Analyze your website's HTTP security headers instantly. Get detailed explanations and code snippets to fix vulnerabilities.
HTTP security headers are directives sent by your web server to browsers. They instruct browsers on how to behave when handling your site's content. They protect you from web attacks.
Security headers add an extra layer of protection even if your application has vulnerabilities.
Adding security headers requires no code changes - just server configuration.
Protect against XSS, clickjacking, MIME sniffing attacks...
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
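The five headers in the sample response above can be checked mechanically. The following is an added example, not this tool's own code: it parses a raw response and grades each header. The function names, the ok/weak/missing grades and both sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real site).
GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\n\r\n"
)
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=0\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n<html>"
)

def parse_headers(raw):
    """Return {lowercased-name: value} from the head of a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return headers

def _hsts_ok(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0  # max-age=0 tells the browser to drop HSTS

# Header name -> predicate deciding whether the value gives any protection.
CHECKS = {
    "content-security-policy": lambda v: bool(v),
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: bool(v) and "unsafe-url" not in v.lower(),
}

def audit(raw):
    """Map each header to 'ok', 'weak' (present, ineffective value) or 'missing'."""
    headers = parse_headers(raw)
    return {
        name: "missing" if name not in headers
        else ("ok" if check(headers[name]) else "weak")
        for name, check in CHECKS.items()
    }
```

A header that is present but graded weak, such as `max-age=0`, gives no more protection than a missing one, which is why the check looks at values and not only names.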
Security headers are HTTP response headers that your web server sends to browsers. They provide instructions on how to handle your site's content securely.
A low score indicates that your site is missing security protections. It doesn't mean you've been hacked, but your site is more vulnerable to web attacks. We recommend implementing the missing headers ASAP.
Security headers are configured at the server level. Click on any missing header in your results to see code snippets for Apache, Nginx, Vercel, Cloudflare... Simply copy the snippet and add it to your server configuration.
Security headers are an important layer of defense, but not a complete solution. They work best alongside secure coding practices, regular updates, HTTPS, and other security best practices.
Modern browsers have removed support for X-XSS-Protection because the XSS filter it controlled had security issues of its own. However, the header still provides protection in older browsers like Internet Explorer.