Security Headers Analyzer

Enter any domain to check which HTTP security headers its server is sending. The request is made from your browser through a public CORS proxy, so the proxy sees the domain you enter, but this site stores nothing and no sign-up is required.


What this tool does

This tool fetches the HTTP response headers of any publicly accessible website and checks for the presence of seven key security headers. Each header is shown with its current value (or “Not set” if absent), a Present / Missing badge, and a one-line description of what it does. A summary score at the top gives you an at-a-glance view of the site’s header coverage.

How to use it

  • Enter a domain name (e.g. example.com) — no need to include https://.
  • Click Analyze and wait for the results to load.
  • Green Present badges mean the header is configured. Red Missing badges mean it is absent.
  • The score bar at the top shows how many of the 7 headers are present — green for 6–7, orange for 3–5, red for fewer than 3.

Headers checked

  • Strict-Transport-Security — Tells browsers to use HTTPS for the domain for the max-age period. Without it, a user who types the bare domain or follows an http:// link can be kept on plain HTTP by an on-path attacker (SSL stripping). Browsers only honour the header on an HTTPS response.
  • Content-Security-Policy — The most powerful header: restricts which resources the browser may load and execute. A strict policy mitigates XSS and data-injection attacks; a policy that allows 'unsafe-inline' for scripts gives little protection.
  • X-Frame-Options — Blocks the page from being loaded inside an <iframe>, preventing clickjacking. Only DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete. The CSP frame-ancestors directive supersedes it in modern browsers, but it is still worth setting for older clients.
  • X-Content-Type-Options — With the value nosniff, tells browsers not to guess a content type that differs from the declared Content-Type, which stops, for example, an uploaded file being executed as script or stylesheet.
  • Referrer-Policy — Controls how much of the page URL is sent in the Referer header on navigations and subresource requests.
  • Permissions-Policy — Restricts which browser features (camera, microphone, geolocation, etc.) the page and its embedded iframes can use.
  • X-XSS-Protection — A legacy header for the XSS filters of Internet Explorer and older Chrome and Safari. Modern browsers ignore it, and the filters themselves were found to introduce vulnerabilities, so if it is present at all the recommended value is 0. It is still checked because its presence (or misconfiguration) is a useful signal.
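The check described above (presence, value, and a 7-point score) is easy to reproduce offline. The following is an added example written for this page, not the analyzer's own source: it parses a raw HTTP response head of the kind `curl -I` prints, checks the seven headers listed above, and adds a few value-level warnings (HSTS max-age, `'unsafe-inline'` in CSP, non-zero X-XSS-Protection). The thresholds, warning texts and the sample response are the author's assumptions.

```javascript
// Added example (not the analyzer's own code): score a raw HTTP response
// head against the seven headers this page checks.

const CHECKED_HEADERS = [
  "strict-transport-security",
  "content-security-policy",
  "x-frame-options",
  "x-content-type-options",
  "referrer-policy",
  "permissions-policy",
  "x-xss-protection",
];

// Value checks beyond mere presence. Each returns a warning string or null.
// Thresholds are this example's choices, not the tool's.
const VALUE_CHECKS = {
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return "max-age directive missing; browsers ignore the header";
    // hstspreload.org requires at least one year (31536000 seconds)
    return Number(m[1]) < 31536000 ? "max-age below one year" : null;
  },
  "content-security-policy": (v) =>
    /'unsafe-inline'/i.test(v) ? "'unsafe-inline' weakens XSS protection" : null,
  "x-frame-options": (v) =>
    /^(DENY|SAMEORIGIN)$/i.test(v)
      ? null
      : "only DENY or SAMEORIGIN are honoured; ALLOW-FROM is obsolete",
  "x-content-type-options": (v) =>
    v.toLowerCase() === "nosniff" ? null : "value must be exactly nosniff",
  "referrer-policy": (v) =>
    /unsafe-url/i.test(v) ? "unsafe-url leaks full URLs cross-origin" : null,
  "permissions-policy": () => null,
  "x-xss-protection": (v) =>
    v.trim() === "0" ? null : "legacy filter; set to 0 or remove the header",
};

// Parse "Name: value" lines into a Map keyed by lower-cased name.
// Stops at the first blank line so a trailing body is never treated as headers.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    if (line === "") break;                    // end of the header block
    if (/^HTTP\//i.test(line)) continue;       // status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                    // not a field line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated fields are combined with ", " as RFC 9110 section 5.3 allows
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Same colour bands the page describes: green 6-7, orange 3-5, red below 3.
function rate(present) {
  if (present >= 6) return { rating: "Good", color: "green" };
  if (present >= 3) return { rating: "Fair", color: "orange" };
  return { rating: "Poor", color: "red" };
}

function analyze(raw) {
  const headers = parseHeaders(raw);
  const results = CHECKED_HEADERS.map((name) => {
    const value = headers.get(name) ?? null;
    return {
      name,
      present: value !== null,
      value,
      warning: value !== null ? VALUE_CHECKS[name](value) : null,
    };
  });
  const present = results.filter((r) => r.present).length;
  return { present, total: CHECKED_HEADERS.length, results, ...rate(present) };
}

// Constructed sample response for illustration; not captured from a real site.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Strict-Transport-Security: max-age=63072000; includeSubDomains",
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Frame-Options: SAMEORIGIN",
  "X-Content-Type-Options: nosniff",
  "X-XSS-Protection: 1; mode=block",
  "",
].join("\r\n");

const report = analyze(SAMPLE_RESPONSE);
console.log(`${report.present} / ${report.total} headers present (${report.rating})`);
for (const r of report.results) {
  const status = r.present ? "Present" : "Missing";
  const note = r.warning ? `  [warn: ${r.warning}]` : "";
  console.log(`${status.padEnd(8)} ${r.name}: ${r.value ?? "Not set"}${note}`);
}
```

Run with `node` after pasting the output of `curl -sI https://yourdomain.com` into `SAMPLE_RESPONSE`. The sample scores 5 / 7 (Fair): Referrer-Policy and Permissions-Policy are missing, and two present headers still draw warnings, which is the point of checking values rather than only presence.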

Frequently Asked Questions

Why does the tool show fewer headers than I expect?

Some headers are only sent on specific paths or content types. HSTS, for example, is only honoured by browsers on an HTTPS response, and some sites set it only on the root document rather than on every response. The tool fetches the root URL (https://yourdomain.com/), so headers scoped to subpaths won't appear here. Additionally, some proxies and CDNs strip or rewrite certain headers before they reach the client.

The tool says the fetch failed — why?

A small number of sites block requests from CORS proxies or have aggressive rate-limiting that rejects automated requests. Sites that require authentication before serving any content also won't return meaningful headers. If you need to inspect those headers, use curl -I https://yourdomain.com from a terminal instead. Note that curl -I sends a HEAD request, and a few servers answer HEAD with different headers than GET; if the output looks incomplete, use curl -s -D - -o /dev/null https://yourdomain.com to dump the headers of a real GET.

Is a score of 7/7 required?

Not necessarily. The right headers depend on the site. A static documentation site may not need a strict Content-Security-Policy the way a banking app does. X-XSS-Protection is largely irrelevant for modern browsers. The score is a starting point for a conversation, not a pass/fail grade. Focus first on HSTS, CSP, and X-Frame-Options — those three cover the highest-impact attack vectors.

Want the full explanation? Read the guide: HTTP Security Headers Every Sysadmin Should Know →

Related Guides