Webtility

Security Headers Scanner

Free online HTTP security headers scanner for CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.

Score: 0/100 (Critical: 2, Warnings: 4, Passes: 0)

Content-Security-Policy (critical)
Missing CSP leaves pages exposed to script injection vectors.
Fix: Start with `default-src 'self'` and tighten directives by resource type.

Strict-Transport-Security (critical)
An HTTPS site without HSTS can be downgraded by first-visit attacks.
Fix: Add HSTS with at least `max-age=31536000; includeSubDomains`.

X-Frame-Options (warning)
Missing clickjacking protection can allow hostile iframe embedding.
Fix: Set `DENY` or `SAMEORIGIN` unless framing is intentionally required.

X-Content-Type-Options (warning)
`nosniff` is missing, increasing MIME confusion risk.
Fix: Set `X-Content-Type-Options: nosniff`.

Referrer-Policy (warning)
No policy means browser defaults may leak more referrer data than intended.
Fix: Use `strict-origin-when-cross-origin` or a stricter policy.

Permissions-Policy (warning)
Browser features are not explicitly restricted.
Fix: Set least-privilege feature directives (`camera=()`, `microphone=()`, etc.).

What problem does this tool solve?

Security headers are often missing or inconsistent across environments, leaving avoidable browser-level attack surface.

How to use Security Headers Scanner

  1. Fetch response headers from a URL or paste raw header output from curl/devtools.
  2. Review critical and warning findings for missing or weak directives.
  3. Use recommended header values to patch your reverse proxy, CDN, or app server config.
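As an added example (not Webtility's own code), here is a small Python checker that parses header output pasted from curl/devtools and applies the six checks listed above. The Referrer-Policy allow-list and the score weights (critical 30, warning 10) are assumptions, chosen so that a response with no security headers scores 0 as shown above.

```python
import re

# Constructed sample: what `curl -I` prints for a site with no security headers.
SAMPLE_RAW = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
"""

def parse_headers(raw: str) -> dict:
    """Turn raw header text (curl -I / devtools) into {lowercase-name: value}."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):  # skip status line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(h: dict) -> list:
    """Return (header, severity) pairs for the six checks the scanner reports."""
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    # HSTS counts as present only at the recommended minimum: one year + includeSubDomains
    hsts_ok = bool(age) and int(age.group(1)) >= 31536000 and "includesubdomains" in hsts
    # Assumed allow-list: strict-origin-when-cross-origin or stricter
    strong_rp = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
    checks = [
        ("Content-Security-Policy", "critical", "content-security-policy" in h),
        ("Strict-Transport-Security", "critical", hsts_ok),
        ("X-Frame-Options", "warning", h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")),
        ("X-Content-Type-Options", "warning", h.get("x-content-type-options", "").lower() == "nosniff"),
        ("Referrer-Policy", "warning", h.get("referrer-policy", "").lower() in strong_rp),
        ("Permissions-Policy", "warning", "permissions-policy" in h),
    ]
    return [(name, "pass" if ok else sev) for name, sev, ok in checks]

def summarize(findings: list) -> dict:
    """Count severities and derive a score. Weights are an assumption (not the
    tool's documented formula): criticals cost 30 points, warnings 10."""
    counts = {"critical": 0, "warning": 0, "pass": 0}
    for _, sev in findings:
        counts[sev] += 1
    penalty = 30 * counts["critical"] + 10 * counts["warning"]
    return {**counts, "score": max(0, 100 - penalty)}

if __name__ == "__main__":
    result = summarize(check_headers(parse_headers(SAMPLE_RAW)))
    print(result)  # {'critical': 2, 'warning': 4, 'pass': 0, 'score': 0}
```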

FAQ: Security Headers Scanner

Why are security headers important even on static sites?

Browser-enforced policies reduce clickjacking, MIME confusion, and some injection attack paths.

Can I scan headers without deploying a full scanner stack?

Yes. A quick header pass catches common misconfigurations before launch.

Does passing header checks mean my app is fully secure?

No. Header checks are one layer and should complement broader security reviews.