
HTTP security headers.

Grade any URL on the headers that actually matter for browser security: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, plus cookie flags and the HTTP-to-HTTPS redirect chain.

What we grade

Content-Security-Policy (CSP) — tells browsers what scripts, styles, fonts, images, frames and fetches your page is allowed to load. The single most effective mitigation against XSS. Hard to retrofit, easy to add to a new site.

Strict-Transport-Security (HSTS) — tells browsers to refuse plain HTTP for this domain for the next N seconds. Defends against active downgrade attacks. The max-age should be at least 6 months; 1 year is standard. With includeSubDomains and preload set, you can submit the domain to the HSTS preload list.

X-Frame-Options / frame-ancestors — prevents your site from being framed by attackers (clickjacking). Modern sites should use CSP frame-ancestors; legacy X-Frame-Options: DENY still works.

X-Content-Type-Options — must be set to nosniff. Stops browsers from MIME-sniffing responses, which can otherwise let attacker-controlled files execute as scripts.

Referrer-Policy — controls how much of the URL is leaked when users click links to other sites. strict-origin-when-cross-origin is the modern default.

Permissions-Policy — opts your site out of features you don't use (camera, microphone, geolocation, USB, payment) so that third-party iframes can't quietly use them.

Cookie flags — every cookie set should have Secure, HttpOnly (where appropriate), and SameSite=Lax or Strict.

HTTPS redirect chain — plain-HTTP requests should 301-redirect to HTTPS. We follow up to 5 redirects and confirm you end up on HTTPS.
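As an added example (not the tool's own code), here is a small Python grader that applies the header checks listed above to a captured set of response headers; the sample response it grades is constructed for a hypothetical site.

```python
# Added example (not the tool's own code): grade captured response headers against
# the checks listed above. Input is a list of (name, value) pairs, e.g. getheaders().
SIX_MONTHS = 182 * 24 * 3600  # minimum HSTS max-age recommended above

def grade_headers(headers):
    """Return {check: [findings]}; an empty list means that check passed."""
    h = {n.lower(): v.strip() for n, v in headers if n.lower() != "set-cookie"}
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    f = {}
    # HSTS: present, max-age of at least six months, includeSubDomains and preload set
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";") if d.strip()]
    max_age = next((int(d[8:]) for d in hsts if d.startswith("max-age=") and d[8:].isdigit()), 0)
    if not hsts:
        f["hsts"] = ["missing"]
    else:
        f["hsts"] = ["max-age below 6 months"] if max_age < SIX_MONTHS else []
        f["hsts"] += ["no " + x for x in ("includeSubDomains", "preload") if x.lower() not in hsts]
    # Framing: CSP frame-ancestors preferred; legacy X-Frame-Options DENY/SAMEORIGIN still counts
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    f["csp"] = [] if csp else ["missing"]
    f["framing"] = [] if "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN") else ["framable"]
    # MIME sniffing, referrer leakage and feature opt-out headers
    f["nosniff"] = [] if h.get("x-content-type-options", "").lower() == "nosniff" else ["not nosniff"]
    f["referrer"] = [] if h.get("referrer-policy") else ["missing"]
    f["permissions"] = [] if h.get("permissions-policy") else ["missing"]
    # Cookies: every Set-Cookie needs Secure, HttpOnly and SameSite=Lax or Strict
    f["cookies"] = []
    for c in cookies:
        name, *attrs = [p.strip() for p in c.split(";")]
        attrs = {a.split("=", 1)[0].lower(): a.split("=", 1)[-1].lower() for a in attrs}
        name = name.split("=", 1)[0]
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                f["cookies"].append(f"{name}: no {flag}")
        if attrs.get("samesite") not in ("lax", "strict"):
            f["cookies"].append(f"{name}: SameSite not Lax/Strict")
    return f

SAMPLE_HEADERS = [  # constructed response for a hypothetical site, not a real capture
    ("Strict-Transport-Security", "max-age=86400"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; SameSite=None"),
]

if __name__ == "__main__":
    for check, findings in grade_headers(SAMPLE_HEADERS).items():
        print(f"{check:12s} {'PASS' if not findings else '; '.join(findings)}")
```

Feed it the header list from any HTTP client (after following the redirect chain yourself) to reproduce the checks described here against a live response.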

Found gaps?

Most security headers are nginx/Apache one-liners. CSP is the one that genuinely takes effort because you have to enumerate every third-party origin your site loads. The rest are usually 30 minutes of config work plus a deploy.

If you'd like the work done by people who run security headers as part of their day job — including writing a strict CSP that doesn't break your analytics, your A/B tests, or your fonts — talk to us.

Privacy

Unlike our DNS-based tools, this tool runs the fetch through a small Edos-hosted PHP backend (browsers can't cross-origin-fetch and read response headers from sites that don't opt in). The backend doesn't log the URLs you check. Your IP is in standard nginx access logs retained for 14 days for security purposes only — same as any other page on this site.

Frequently asked questions

What are HTTP security headers?
HTTP security headers are response headers that browsers read to understand how to handle your page's content. They don't change how your site looks or functions for legitimate users — they restrict what browsers are allowed to do, making it harder for attackers to exploit your users through injected scripts, clickjacking, MIME confusion, or protocol downgrade attacks.
What is Content-Security-Policy (CSP)?
CSP is a whitelist telling the browser which origins are allowed to load scripts, styles, images, fonts, and frames. It's the most effective mitigation against cross-site scripting (XSS), but it requires you to enumerate every external origin your page loads — analytics, font CDN, chat widgets, and so on. Getting it wrong silently breaks things; getting it right requires careful enumeration and testing.
What is HSTS?
HSTS (HTTP Strict Transport Security) tells browsers to refuse all plain-HTTP connections to your domain for a set period — typically 1 year. Once a browser has seen your HSTS header, it will automatically upgrade HTTP to HTTPS without a round-trip. With includeSubDomains and preload, you can have your domain added to the browser's built-in HSTS list, protecting even first-time visitors.
What should I fix first?
Start with HSTS (high impact, low risk — just add the header and confirm your site fully loads over HTTPS), then X-Content-Type-Options: nosniff (one line, zero risk), then X-Frame-Options: SAMEORIGIN (prevents clickjacking). Save CSP for last — it's the only one that can actively break your site if misconfigured, and it requires the most testing.
Will adding security headers break my site?
HSTS, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are extremely low risk and won't break normal site functionality. X-Frame-Options can break legitimate embeds (like payment widgets in iframes) if set to DENY. CSP is the one that requires careful testing — any external origin not in your policy will be silently blocked, which can break analytics, fonts, chat widgets, and embedded media.