Security Headers Checker

Check CSP, HSTS, X-Frame-Options & more for any domain — free, no login.

Which Headers Does This Check?

This tool fetches the live HTTP response from a domain (HTTPS first, falling back to HTTP if HTTPS is unreachable) and checks for six commonly recommended security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Each header is weighted by its relative security impact, and the result is a letter grade from A+ to F. This is a lightweight heuristic check — not a substitute for a full penetration test or dedicated scanner.

Bookmark or share checks with /tools/headers.php?domain=example.com.
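
A weighted presence-and-value check of the kind described above, as an added example that is not this tool's own code. The weights, grade cut-offs, one-year HSTS threshold, and the names `weakness` and `grade_headers` are assumptions; the sample headers are constructed.

```python
import re
# Assumed weights and grade cut-offs (the page does not publish the tool's own).
WEIGHTS = {"content-security-policy": 30, "strict-transport-security": 25,
           "x-frame-options": 15, "x-content-type-options": 10,
           "referrer-policy": 10, "permissions-policy": 10}
GRADES = [(100, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (0, "F")]
MIN_HSTS_AGE = 31536000  # one year in seconds, an assumed threshold

def weakness(name, value):
    """Return why a present header is weakly configured, or None if it looks safe."""
    v = value.lower()
    if name == "content-security-policy":
        directives = {}
        for part in v.split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0], tokens[1:])  # first occurrence wins
        src = directives.get("script-src", directives.get("default-src"))
        pinned = any(s.startswith(("'nonce-", "'sha")) for s in src or [])
        if src is None or "*" in src or ("'unsafe-inline'" in src and not pinned):
            return "script sources missing or effectively unrestricted"
    elif name == "strict-transport-security":
        m = re.search(r'max-age\s*=\s*"?(\d+)', v)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            return "max-age missing or under one year"
    elif name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "value is not DENY or SAMEORIGIN"
    elif name == "x-content-type-options" and v != "nosniff":
        return "value is not nosniff"
    elif name == "referrer-policy" and v.split(",")[-1].strip() in ("", "unsafe-url"):
        return "full URL sent to other origins"
    return None

def grade_headers(headers, scheme="https"):
    """Return (score, grade, findings): full weight if safe, half if weak, 0 if missing."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    if scheme != "https":  # browsers ignore HSTS received over plain HTTP (RFC 6797)
        seen.pop("strict-transport-security", None)
    score, findings = 0, {}
    for name, weight in WEIGHTS.items():
        reason = weakness(name, seen[name]) if name in seen else "missing"
        findings[name] = reason or "ok"
        score += 0 if reason == "missing" else (weight // 2 if reason else weight)
    return score, next(g for cutoff, g in GRADES if score >= cutoff), findings

# Constructed sample response headers, not taken from any real site.
SAMPLE = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
          "Strict-Transport-Security": "max-age=300",
          "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
```

Passing `scheme="http"` models the fallback case: a Strict-Transport-Security header served over plain HTTP earns no credit because browsers discard it.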

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are response headers a website sends that tell the browser how to behave — reducing risks like clickjacking, MIME-sniffing attacks, and cross-site scripting (XSS). Examples include Content-Security-Policy and Strict-Transport-Security.

What is a good security headers grade?

A or A+ means most of the 6 checked headers are present and configured with safe values. C or below usually means several important headers are missing and the site could harden its defenses.

Why is Content-Security-Policy (CSP) important?

CSP tells the browser which sources of scripts, styles and other resources are allowed to load, which significantly reduces the risk of cross-site scripting (XSS) attacks if configured correctly.

Does missing a header mean the site is insecure?

Not necessarily — these headers are one layer of defense-in-depth, not the whole picture. A missing header is a hardening opportunity, not proof of a vulnerability. Always verify findings with a dedicated security scanner too.