflare, or an S3/CloudFront response-headers policy). The report gives you copy-paste values; start with HSTS and a Content-Security-Policy, then tighten from there.
Is the scan free, and is my data stored?
The scanner is free and requires no sign-up. Results are shown for your session only and are not saved to any database.
Want us to harden your headers?
Our engineers implement and validate security headers, CSP policies, and full-stack hardening — closing the gaps without breaking your app.