Free tool · No sign-up required

Free Security Header Checker

Test HTTP security headers in seconds

Scan any URL to check for HSTS, CSP, X-Frame-Options, cookie flags, SRI, and 8 more security headers. Get a graded report with actionable fix recommendations.

Results in ~10 seconds · Sign up free to save history & set up monitoring

This tool uses the same scanner as the full SiteAuditLab audit — pre-filtered to this category. Run a full scan to see Security, Performance, SEO, Accessibility, Privacy & more together.

What gets checked

Strict-Transport-Security (HSTS) max-age & preload
Content-Security-Policy (CSP) directives
X-Frame-Options (clickjacking protection)
X-Content-Type-Options: nosniff
Referrer-Policy strictness
Permissions-Policy configuration
CORS header analysis
Subresource Integrity (SRI) on scripts
Mixed HTTP/HTTPS content detection
Cookie security flags (HttpOnly, Secure, SameSite)
HTTPS redirect verification
SSL/TLS certificate presence

Frequently asked questions

What are HTTP security headers?

HTTP security headers are response headers your web server sends to browsers that instruct them how to behave when handling your site's content. Headers like Content-Security-Policy prevent XSS attacks, X-Frame-Options blocks clickjacking, and Strict-Transport-Security enforces HTTPS. Missing these headers leaves your users exposed to well-known attack vectors.

How do I add security headers?

The method depends on your server. In Next.js: add an async headers() function to the config in next.config.js. In Nginx: add add_header directives in your server block, with the always parameter so the header is also sent on error responses. In Apache: use Header set in .htaccess (requires mod_headers). On Vercel/Netlify: use the vercel.json file (Vercel) or the _headers file (Netlify). Our tool tells you exactly which headers are missing and what values to set.

What is Content-Security-Policy (CSP)?

CSP is a browser mechanism that restricts which resources (scripts, styles, images) can load on your page. A properly configured CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Start with default-src 'self' and add exceptions as needed.

Is this tool free?

Yes, the security header check is completely free and requires no account. Sign up for a free account to save your scan history, set up scheduled checks, and monitor your site 24/7.

How often should I check my security headers?

After every deployment that touches your server configuration, and at least monthly. Header configurations can silently change during platform migrations or when adding third-party services. Use our scheduled audit feature to automate this check.
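A check like this can also run inside a deployment pipeline. The following is an added example, not SiteAuditLab's scanner: it audits a captured set of response headers for several of the items listed above. The finding names, the one-year HSTS threshold and the sample headers are assumptions made for illustration.

```javascript
const ONE_YEAR = 31536000; // assumed minimum HSTS max-age, in seconds

// "default-src 'self'; img-src *" -> Map { 'default-src' => ["'self'"], 'img-src' => ['*'] }
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers honour only the first occurrence of a duplicated directive.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function auditHeaders(headers, setCookies = []) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const maxAge = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
  if (!maxAge) findings.push('hsts-missing'); // header absent, or no max-age
  else if (Number(maxAge[1]) < ONE_YEAR) findings.push('hsts-short-max-age');
  const csp = parseCsp(h['content-security-policy']);
  if (csp.size === 0) findings.push('csp-missing');
  else if (!csp.has('default-src')) findings.push('csp-no-default-src');
  const scripts = csp.get('script-src') || csp.get('default-src') || [];
  // 'unsafe-inline' is ignored by browsers when a nonce or hash is also listed.
  const pinned = scripts.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (scripts.includes("'unsafe-inline'") && !pinned) findings.push('csp-unsafe-inline-script');
  // frame-ancestors covers the same clickjacking risk as X-Frame-Options.
  if (!h['x-frame-options'] && !csp.has('frame-ancestors')) findings.push('framing-unrestricted');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('nosniff-missing');
  if (!h['referrer-policy']) findings.push('referrer-policy-missing');
  for (const line of setCookies) { // one raw Set-Cookie value per entry
    const [pair, ...attrs] = line.split(';').map(s => s.trim());
    const flags = attrs.map(a => a.split('=')[0].toLowerCase());
    for (const flag of ['httponly', 'secure', 'samesite'])
      if (!flags.includes(flag)) findings.push(`cookie-${pair.split('=')[0]}-no-${flag}`);
  }
  return findings;
}

// Constructed sample response (not real scan output).
const sampleFindings = auditHeaders(
  { 'Strict-Transport-Security': 'max-age=300', 'Content-Security-Policy': "script-src 'self' 'unsafe-inline'" },
  ['sid=abc123; Path=/; Secure']);
console.log(sampleFindings.join('\n'));
```

Exit non-zero when the returned array is non-empty to fail a deployment job that weakens the headers.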
