HTTP Security Headers Checker

Check if a website's HTTP response headers follow security best practices. Tests Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and more.

What are HTTP security headers?

HTTP security headers are response headers that web servers send to browsers to enable security features. They protect against common attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks.

Which security headers are most important?

Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) are the most critical. CSP prevents XSS attacks by controlling which scripts are allowed to execute. HSTS instructs browsers to connect over HTTPS only, preventing man-in-the-middle downgrade attacks.

Frequently Asked Questions

HTTP security headers are response headers that web servers send to browsers to enable security features. They protect against common attacks like XSS (Content-Security-Policy), clickjacking (X-Frame-Options), and protocol downgrade attacks (Strict-Transport-Security).

Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) are the most critical. CSP prevents XSS attacks by controlling which scripts are allowed to execute. HSTS instructs browsers to connect over HTTPS only, preventing man-in-the-middle downgrade attacks. X-Content-Type-Options and X-Frame-Options are also important.

Security headers are set by your web server or CDN. In Nginx, use the 'add_header' directive. In Apache, use 'Header set'. Most CDNs (Cloudflare, AWS CloudFront) let you set headers in their dashboard. Frameworks such as Express.js have middleware for this, for example helmet.js.