Free Security Headers Checker

Analyze your website's HTTP security headers

Enter any URL to scan its HTTP response headers for security best practices. This tool checks for critical headers like Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, and more — then provides specific recommendations to improve your security posture.

Trusted by teams at

Ramp
Pilot
Vercel
Stripe
Better Auth
SST
OpenCode

How it works

How Security Headers Checker works

01

Enter any URL

Type or paste any website URL. We automatically add HTTPS if needed and follow redirects to reach the final destination.

02

Scan HTTP response headers

We send a request to the URL and extract all security-relevant HTTP headers including CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CORS headers.

03

Get actionable recommendations

Each header is graded on its configuration quality, missing headers are flagged, and you get specific code snippets you can add to your server configuration.

Features

What Security Headers Checker checks

Check Content-Security-Policy configuration

Verifies whether your CSP header is present and analyzes its directives. A well-configured CSP is the most effective defense against cross-site scripting (XSS) attacks.

Verify Strict-Transport-Security (HSTS)

Checks for HSTS and its max-age, includeSubDomains, and preload directives. Without HSTS, attackers on the same network can intercept the initial HTTP request before HTTPS kicks in.

Detect clickjacking and MIME sniffing risks

Scans for X-Frame-Options and X-Content-Type-Options headers that prevent your pages from being embedded in malicious iframes and stop browsers from MIME-sniffing responses.

Identify server information leakage

Flags Server and X-Powered-By headers that reveal your technology stack to attackers. Knowing your exact server version makes it easier to find and exploit known CVEs.

Analyze cross-origin policies

Checks COOP, CORP, and COEP headers that control how your site interacts with cross-origin resources — critical for preventing Spectre-class side-channel attacks.
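The scan steps and header checks described above, as an added illustrative example rather than the checker's own code: it grades an already-parsed response-header map, and the sample header sets are constructed inline, so nothing is fetched from a live site.

```python
"""Security-header grader, added as an illustration (not the checker's own
code): presence of protective headers, HSTS/CSP/X-Frame-Options value quality,
and Server/X-Powered-By leakage, over header maps constructed inline."""
from typing import Dict, List

MIN_HSTS_AGE = 31536000  # one year, a common baseline for HSTS max-age


def grade_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings as 'missing:/weak:/leak:' strings; empty means clean."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing: Content-Security-Policy")
    elif "'unsafe-inline'" in csp and "'nonce-" not in csp:
        findings.append("weak: CSP allows 'unsafe-inline' without nonces")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing: Strict-Transport-Security")
    else:
        parts = [p.strip().lower() for p in hsts.split(";")]
        age = 0
        for p in parts:  # directives: max-age=N; includeSubDomains; preload
            if p.startswith("max-age=") and p[8:].isdigit():
                age = int(p[8:])
        if age < MIN_HSTS_AGE:
            findings.append(f"weak: HSTS max-age {age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in parts:
            findings.append("weak: HSTS lacks includeSubDomains")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing: X-Frame-Options DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing: X-Content-Type-Options nosniff (MIME sniffing)")

    for leak in ("server", "x-powered-by"):  # technology-stack disclosure
        if h.get(leak):
            findings.append(f"leak: {leak} reveals '{h[leak]}'")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Server": "example-httpd/1.0", "X-Powered-By": "example-fw",
                "Strict-Transport-Security": "max-age=300"}
STRONG_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
                  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                  "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}
```

Calling `grade_headers(WEAK_HEADERS)` yields seven findings (two missing headers, two weak HSTS directives, two leaks, one missing clickjacking/MIME protection each), while `grade_headers(STRONG_HEADERS)` returns an empty list.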

Use cases

Who should use the free Security Headers Checker

Web Developers

Verify your site's security headers are correctly configured before deploying to production. Catch missing CSP, HSTS, and other headers that browsers need to protect your users.

DevOps & SREs

Audit header configurations across multiple environments and services. Ensure consistent security policies after infrastructure changes, migrations, or CDN updates.

Security Teams

Run quick assessments of web properties during security reviews. Identify information leakage from Server headers and missing protections that need remediation.

Compliance Officers

Document your web application's security posture for SOC 2, ISO 27001, and PCI DSS audits. Use generated reports as evidence of security header implementation.

FAQ

Frequently asked questions

Everything you need to know about the free Security Headers Checker.

Go beyond Security Headers Checker

This free Security Headers Checker checks a handful of things. Maced's AI pentest checks thousands.

Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.

Proof of exploit on every finding · SOC 2 & ISO 27001 compatible