Security Headers Checker

Instantly audit any website – no account required.

UpMonitor's Security Headers Analyzer audits your website's security header configuration including HSTS, Content Security Policy (CSP), X-Frame-Options, and X-Content-Type-Options. It detects missing or misconfigured headers that could leave your site vulnerable. Results are delivered in under 3 seconds. Free to use — no signup or login required.

Instantly audit your website's HTTP security headers — protect your visitors from common web attacks.

What are HTTP Security Headers?

HTTP security headers are a set of HTTP response headers that instruct browsers on how to handle your site's content. They are your first line of defence against a wide range of client-side attacks including Cross-Site Scripting (XSS), Clickjacking, MIME sniffing, and data injection.

Security headers cost nothing to implement, take minutes to configure, and can prevent some of the most common web vulnerabilities. Yet the majority of websites are missing one or more critical headers.

Headers We Check

🛡️ Strict-Transport-Security (HSTS)

What it does: Tells the browser that, for the next max-age seconds, every request to your domain (and, with includeSubDomains, to its subdomains) must be upgraded to HTTPS before it leaves the browser, even if the user types http:// or follows an http:// link, and that certificate errors cannot be clicked through. This defeats SSL-stripping downgrade attacks and stops cookies leaking in plaintext on hostile networks such as public Wi-Fi. The browser only learns the policy from a response it received over HTTPS, so the very first visit is unprotected unless the domain is on the preload list (see the FAQ below).

Recommended value:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Only add preload once every subdomain serves HTTPS and you intend to submit the domain at hstspreload.org. With includeSubDomains, any HTTP-only subdomain becomes unreachable for max-age seconds, and removal from the preload list is slow because it ships with browser releases.

Missing impact: The first request, and every http:// link the user follows, goes out in plaintext, so an attacker on the network path can read it or keep the user on HTTP indefinitely.

🛡️ Content-Security-Policy (CSP)

What it does: Declares which origins the browser may load scripts, styles, images, fonts, frames and other resources from, and whether inline script may run at all. With a policy like the one below, a script tag injected through an XSS bug is refused unless it carries the per-response nonce, and injected inline event handlers and javascript: URLs are blocked as well. CSP limits what an XSS bug can do; it does not fix the bug, so keep escaping output.

Example value:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self'; img-src 'self' data:

{random} is a placeholder: generate a fresh, unguessable value (at least 128 bits, base64-encoded) for every response and put the same value in the nonce attribute of each legitimate <script> tag. A fixed or reused nonce gives no protection. Add object-src 'none' and base-uri 'self' to close the plugin and <base> tag bypasses, and roll a new policy out as Content-Security-Policy-Report-Only first so you see what it would block before it blocks anything.

Missing impact: Any XSS bug runs attacker-controlled script with full access to the page, its DOM, and the same-origin cookies and storage of the user's session.
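What 'nonce-{random}' means in practice, as an added example written for this page (not UpMonitor's code and not from any framework): a minimal WSGI application that generates a fresh nonce for every response and uses the same value in the Content-Security-Policy header and in the one legitimate inline script tag. The function names are my own; the query string stands in for untrusted input.

```python
import base64
import html
import secrets

NONCE_BYTES = 16  # 128 bits of randomness per response

def generate_nonce() -> str:
    """Fresh, unguessable nonce; CSP requires it to be base64-encoded."""
    return base64.b64encode(secrets.token_bytes(NONCE_BYTES)).decode("ascii")

def build_csp(nonce: str) -> str:
    """The page's example policy, plus object-src and base-uri to close two well-known bypasses."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "style-src 'self'; "
        "img-src 'self' data:; "
        "object-src 'none'; "
        "base-uri 'self'"
    )

def render_page(nonce: str, untrusted: str) -> str:
    """Escape untrusted text as usual; the nonce only limits what an escaping mistake can do."""
    return (
        "<!doctype html><html><body>"
        f"<p>Hello, {html.escape(untrusted)}</p>"
        # Legitimate inline script: carries the nonce, so the browser runs it.
        f'<script nonce="{nonce}">console.log("allowed");</script>'
        # An injected <script> cannot know the nonce and is refused by the browser.
        "</body></html>"
    )

def app(environ, start_response):
    """Minimal WSGI app: one nonce per response, used in both the header and the tag."""
    nonce = generate_nonce()
    body = render_page(nonce, environ.get("QUERY_STRING", "")).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", build_csp(nonce)),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body]

def respond(query: str):
    """Drive the app the way a WSGI server would; returns (status, headers, body, nonce)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"QUERY_STRING": query}, start_response)).decode("utf-8")
    csp = captured["headers"]["Content-Security-Policy"]
    nonce = csp.split("'nonce-", 1)[1].split("'", 1)[0]
    return captured["status"], captured["headers"], body, nonce

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, app) as server:
        print("http://127.0.0.1:8000/?yourname  (the nonce changes on every reload)")
        server.serve_forever()
```

Run it and reload the page: the nonce in the header and in the script tag change together on every response, which is the property a static placeholder would lack. If you want to see the policy at work, paste an unescaped script tag into render_page and watch the browser console refuse it.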

🛡️ X-Frame-Options

What it does: Controls whether your pages may be placed in a <frame> or <iframe>. Prevents Clickjacking, where an attacker loads your site in an invisible iframe over a decoy page and tricks the user into clicking buttons they cannot see.

Recommended value:

X-Frame-Options: DENY

Use SAMEORIGIN instead if your own pages frame each other. ALLOW-FROM is not supported by current browsers. The CSP equivalent, Content-Security-Policy: frame-ancestors 'none' (or a list of permitted origins), is more flexible and takes precedence over X-Frame-Options in browsers that understand it; send both so that older browsers are covered as well.

🛡️ X-Content-Type-Options

What it does: Tells the browser to trust the declared Content-Type instead of guessing ("sniffing") the real type from the bytes. Without it, a file uploaded as an image or as plain text but containing HTML or script can end up rendered or executed; with nosniff, the browser refuses to run a script or apply a stylesheet whose response does not carry a JavaScript or text/css MIME type, and will not treat a text/plain response as HTML.

Recommended value:

X-Content-Type-Options: nosniff

🛡️ Referrer-Policy

What it does: Controls how much of the current URL is sent in the Referer header of outgoing requests. Stops the path and query string (search terms, password-reset tokens, anything else that ends up in a URL) from leaking to third-party sites you link to or load resources from.

Recommended value:

Referrer-Policy: strict-origin-when-cross-origin

This sends the full URL with same-origin requests, only the origin (scheme and host) to other sites, and nothing at all when going from HTTPS to HTTP. Current Chromium and Firefox use it as the default, but set it explicitly so older browsers behave the same; use no-referrer if you want to send nothing anywhere. Secrets do not belong in query strings in the first place: they also end up in server logs and browser history.

🛡️ Permissions-Policy (formerly Feature-Policy)

What it does: Restricts which browser features and APIs your pages, and any iframes they embed, can use. Stops an embedded third-party page from asking for the camera, microphone or location under your site's name.

Example value:

Permissions-Policy: camera=(), microphone=(), geolocation=()

An empty allowlist disables the feature for the whole page, including your own scripts; use (self) to keep a feature for your origin while denying it to embedded frames, e.g. geolocation=(self). The header uses Structured Field syntax; the older Feature-Policy header it replaces uses a different syntax (camera 'none') and the two are not interchangeable.

🛡️ Cross-Origin-Opener-Policy (COOP)

What it does: Puts your top-level page in its own browsing context group, so a cross-origin page that opened it (or that it opens) loses its window handle: window.opener becomes null and the other page can no longer navigate you, count your frames or time your loads, which closes a family of cross-window XS-Leak attacks. Together with Cross-Origin-Embedder-Policy: require-corp this gives "cross-origin isolation", which is what unlocks SharedArrayBuffer and high-resolution timers.

Recommended value:

Cross-Origin-Opener-Policy: same-origin

Caveat: same-origin also severs the opener relationship for popups your own page opens to other origins, which breaks OAuth and payment flows that report back through window.opener. Use same-origin-allow-popups on pages that open such popups.

Security Header Score

Our checker grades your site based on which headers are present and correctly configured:

Grade   Headers present
A       All critical headers present and well-configured
B       Most headers present, minor configuration issues
C       Some headers missing
D       Critical headers (CSP, HSTS) missing
F       No security headers found
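To make the grading concrete, here is an added example written for this page, not UpMonitor's actual checker: an offline audit of one response's headers against the rules described above, including the hstspreload.org conditions covered in the FAQ. The A to F mapping is one reading of the table; the sample header sets are constructed, not captured from any real site, and all names are my own.

```python
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the smallest max-age hstspreload.org accepts

def parse_hsts(value: str) -> dict:
    """'max-age=300; includeSubDomains' -> {'max-age': 300, 'includesubdomains': True}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            out[name] = int(m.group(1)) if m else 0
        elif name:
            out[name] = True
    return out

def hsts_preload_ready(value: str) -> bool:
    """Header-side conditions hstspreload.org checks (the site must also redirect HTTP to HTTPS)."""
    p = parse_hsts(value)
    return p.get("max-age", 0) >= ONE_YEAR and "includesubdomains" in p and "preload" in p

def csp_directives(value: str) -> dict:
    """Split a policy into {directive: [sources]}; browsers ignore a repeated directive, so keep the first."""
    d = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            d.setdefault(tokens[0].lower(), tokens[1:])
    return d

@dataclass
class Audit:
    grade: str
    findings: list

def audit_headers(headers: dict) -> Audit:
    """Grade one response's headers; names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing, weak = [], []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        missing.append("Strict-Transport-Security")
    else:
        p = parse_hsts(hsts)
        if p.get("max-age", 0) < ONE_YEAR:
            weak.append(f"HSTS max-age {p.get('max-age', 0)} is below one year")
        if "includesubdomains" not in p:
            weak.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    d = csp_directives(csp) if csp else {}
    if csp is None:
        missing.append("Content-Security-Policy")
    else:
        script = d.get("script-src", d.get("default-src", []))
        nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
        if "'unsafe-inline'" in script and not nonce_or_hash:
            weak.append("script-src allows 'unsafe-inline' with no nonce or hash")
        if "object-src" not in d and "default-src" not in d:
            weak.append("CSP has neither object-src nor a default-src fallback")

    # Clickjacking: either header counts; frame-ancestors wins where both are present.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in d and xfo not in ("DENY", "SAMEORIGIN"):
        missing.append("X-Frame-Options / frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        missing.append("X-Content-Type-Options")
    for name in ("referrer-policy", "permissions-policy", "cross-origin-opener-policy"):
        if name not in h:
            missing.append(name.title())

    if len(missing) == 7:  # none of the seven checks passed
        grade = "F"
    elif "Strict-Transport-Security" in missing or "Content-Security-Policy" in missing:
        grade = "D"
    elif missing:
        grade = "C"
    else:
        grade = "B" if weak else "A"
    return Audit(grade, [f"missing: {m}" for m in missing] + [f"weak: {w}" for w in weak])

# Constructed sample responses, not captured from any real site.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-R4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}
WEAK = {**GOOD, "Strict-Transport-Security": "max-age=300",  # every header present, two badly set
        "Content-Security-Policy": "script-src 'self' 'unsafe-inline'", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK), ("none", {})):
        print(label, audit_headers(hdrs))
```

To run it against a live site, feed audit_headers the header dictionary from any HTTP client (for the standard library, dict(urllib.request.urlopen(url).headers)); fetch over HTTPS, because HSTS is only meaningful on the HTTPS response.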

How to Add Security Headers

Nginx

Put these directives in the server block that listens on 443 (browsers ignore an HSTS header received over plain HTTP). Note that add_header is not inherited: a location block that contains its own add_header drops every add_header from the enclosing server block, so repeat the full set there. The always parameter makes nginx send the headers on error responses too.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache

Requires mod_headers (a2enmod headers on Debian and Ubuntu). Place the Strict-Transport-Security line in the VirtualHost for port 443; always makes the headers appear on error responses as well.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"

Firebase Hosting (`firebase.json`)

{
  "hosting": {
    "headers": [
      {
        "source": "**",
        "headers": [
          { "key": "X-Content-Type-Options", "value": "nosniff" },
          { "key": "X-Frame-Options", "value": "DENY" },
          { "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" }
        ]
      }
    ]
  }
}

Frequently Asked Questions

What is the most important security header?

While all are important, Content-Security-Policy (CSP) is widely considered the most critical as it can block entire classes of Cross-Site Scripting (XSS) and data injection attacks.

Does my site need security headers if I don't have sensitive data?

Yes. Security headers protect your visitors, not just your data. For example, they prevent your site from being used in Clickjacking attacks or from loading malicious scripts that could harm your users' devices.

What is HSTS preloading?

HSTS Preloading is a list, compiled at hstspreload.org and shipped inside Chrome, Firefox, Safari and Edge, of domains that must only ever be reached over HTTPS. Because the browser already knows the policy, even the very first connection is protected, which closes the gap that plain HSTS leaves. To be accepted, a domain must serve a valid certificate, redirect HTTP to HTTPS on the same host, and send an HSTS header with a max-age of at least one year (31536000), includeSubDomains and preload. Treat preloading as close to permanent: removal is slow and rides on browser releases, so make sure every subdomain is ready for HTTPS-only first.

Why is "X-Powered-By" considered a security risk?

The X-Powered-By header advertises your stack, often down to the version (for example X-Powered-By: PHP/7.4.3 or X-Powered-By: Express). That saves an attacker the fingerprinting step and tells them exactly which known vulnerabilities to try. Remove it (expose_php = Off in php.ini, app.disable('x-powered-by') in Express), along with an equally chatty Server header, but treat this as hygiene rather than a control: hiding a version is no substitute for patching it.

Monitor Security Header Changes

Security headers can break or disappear after a deployment. With UpMonitor, you get:

  • ✅ Continuous security header audits on every check cycle
  • ✅ Instant alerts when a critical header is removed or misconfigured
  • ✅ Historical trend data to track security posture over time

Start monitoring for free — no credit card required →