~/tools/security-headers-checker

Security Headers Checker

Grade your site's HTTP security headers in seconds. Missing headers like CSP and HSTS leave you open to clickjacking, MIME sniffing, and protocol-downgrade attacks.

§ what this tool checks

Rules applied to every scan.

Security headers are the cheapest hardening you can ship — a few lines of server config that tell the browser how to protect your users. Without them, your site is exposed to clickjacking, MIME-type sniffing, and protocol-downgrade attacks. This tool reads your live HTTP response headers, grades what you have against the headers every site should send, and shows exactly which ones are missing.

Content-Security-Policy (CSP) against injection and clickjacking

Strict-Transport-Security (HSTS) to force HTTPS

X-Content-Type-Options to stop MIME sniffing

Permissions-Policy to lock down browser features

Referrer-Policy and X-Frame-Options

An overall letter grade for your header coverage

§ faq

Questions, answered.

What are HTTP security headers?

Security headers are directives your server sends in every HTTP response that tell the browser how to behave more safely — which sources may load scripts, whether the site may be framed, whether to force HTTPS, and more. They are a server-side configuration, invisible to users, and among the highest-impact, lowest-effort security improvements you can make.

Which security headers are most important?

Content-Security-Policy is the single most powerful header — it restricts where scripts, styles, and other resources can load from, mitigating cross-site scripting and clickjacking. Strict-Transport-Security (HSTS) forces browsers to use HTTPS and prevents downgrade attacks. X-Content-Type-Options: nosniff stops MIME-type confusion attacks. Together these three cover the most common web vulnerabilities.

How do I add security headers to my site?

Where you set them depends on your stack: in Next.js use the headers() function in next.config.js; on Nginx use add_header directives; on a CDN like Cloudflare or Vercel use the dashboard or a config file. Start with X-Content-Type-Options and HSTS (they are safe to enable broadly), then build a Content-Security-Policy carefully and test it in report-only mode before enforcing.

Do security headers affect SEO?

Not directly — Google does not rank you higher for sending them. But they protect against attacks (defacement, injected spam links, malware) that absolutely destroy rankings, and HSTS reinforces the HTTPS that Google does reward. Think of security headers as insurance: they prevent the catastrophic SEO losses that come from a compromised site.

§ run the full audit

Stop guessing. Scan everything in one click.

60 automated checks across meta tags, robots.txt, Open Graph, sitemaps, headings, AI visibility, and more — free, no signup.

run a full scan →

§ other tools

Check another thing.

Single-purpose inspectors for when you need to verify one thing.

01Meta Tag CheckerCheck your page title, meta description, viewport, charset, and robots tags.02Robots.txt ValidatorValidate your robots.txt file for syntax errors and blocking rules.03AI Crawler CheckerTest if ChatGPT, Claude, and Perplexity can actually read your page — not just whether your robots.txt says they can.04Open Graph Tag PreviewCheck your Open Graph and Twitter Card tags for social media sharing.05Sitemap ValidatorValidate your sitemap.xml file format and URL count.06Heading Structure CheckerAnalyze your H1-H6 heading hierarchy for SEO best practices.07SSL Certificate CheckerCheck your SSL certificate: expiry date, issuer, and trust chain.08Redirect CheckerTrace the full redirect chain for any URL — every 301, 302, and hop.09Structured Data ValidatorValidate your JSON-LD schema markup for missing fields and errors.10Broken Link CheckerScan a page for internal links that return 404s and server errors.11Core Web Vitals CheckerCheck the lab signals behind LCP, CLS, and a fast first byte.12Canonical Tag CheckerCheck your canonical tag and confirm it points where it should.