HTTP Security Headers Checker
HTTP security headers are directives sent by the server that instruct browsers how to handle content. Missing headers are one of the most common — and easiest to fix — web security vulnerabilities. Tools like securityheaders.com and ShipSafer check for their presence and correct configuration.
What it checks
- ✓ Content-Security-Policy (CSP)
- ✓ X-Frame-Options (clickjacking protection)
- ✓ X-Content-Type-Options: nosniff
- ✓ Referrer-Policy
- ✓ Permissions-Policy
- ✓ Strict-Transport-Security (HSTS)
- ✓ Cross-Origin Resource Policy (CORP)
Why it matters
Missing security headers leave a site exposed to a wide range of attacks: clickjacking, XSS, MIME-type sniffing, and information leakage. The headers take minutes to add and can prevent entire vulnerability classes.
Common issues found
- No Content-Security-Policy header
- Missing X-Frame-Options (clickjacking risk)
- No X-Content-Type-Options: nosniff
- Overly permissive CORS headers
- Missing Referrer-Policy
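As an added example (not code from securityheaders.com or ShipSafer), the sketch below audits one response's headers for presence and a few configuration mistakes among the headers listed above. The function name, the `MIN_HSTS_AGE` threshold and both sample responses are assumptions constructed for illustration.

```python
import re

MIN_HSTS_AGE = 15552000  # assumed threshold (180 days); not a value from the page

def audit_headers(raw_headers):
    """Return (header, problem) findings for one response's headers."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.strip().lower(): v.strip() for k, v in raw_headers.items()}
    findings = []

    # Parse CSP into directives; when a directive repeats, the first one wins.
    csp, directives = h.get("content-security-policy", ""), {}
    for part in csp.lower().split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0], tokens[1:])
    script_sources = directives.get("script-src", directives.get("default-src", []))
    if not directives:
        findings.append(("Content-Security-Policy", "missing"))
    elif "'unsafe-inline'" in script_sources:
        findings.append(("Content-Security-Policy", "scripts allow 'unsafe-inline'"))

    # Clickjacking: accept X-Frame-Options or its CSP successor, frame-ancestors.
    if (h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN")
            and "frame-ancestors" not in directives):
        findings.append(("X-Frame-Options", "no valid value and no frame-ancestors"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    # HSTS that is present but has a short or zero max-age gives little protection.
    hsts = h.get("strict-transport-security")
    age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    elif not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append(("Strict-Transport-Security", "max-age absent or too short"))

    for name in ("Referrer-Policy", "Permissions-Policy", "Cross-Origin-Resource-Policy"):
        if not h.get(name.lower()):
            findings.append((name, "missing"))
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {"content-security-policy": "default-src 'self' 'unsafe-inline'",
        "X-Content-Type-Options": "sniff", "Strict-Transport-Security": "max-age=0"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Permissions-Policy": "geolocation=()",
            "Cross-Origin-Resource-Policy": "same-origin"}
```

`audit_headers(WEAK)` reports every header in the checklist, including the three that are present but misconfigured, while `audit_headers(HARDENED)` returns an empty list even without X-Frame-Options because `frame-ancestors` covers framing.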
Other free security checkers
- SSL/TLS: Check SSL certificate validity, expiry date, cipher suites, and TLS version configuration.
- CORS: Detect CORS misconfigurations that allow unauthorized cross-origin requests to your API.
- Cookie Security: Check session cookies for HttpOnly, Secure, SameSite flags and other security attributes.
- DNS Security: Check DMARC, SPF, DKIM, DNSSEC and other DNS security records for email spoofing and phishing protection.