Check CSP, HSTS, X-Frame-Options & more for any domain — free, no login.
100% free · No login · Checks live HTTP response headers
This tool fetches the live HTTP response from a domain (HTTPS first, falling back to HTTP if unreachable) and checks for six commonly recommended security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Each header is weighted by its relative security impact, and the result is a letter grade from A+ to F. This is a lightweight heuristic check — not a substitute for a full penetration test or dedicated scanner.
Bookmark or share checks with /tools/headers.php?domain=example.com.
HTTP security headers are response headers a website sends that tell the browser how to behave — reducing risks like clickjacking, MIME-sniffing attacks, and cross-site scripting (XSS). Examples include Content-Security-Policy and Strict-Transport-Security.
A or A+ means most of the six checked headers are present and configured with safe values. C or below usually means several important headers are missing and the site could harden its defenses.
CSP tells the browser which sources of scripts, styles and other resources are allowed to load, which significantly reduces the risk of cross-site scripting (XSS) attacks if configured correctly.
Not necessarily — these headers are one layer of defense-in-depth, not the whole picture. A missing header is a hardening opportunity, not proof of a vulnerability. Always verify findings with a dedicated security scanner too.
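The fetch-then-weight-then-grade flow described in the tool description and the grade explanation above, as an added Python example that is not the tool's own PHP code: it fetches headers HTTPS-first with HTTP fallback, checks the six headers for presence and for a commonly recommended value, and maps a weighted score to a letter grade. The weights, the grade cut-offs and the "safe value" rules are assumptions, since the page does not publish the tool's own values.

```python
import urllib.error
import urllib.request
WEIGHTS = {  # assumed weights; the page does not publish the tool's own values
    "content-security-policy": 30, "strict-transport-security": 25,
    "x-frame-options": 15, "x-content-type-options": 10,
    "referrer-policy": 10, "permissions-policy": 10}
CUTOFFS = ((95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"))  # assumed

def fetch_headers(domain, timeout=10):
    """Fetch live response headers, HTTPS first, falling back to HTTP if unreachable."""
    for scheme in ("https", "http"):
        try:
            with urllib.request.urlopen(f"{scheme}://{domain}/", timeout=timeout) as resp:
                return dict(resp.headers)
        except urllib.error.HTTPError as err:
            return dict(err.headers)  # a 4xx/5xx response still carries headers
        except (urllib.error.URLError, OSError):
            continue  # unreachable on this scheme, try the next one
    raise RuntimeError(f"{domain}: unreachable over HTTPS and HTTP")

def is_safe(name, value):
    """True when the value is a commonly recommended setting, not merely present."""
    v = value.strip().lower()
    if name == "content-security-policy":  # inline/eval script defeats CSP's XSS value
        return "'unsafe-inline'" not in v and "'unsafe-eval'" not in v
    if name == "strict-transport-security":
        for directive in v.split(";"):
            key, _, num = directive.strip().partition("=")
            if key == "max-age" and num.isdigit():
                return int(num) >= 31536000  # at least one year
        return False
    if name == "x-frame-options":
        return v in ("deny", "sameorigin")
    if name == "x-content-type-options":
        return v == "nosniff"
    return bool(v) and v != "unsafe-url"  # Referrer-Policy / Permissions-Policy

def grade_headers(headers):
    """Weight each header, give half credit for weak values, return (score, grade, findings)."""
    lower = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    for name, weight in WEIGHTS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif is_safe(name, value):
            score += weight
        else:
            score += weight // 2
            findings.append(f"weak value: {name}: {value.strip()}")
    return score, next((g for c, g in CUTOFFS if score >= c), "F"), findings
```

`grade_headers(fetch_headers("example.com"))` performs the live check against a domain you operate; `grade_headers` also accepts any header mapping, so a captured response can be graded offline.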