Security Headers Checker

Check any website for critical HTTP security headers including CSP, HSTS, X-Frame-Options, and more. Get a grade from A+ to F with fix recommendations.

Free · No Signup · No Server Uploads · Zero Tracking

How to Use Security Headers Checker

  1. Enter the URL

    Type or paste the URL you want to check. The tool will try to fetch it directly.

  2. Use curl fallback

    If CORS blocks the request, copy the generated curl command, run it in your terminal, and paste the output.

  3. Review results

    See your security grade, which headers are present or missing, and get code snippets to fix issues.

Frequently Asked Questions

HTTP security headers are response headers that tell the browser how to behave when handling your site's content. They help prevent attacks like XSS, clickjacking, and data injection.

Browsers enforce CORS (Cross-Origin Resource Sharing) restrictions that prevent JavaScript from reading response headers from other origins. The curl fallback works around this limitation.

CSP is the most important security header. It tells the browser which resources (scripts, styles, images, etc.) are allowed to load, preventing XSS attacks by blocking unauthorized code execution.

The grade reflects how many security headers are present and their severity. A+ means all critical headers are set. F means most are missing. Critical and high-severity headers weigh more.

No. The tool runs entirely in your browser. When using the direct check, the fetch request goes from your browser to the target URL. No data passes through our servers.
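
The curl fallback and the severity-weighted grade described above, as an added JavaScript example that is not this tool's own code: it parses pasted response headers (assumed to look like `curl -sI <url>` output) and grades them. The header list beyond CSP, HSTS and X-Frame-Options, the weights, and the grade cut-offs are assumptions.

```javascript
// Header weights and grade cut-offs below are assumptions, not the tool's own scheme.
const CHECKS = [
  { name: "content-security-policy",   severity: "critical", weight: 3 },
  { name: "strict-transport-security", severity: "critical", weight: 3 },
  { name: "x-frame-options",           severity: "high",     weight: 2 },
  { name: "x-content-type-options",    severity: "high",     weight: 2 },
  { name: "referrer-policy",           severity: "medium",   weight: 1 },
  { name: "permissions-policy",        severity: "medium",   weight: 1 },
];

// Parse pasted header output. When redirects are followed there is one block
// per hop; only the final response governs the page the browser renders.
function parseHeaders(raw) {
  const blocks = raw.replace(/\r\n/g, "\n").split(/\n(?=HTTP\/\d)/);
  const headers = new Map();
  for (const line of blocks[blocks.length - 1].split("\n").slice(1)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // blank or malformed line
    const name = line.slice(0, idx).trim().toLowerCase(); // names are case-insensitive
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return headers;
}

function grade(raw) {
  const headers = parseHeaders(raw);
  const missing = CHECKS.filter((c) => !headers.get(c.name)); // absent or empty
  const total = CHECKS.reduce((s, c) => s + c.weight, 0);
  const score = total - missing.reduce((s, c) => s + c.weight, 0);
  const pct = Math.round((score / total) * 100);
  const letter = pct === 100 ? "A+" : pct >= 85 ? "A" : pct >= 70 ? "B"
               : pct >= 55 ? "C" : pct >= 40 ? "D" : "F";
  return { letter, pct, missing: missing.map((c) => `${c.name} (${c.severity})`) };
}

// Constructed sample: a redirect hop followed by the final response.
const SAMPLE = ["HTTP/1.1 301 Moved Permanently", "Location: https://example.test/", "",
  "HTTP/2 200", "Strict-Transport-Security: max-age=31536000",
  "X-Content-Type-Options: nosniff", "x-frame-options: DENY", ""].join("\r\n");

console.log(grade(SAMPLE));
```

Headers that appear only on a redirect hop are ignored, so a policy set on the 301 but not on the final 200 is still reported as missing.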