HTTP Header Check Online

Which HTTP headers actually matter for security?

Every web server response contains headers — metadata the browser evaluates before rendering content. Some of them directly determine whether your site is protected against typical attack classes like clickjacking, cross-site scripting (XSS) or mixed-content injection. The six most important headers and their effect:

• Content-Security-Policy (CSP) — defines from which domains scripts, styles and images may be loaded. Protection against XSS and code injection.
• Strict-Transport-Security (HSTS) — forces browsers onto HTTPS for a defined period. Prevents SSL-stripping attacks.
• X-Frame-Options — prevents your page from being loaded inside an iframe on foreign domains. Protection against clickjacking.
• X-Content-Type-Options: nosniff — prevents MIME-sniffing by the browser. Stops a JS file disguised as an image from suddenly being executed.
• Referrer-Policy — controls what referrer information is sent when users click external links. Privacy-relevant.
• Permissions-Policy — disables browser APIs (camera, microphone, geolocation) for the page when they are not needed.

How to read our score

We award a score from A to F, based on the number and quality of security headers set. An A means: all six headers are cleanly configured. A D or F usually means: HSTS and/or CSP are missing — those are the two strongest-impact headers. Improving from D to B typically takes two lines in your server config; reaching an A often requires 30 minutes of CSP-directive fine-tuning.

Typical use cases

Webmasters check their own site before and after each deploy. Development teams use the tool during code review for pull requests that touch the server config. IT-responsible staff scan critical services regularly — many compliance frameworks (PCI-DSS, ISO 27001 BCM) expect documented security headers. For deeper background see our article Ports and Firewalls and the glossary entries on HSTS and TLS.