SMTPDoctor


Security Headers Checker

Audit a website's HTTP response headers for the security protections that guard against XSS, clickjacking, and protocol downgrade attacks.

About the Security Headers

HTTP security headers instruct browsers to enforce protections against common web attacks — cross-site scripting, clickjacking, protocol downgrade, and more. Missing them leaves easy openings. This tool audits which security headers a site sends.

What this tool checks

It requests the site over HTTPS and inspects the response for the key security headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Why they matter

Each header closes off a class of attack. Content-Security-Policy limits XSS, X-Frame-Options stops clickjacking, and HSTS enforces HTTPS. Together they meaningfully harden a site.
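The two paragraphs above describe the audit as a presence check over six headers plus a reason each one matters. The script below is an added example (not SMTPDoctor's code) that does the same thing offline: it parses the header block of a raw HTTP response, looks for the six headers listed on this page, and reports each as present, missing, or weakly configured. The two responses it audits are constructed for the example, and the one-year HSTS minimum and the specific CSP, X-Frame-Options and Referrer-Policy checks are assumptions about sensible baselines rather than this tool's actual scoring rules.

```python
"""Audit a raw HTTP response for the security headers a site should send.

Added example, not SMTPDoctor's checker. Both responses below are constructed.
"""
import re
from typing import Dict, Tuple

# The six headers this page's checker looks for, and the attack each addresses.
EXPECTED_HEADERS = {
    "strict-transport-security": "protocol downgrade / SSL stripping",
    "content-security-policy": "cross-site scripting",
    "x-frame-options": "clickjacking",
    "x-content-type-options": "MIME-type sniffing",
    "referrer-policy": "referrer leakage",
    "permissions-policy": "unwanted browser feature access",
}

# Assumption: one year is the common HSTS minimum (and the preload-list requirement).
ONE_YEAR = 31536000

# Constructed sample: headers are present but several are configured weakly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<!doctype html><html></html>"
)

# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; object-src 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict.

    Accepts CRLF or LF line endings, skips the status line, stops at the blank
    line that ends the header block, and joins repeated headers with ', '.
    """
    headers: Dict[str, str] = {}
    lines = re.split(r"\r?\n", raw)
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]
    for line in lines:
        if line == "":
            break  # end of header block; the body follows
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line; ignore rather than abort the audit
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_header(name: str, value: str) -> Tuple[str, str]:
    """Return ('ok' | 'weak', detail) for a header that is present."""
    v = value.lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m:
            return "weak", "no max-age directive"
        if int(m.group(1)) < ONE_YEAR:
            return "weak", f"max-age={m.group(1)} is below one year"
        return "ok", value
    if name == "content-security-policy":
        # Note: browsers ignore 'unsafe-inline' when a nonce or hash is also
        # present, so treat this as a prompt to review the policy, not a verdict.
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "weak", "policy allows inline or eval'd script"
        if "default-src" not in v and "script-src" not in v:
            return "weak", "neither default-src nor script-src restricts scripts"
        return "ok", value
    if name == "x-frame-options":
        return ("ok", value) if v in ("deny", "sameorigin") else ("weak", "expected DENY or SAMEORIGIN")
    if name == "x-content-type-options":
        return ("ok", value) if v == "nosniff" else ("weak", "expected nosniff")
    if name == "referrer-policy":
        return ("weak", "unsafe-url sends the full URL cross-origin") if "unsafe-url" in v else ("ok", value)
    return "ok", value  # permissions-policy: presence is all this example checks


def audit(raw: str) -> Dict[str, Tuple[str, str]]:
    """Map each expected header to ('ok' | 'weak' | 'missing', detail)."""
    headers = parse_headers(raw)
    findings: Dict[str, Tuple[str, str]] = {}
    for name, protects in EXPECTED_HEADERS.items():
        if name not in headers:
            findings[name] = ("missing", f"no protection against {protects}")
        else:
            findings[name] = check_header(name, headers[name])
    return findings


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(f"--- {label} ---")
        for name, (status, detail) in audit(raw).items():
            print(f"{status:8} {name}: {detail}")
```

Running it prints two findings tables: the first response has HSTS and CSP flagged as weak and Referrer-Policy and Permissions-Policy missing, while the hardened response passes every check. The parser deliberately tolerates malformed lines and repeated headers, because the audit should report what a site actually sends rather than fail on the first oddity.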

Frequently asked questions

What are HTTP security headers?

They're response headers that tell the browser to enforce security protections, such as blocking framing, restricting script sources, and requiring HTTPS.

Which security header is most important?

Content-Security-Policy and Strict-Transport-Security offer the broadest protection, guarding against XSS and protocol-downgrade attacks respectively. Ideally you deploy all of them.

How do I add security headers?

Set them in your web server or application configuration, or at your CDN. Test changes carefully — a strict Content-Security-Policy can break legitimate resources if misconfigured.