HTTP security headers.
Run a free security headers check on any URL and grade the HTTP security headers that actually matter for browser security: Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, plus cookie flags and the HTTP-to-HTTPS redirect chain — with a letter grade and per-header detail.
No signup · runs in your browser · also try our website security scan, domain security check and DNS lookup.
How to check your site's security headers in 3 steps
1. Enter your URL in the box above (e.g. https://example.com) and click Grade headers.
2. Read the grade and per-header detail. Each HTTP security header — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — is marked good, weak or missing.
3. Fix the gaps. Most are nginx/Apache one-liners. Start with HSTS and nosniff (low risk), and test CSP carefully before enforcing it.
Key HTTP security headers
The headers this checker grades, what each one protects against, and a sensible recommended value to start from. Tune the values to your own stack before deploying.
| Header | What it protects against | Recommended value |
|---|---|---|
| Strict-Transport-Security (HSTS) | Protocol downgrade & SSL-stripping man-in-the-middle attacks | max-age=31536000; includeSubDomains; preload |
| Content-Security-Policy (CSP) | Cross-site scripting (XSS) and untrusted resource injection | default-src 'self'; object-src 'none'; frame-ancestors 'none' |
| X-Frame-Options | Clickjacking via your site being framed by attackers | SAMEORIGIN (or CSP frame-ancestors 'none') |
| X-Content-Type-Options | MIME-sniffing — files executing as the wrong content type | nosniff |
| Referrer-Policy | URL / query-string leakage to third-party sites | strict-origin-when-cross-origin |
| Permissions-Policy | Unwanted use of camera, mic, geolocation, USB, payment by iframes | camera=(), microphone=(), geolocation=() |
What we grade
Content-Security-Policy (CSP) — tells browsers what scripts, styles, fonts, images, frames and fetches your page is allowed to load. The single most effective mitigation against XSS. Hard to retrofit, easy to add to a new site.
Strict-Transport-Security (HSTS) — tells browsers to refuse plain HTTP for this domain for the next N seconds. Defends against active downgrade attacks. Should be at least 6 months; 1 year is standard; with includeSubDomains; preload you can submit to the HSTS preload list.
X-Frame-Options / frame-ancestors — prevents your site from being framed by attackers (clickjacking). Modern sites should use CSP frame-ancestors; legacy X-Frame-Options: DENY still works.
X-Content-Type-Options — must be nosniff. Stops browsers from MIME-sniffing responses, which can let attacker-controlled files execute as scripts.
Referrer-Policy — controls how much of the URL is leaked when users click links to other sites. strict-origin-when-cross-origin is the modern default.
Permissions-Policy — opts your site out of features you don't use (camera, microphone, geolocation, USB, payment) so that third-party iframes can't quietly use them.
Cookie flags — every cookie set should have Secure, HttpOnly (where appropriate), and SameSite=Lax or Strict.
HTTPS redirect chain — plain-HTTP requests should 301-redirect to HTTPS. We follow up to 5 redirects and confirm you end up on HTTPS.
Common security-header gaps we fix
A security headers check almost always surfaces the same handful of gaps. The ones we see most:
No HSTS / weak max-age
Without Strict-Transport-Security — or with a max-age under 6 months — the first request to a subdomain can be intercepted on plain HTTP and downgraded. Aim for max-age=31536000; includeSubDomains.
Missing or unsafe CSP
No Content-Security-Policy — or one with unsafe-inline / * — leaves your users exposed to XSS. A strict CSP is the single biggest mitigation, but needs careful enumeration of every origin.
Clickjacking risk
No X-Frame-Options and no CSP frame-ancestors means anyone can embed your page in a hidden iframe and trick users into clicking. Set SAMEORIGIN or frame-ancestors 'none'.
MIME-sniffing exposure
Missing X-Content-Type-Options: nosniff lets browsers guess a file's type from its contents — an attacker-controlled upload can run as JavaScript. One line, zero downside.
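The per-header rules described under "What we grade" and the gaps listed above, written out as a small offline grader. This is an added example, not the checker's own code: the header names and thresholds (6-month HSTS minimum, unsafe-inline / bare * in CSP, DENY/SAMEORIGIN or frame-ancestors, exact nosniff, Secure + HttpOnly + SameSite on cookies) come from the page, while the letter-grade scoring and the two sample responses are this example's own constructed assumptions.

```python
import re
from typing import Dict, List

SIX_MONTHS = 182 * 24 * 3600  # the page's "at least 6 months" HSTS threshold, in seconds


def grade_headers(headers: Dict[str, str], cookies: List[str]) -> Dict[str, str]:
    """Mark each check good / weak / missing. headers: response header name -> value
    (any case); cookies: the raw Set-Cookie values from the same response."""
    h = {k.lower(): v for k, v in headers.items()}
    result: Dict[str, str] = {}
    # HSTS: missing, weak if max-age is under 6 months, otherwise good
    hsts = h.get("strict-transport-security")
    if hsts is None:
        result["hsts"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        result["hsts"] = "good" if m and int(m.group(1)) >= SIX_MONTHS else "weak"
    # CSP: weak if any directive's source list contains 'unsafe-inline' or a bare *
    # (a host pattern such as https://*.example.com is not flagged, only a lone *)
    csp = h.get("content-security-policy")
    if csp is None:
        result["csp"] = "missing"
    else:
        sources = [tok for directive in csp.split(";") for tok in directive.split()[1:]]
        result["csp"] = "weak" if any(t in ("'unsafe-inline'", "*") for t in sources) else "good"
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive
    xfo = h.get("x-frame-options", "").strip().upper()
    framed_ok = xfo in ("DENY", "SAMEORIGIN") or (csp is not None and "frame-ancestors" in csp)
    result["framing"] = "good" if framed_ok else "missing"
    # nosniff must be exactly that value; Referrer-Policy and Permissions-Policy just need to exist
    result["nosniff"] = "good" if h.get("x-content-type-options", "").strip().lower() == "nosniff" else "missing"
    result["referrer"] = "good" if "referrer-policy" in h else "missing"
    result["permissions"] = "good" if "permissions-policy" in h else "missing"
    # Cookies: every one needs Secure, HttpOnly and SameSite=Lax|Strict (the page's
    # "HttpOnly where appropriate" is simplified here to "always required")
    def cookie_ok(c: str) -> bool:
        attrs = [a.strip().lower() for a in c.split(";")[1:]]
        return ("secure" in attrs and "httponly" in attrs
                and any(a in ("samesite=lax", "samesite=strict") for a in attrs))
    if cookies:
        result["cookies"] = "good" if all(cookie_ok(c) for c in cookies) else "weak"
    return result


def letter_grade(result: Dict[str, str]) -> str:
    # Scoring is this example's assumption: 2 points per missing check, 1 per weak one
    penalty = sum(2 if v == "missing" else 1 if v == "weak" else 0 for v in result.values())
    return "A" if penalty == 0 else "B" if penalty <= 2 else "C" if penalty <= 4 else "D" if penalty <= 6 else "F"


# Constructed sample responses: one hardened with the table's recommended values, one typical of the gaps above
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
HARDENED_COOKIES = ["sid=abc123; Secure; HttpOnly; SameSite=Lax"]
WEAK = {"Strict-Transport-Security": "max-age=86400", "Content-Security-Policy": "default-src * 'unsafe-inline'",
        "X-Frame-Options": "ALLOWALL"}
WEAK_COOKIES = ["sid=abc123; Path=/"]
```

Feed it the headers you see in a browser's network panel (or from `curl -sI`) to reproduce the per-header verdicts before changing any server config.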
Want your whole site hardened, not just the headers?
Edos Solutions hardens Australian websites end to end — security headers, a strict CSP that doesn't break your analytics or fonts, TLS configuration, dependency and CMS patching, and ongoing monitoring.
Found gaps?
Most security headers are nginx/Apache one-liners. CSP is the one that genuinely takes effort because you have to enumerate every third-party origin your site loads. The rest are usually 30 minutes of config work plus a deploy.
If you'd like the work done by people who run security headers as part of their day job — including writing a strict CSP that doesn't break your analytics, your A/B tests, or your fonts — talk to us.
Privacy
Unlike our DNS-based tools, this tool runs the fetch through a small Edos-hosted PHP backend (browsers can't cross-origin-fetch and read response headers from sites that don't opt in). The backend doesn't log the URLs you check. Your IP is in standard nginx access logs retained for 14 days for security purposes only — same as any other page on this site.
Frequently asked questions
- What are HTTP security headers?
- HTTP security headers are response headers that browsers read to understand how to handle your page's content. They don't change how your site looks or functions for legitimate users — they restrict what browsers are allowed to do, making it harder for attackers to exploit your users through injected scripts, clickjacking, MIME confusion, or protocol downgrade attacks.
- What is Content-Security-Policy (CSP)?
- CSP is a whitelist telling the browser which origins are allowed to load scripts, styles, images, fonts, and frames. It's the most effective mitigation against cross-site scripting (XSS), but it requires you to enumerate every external origin your page loads — analytics, font CDN, chat widgets, and so on. Getting it wrong silently breaks things; getting it right requires careful enumeration and testing.
- What is HSTS?
- HSTS (HTTP Strict Transport Security) tells browsers to refuse all plain-HTTP connections to your domain for a set period — typically 1 year. Once a browser has seen your HSTS header, it will automatically upgrade HTTP to HTTPS without a round-trip. With includeSubDomains and preload, you can have your domain added to the browser's built-in HSTS list, protecting even first-time visitors.
- What does X-Content-Type-Options: nosniff do?
- X-Content-Type-Options: nosniff tells the browser to trust the declared Content-Type and stop 'MIME sniffing' — guessing a file's type from its contents. Without it, a browser might execute a file you served as plain text or an image as if it were JavaScript, enabling certain XSS and drive-by attacks. It's a single header with effectively zero downside, so this checker flags any site missing it. Adding it is one line: X-Content-Type-Options: nosniff.
- What should I fix first?
- Start with HSTS (high impact, low risk — just add the header and confirm your site fully loads over HTTPS), then X-Content-Type-Options: nosniff (one line, zero risk), then X-Frame-Options: SAMEORIGIN (prevents clickjacking). Save CSP for last — it's the only one that can actively break your site if misconfigured, and it requires the most testing.
- Will adding security headers break my site?
- HSTS, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are extremely low risk and won't break normal site functionality. X-Frame-Options can break legitimate embeds (like payment widgets in iframes) if set to DENY. CSP is the one that requires careful testing — any external origin not in your policy will be silently blocked, which can break analytics, fonts, chat widgets, and embedded media.
- How do I check the security headers on my website?
- Type your site's URL into the box above (with or without https://) and click "Grade headers". This free security headers check fetches your site through an Edos-hosted backend — because browsers can't cross-origin-read response headers — follows the HTTP-to-HTTPS redirect chain, and grades each HTTP security header (Content-Security-Policy, Strict-Transport-Security / HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) plus cookie flags. You get a letter grade and per-header detail with no signup.