
Security Headers Analyzer

Check HTTP security headers for any domain.

HTTP security headers are response headers a web server sends with every response to tell the browser how to treat that page: what it may load, whether it may be framed, whether it must stay on HTTPS. They form a defense layer against common client-side attacks that can usually be added at the server or CDN without changing application code (a strict Content-Security-Policy is the exception, since nonces or hashes have to come from your templates).

Key headers and what they prevent:

  • Content-Security-Policy (CSP) — Mitigates cross-site scripting (XSS) by restricting which scripts, styles, and other resources the browser may load. A policy that allows 'unsafe-inline' or wildcard script sources gives little real protection; use nonces or hashes.
  • Strict-Transport-Security (HSTS) — Tells the browser to use HTTPS only for this host (and, with includeSubDomains, its subdomains) for max-age seconds, and to refuse connections on certificate errors. This blocks SSL-stripping and other protocol downgrade attacks after the first secure visit; preloading closes the first-visit gap.
  • X-Frame-Options — Prevents clickjacking by controlling whether your site can be embedded in iframes. DENY and SAMEORIGIN are the only values modern browsers honour; the CSP frame-ancestors directive supersedes it where supported.
  • X-Content-Type-Options — The value nosniff stops browsers from MIME-sniffing a response and executing it as a different type than the declared Content-Type.
  • X-XSS-Protection — Legacy reflected-XSS filter that modern browsers have removed. Its only safe value is 0; an enabled filter was itself abused for information leaks, so rely on CSP instead.
  • Referrer-Policy — Controls how much of the referring URL is sent with navigations and resource requests to other sites, protecting privacy and sensitive URLs (tokens in query strings, for example).
  • Permissions-Policy — Restricts which browser features (camera, microphone, geolocation, and others) the page and its embedded frames can use.

This tool sends a request to the target domain and evaluates each header in the response, scoring your configuration from A (best) to F (critical gaps). Headers can differ per path, per response type, and between origin and CDN, so check your login, API, and error pages as well as the homepage.
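As an added worked example of the kind of evaluation described above (this is illustration code, not the analyzer's own), here is a small Python grader that runs the checks from the list against a set of response headers. The rubric (one grade step lost per missing or weak header, A to F), the one-year HSTS threshold, and the sample headers are assumptions made for this example; the sample responses are constructed, not captured from any real site. The fetch_headers helper is included for live use but is not needed to run the offline sample.

```python
"""Offline worked example of a security-header grader (illustration, not the tool's code)."""
import http.client
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

HSTS_MIN_AGE = 31536000  # one year; assumed minimum, in line with common preload guidance
GRADES = ["A", "B", "C", "D", "F"]  # index = number of missing/weak headers (assumed rubric)
Finding = Optional[Tuple[str, str]]  # (severity, message); severity is missing, weak or info


def normalize(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Lower-case names and join repeated headers with ', ' as the browser sees them."""
    out: Dict[str, str] = {}
    for name, value in headers:
        key = name.strip().lower()
        out[key] = f"{out[key]}, {value.strip()}" if key in out else value.strip()
    return out


def csp_directives(csp: str) -> Dict[str, str]:
    """Split 'name value; name value' into {name: value}, lower-cased."""
    out: Dict[str, str] = {}
    for chunk in csp.split(";"):
        parts = chunk.strip().split(None, 1)
        if parts:
            out[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return out


def check_csp(h: Dict[str, str]) -> Finding:
    csp = h.get("content-security-policy")
    if csp is None:
        return ("missing", "Content-Security-Policy not set")
    d = csp_directives(csp)
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        return ("weak", "CSP has neither script-src nor default-src, so scripts are unrestricted")
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present (CSP level 2+).
    if "'unsafe-inline'" in script and not re.search(r"'(nonce-|sha(256|384|512)-)", script):
        return ("weak", "CSP allows 'unsafe-inline' scripts, which gives no XSS protection")
    return None


def check_hsts(h: Dict[str, str]) -> Finding:
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return ("missing", "Strict-Transport-Security not set")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not m:
        return ("weak", "HSTS has no max-age, so browsers ignore it")
    age = int(m.group(1))
    if age < HSTS_MIN_AGE:
        return ("weak", f"HSTS max-age={age} is below one year (max-age=0 deletes the policy)")
    if "includesubdomains" not in hsts.lower():
        return ("info", "HSTS lacks includeSubDomains; subdomains stay exposed to downgrade")
    return None


def check_framing(h: Dict[str, str]) -> Finding:
    if "frame-ancestors" in csp_directives(h.get("content-security-policy", "")):
        return None  # CSP frame-ancestors supersedes X-Frame-Options
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return None
    if xfo:
        return ("weak", f"X-Frame-Options {xfo!r} is not DENY/SAMEORIGIN (ALLOW-FROM is unsupported)")
    return ("missing", "No X-Frame-Options and no CSP frame-ancestors: page can be framed")


def check_nosniff(h: Dict[str, str]) -> Finding:
    v = h.get("x-content-type-options", "").strip().lower()
    if v == "nosniff":
        return None
    return ("weak" if v else "missing", "X-Content-Type-Options should be exactly 'nosniff'")


def check_xss_filter(h: Dict[str, str]) -> Finding:
    v = h.get("x-xss-protection")
    if v is None or v.strip().startswith("0"):
        return None  # absent or disabled is the safe state
    return ("info", "X-XSS-Protection enables a filter modern browsers removed; set 0 and rely on CSP")


def check_referrer(h: Dict[str, str]) -> Finding:
    v = h.get("referrer-policy", "").strip().lower()
    if not v:
        return ("missing", "Referrer-Policy not set")
    if "unsafe-url" in v:
        return ("weak", "Referrer-Policy unsafe-url sends full URLs, query strings included, everywhere")
    return None


def check_permissions(h: Dict[str, str]) -> Finding:
    return None if "permissions-policy" in h else ("missing", "Permissions-Policy not set")


CHECKS: List[Callable[[Dict[str, str]], Finding]] = [
    check_csp, check_hsts, check_framing, check_nosniff,
    check_xss_filter, check_referrer, check_permissions,
]


def analyze(headers: Iterable[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Return (grade, findings); only missing/weak findings cost a grade step."""
    h = normalize(headers)
    findings: List[str] = []
    penalties = 0
    for check in CHECKS:
        result = check(h)
        if result:
            sev, msg = result
            findings.append(f"[{sev}] {msg}")
            penalties += 1 if sev != "info" else 0
    return GRADES[min(penalties, len(GRADES) - 1)], findings


def fetch_headers(domain: str, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Live fetch for real use: GET / over HTTPS (GET, since some servers reject HEAD)."""
    conn = http.client.HTTPSConnection(domain, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "header-check-example/0.1"})
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]
WEAK_HEADERS = [
    ("Content-Security-Policy", "default-src * 'unsafe-inline'"),
    ("Strict-Transport-Security", "max-age=300"),
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ("X-XSS-Protection", "1; mode=block"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        grade, findings = analyze(hdrs)
        print(f"{label}: grade {grade}")
        for line in findings:
            print("  ", line)
```

Running the script grades the constructed good response A with no findings and the weak one F; replace the sample with `fetch_headers("example.com")` to grade a live site. Note that the grader only inspects one response: a site that sets these headers on the homepage but not on its API or error pages would still pass here.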

Try it on: cloudflare.com, github.com, google.com