Free tool · no signup
Security Headers Checker
Instantly test any website's HTTP security headers — CSP, HSTS, X-Frame-Options and more — and get the exact fix for each one that's missing.
What are security headers?
Security headers are HTTP response headers your web server sends with every page. They tell the browser to behave more defensively — block the page from being embedded in a malicious iframe, force HTTPS on every request, restrict which scripts can run, and stop the browser from guessing file types. They're one of the cheapest, highest-impact security wins available: usually a few lines of server config, no code changes.
The six headers this tool checks
| Header | What it does | Risk if missing |
|---|---|---|
| Content-Security-Policy | Restricts which scripts, styles and resources can load. | Cross-site scripting (XSS) — injected scripts run freely. |
| Strict-Transport-Security | Forces HTTPS for every future request (HSTS). | A first request can be downgraded to HTTP and intercepted. |
| X-Frame-Options | Stops your pages being embedded in other sites' frames. | Clickjacking — your UI is overlaid on an attacker's page. |
| X-Content-Type-Options | Tells the browser not to guess (sniff) content types. | Files meant as data can be executed as scripts. |
| Referrer-Policy | Controls how much URL info leaks to other sites. | Full URLs (with tokens/IDs) leak to third parties. |
| Permissions-Policy | Restricts access to camera, mic, geolocation, etc. | Embedded content can request sensitive device APIs. |
How to fix missing headers
You set the header wherever you terminate HTTP — your server or host. A few common examples for Content-Security-Policy:
| Stack | Where |
|---|---|
| nginx | add_header Content-Security-Policy "default-src 'self'" always; |
| Caddy | header Content-Security-Policy "default-src 'self'" |
| Vercel | headers entry in vercel.json |
| Netlify | a line in the _headers file |
| Cloudflare | Transform Rule → Modify Response Header |
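The following is an added example, not Hardn's own checker or the snippets it generates. It grades a response for the six headers in the table above and, because presence alone is a weak signal, also flags common weak values (a CSP whose script sources allow 'unsafe-inline' or any origin, an HSTS max-age under one year, an obsolete X-Frame-Options value, a Referrer-Policy that sends full URLs cross-origin). The nginx fix lines it attaches to each finding follow the form of the CSP line in the fix table; the non-CSP values are this example's suggested defaults. The fetch function covers the "verify it worked" step after you apply a fix and keeps the headers of 4xx/5xx responses, which urllib otherwise raises away. The sample responses are constructed, not captured from any real site.

```python
"""Grade HTTP security headers: the six from the page plus weak-value checks.
Added example; not Hardn's code."""
import re
import urllib.error
import urllib.request

# The six headers the page lists, in the order it gives them.
REQUIRED = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# nginx fix lines in the form of the page's CSP example. Values other than
# the CSP one are this example's defaults; tighten them for a real site.
NGINX_FIX = {
    "content-security-policy": "add_header Content-Security-Policy \"default-src 'self'\" always;",
    "strict-transport-security": 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;',
    "x-frame-options": 'add_header X-Frame-Options "DENY" always;',
    "x-content-type-options": 'add_header X-Content-Type-Options "nosniff" always;',
    "referrer-policy": 'add_header Referrer-Policy "strict-origin-when-cross-origin" always;',
    "permissions-policy": 'add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;',
}


def _csp_weakness(value):
    """Return a problem string if the CSP still lets injected scripts run, else None."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return "no script-src or default-src: scripts may load from anywhere"
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in sources)
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return "script sources allow 'unsafe-inline': injected inline scripts run"
    if "*" in sources or "http:" in sources or "https:" in sources:
        return "script sources allow any origin"
    return None


def _weakness(name, value):
    """Per-header weak-value check. Returns a problem string or None."""
    low = value.strip().lower()
    if name == "content-security-policy":
        return _csp_weakness(value)
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", low)
        if not m:
            return "no max-age: browsers ignore the header"
        if int(m.group(1)) < 31536000:
            return "max-age below one year (31536000 seconds)"
        return None
    if name == "x-frame-options":
        return None if low in ("deny", "sameorigin") else "use DENY or SAMEORIGIN (ALLOW-FROM is obsolete)"
    if name == "x-content-type-options":
        return None if low == "nosniff" else "value must be 'nosniff'"
    if name == "referrer-policy":
        # Both send the full URL, query string included, to cross-origin sites over HTTPS.
        if low in ("unsafe-url", "no-referrer-when-downgrade"):
            return f"'{low}' leaks full URLs to third parties"
        return None
    return None  # permissions-policy: presence is all this example checks


def check_headers(headers):
    """Grade a header mapping (case-insensitive names).
    Returns (score 0-100, findings); each finding is (header, problem, nginx_fix).
    A present-but-weak header earns half credit."""
    present = {k.lower(): v for k, v in headers.items()}
    points = 0.0
    findings = []
    for name in REQUIRED:
        if name not in present:
            findings.append((name, "missing", NGINX_FIX[name]))
            continue
        problem = _weakness(name, present[name])
        if problem:
            points += 0.5
            findings.append((name, problem, NGINX_FIX[name]))
        else:
            points += 1
    return round(points / len(REQUIRED) * 100), findings


def fetch_and_check(url, timeout=10):
    """Fetch a URL and grade its headers: the 'verify it worked' step.
    Needs network access, so the offline sample below does not call it."""
    req = urllib.request.Request(url, headers={"User-Agent": "headers-check-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return check_headers(dict(resp.headers))
    except urllib.error.HTTPError as err:
        return check_headers(dict(err.headers))  # error pages carry headers too


# Constructed sample responses (not captured from any real site).
STRONG = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "content-security-policy": "default-src * 'unsafe-inline'",
    "strict-transport-security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("strong", STRONG), ("weak", WEAK)):
        score, findings = check_headers(hdrs)
        print(f"{label}: score {score}")
        for name, problem, fix in findings:
            print(f"  {name}: {problem}\n    fix: {fix}")
```

Run it as-is to see the constructed strong response score 100 and the weak one score 33 with six findings (four weak values, two missing headers); after applying a fix on a real host, `fetch_and_check("https://your-site.example/")` re-grades the live response so you can confirm the header actually reached the browser-facing edge.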
Hardn writes the exact snippet for your stack and gives you a command to verify it worked.
Headers are just one of six checks.
A full Hardn scan also covers TLS, email-spoofing protection (SPF/DKIM/DMARC), and publicly exposed files like .env — with a plain-English AI report and copy-paste fixes for your stack.
Frequently asked questions
What are security headers?
HTTP response headers your server sends to the browser that make it behave more safely — blocking framing, forcing HTTPS, restricting scripts. A cheap, high-impact defense against XSS and clickjacking.
Which security headers should every site have?
At minimum: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. CSP and HSTS matter most.
Is this checker free?
Yes — it reads any site's public response headers and grades them instantly, no signup. For TLS, email auth and exposed-file checks too, run a free Hardn scan.
How do I fix missing security headers?
Add the header at your web server or host (nginx add_header, Caddy header, vercel.json, Netlify _headers, or a Cloudflare Transform Rule). Hardn gives you the exact snippet for your stack.