Goto full web page.

Security Headers Checker for any Domain url

Enter any URL and our Bot will fetch the url domain headers.

Notes: This App is monitored and restricted against abuse. your IP is also logged for a period, incase of reports of abuse by your IP address

HTTP Security Headers Explained

When your website sends a response to a web browser, it can include security headers. These instruct the browser how to behave in ways that help protect your site, your visitors, and your data. Below you'll find some of the most commonly used headers, what they do, and why you should include them.

Header What It Does Example Value(s)
Strict-Transport-Security (HSTS) Forces the browser to use HTTPS (never HTTP) for a set time; prevents downgrade attacks. Also helps prevent "man-in-the-middle" attacks. Once a browser sees this, it remembers (per domain). max-age=31536000; includeSubDomains; preload
Content-Security-Policy (CSP) Controls what external (or internal) sources of scripts, styles, images, etc., are allowed. Helps stop cross-site scripting (XSS), injected scripts, and data leaks. default-src 'self'; script-src 'self' https://trustedscripts.example.com; style-src 'self' 'unsafe-inline'
X-Frame-Options Prevents your pages from being "framed" by other sites. Stops clickjacking attacks (when someone overlays invisible frames over your content). SAMEORIGIN or DENY
X-Content-Type-Options Tells the browser to trust your MIME types and not "sniff" them. Prevents certain types of attacks where bad content is disguised as something else (e.g. a script disguised as text). nosniff
Referrer-Policy Controls how much of the "referrer" (previous page URL) gets sent to the next site. Helps with privacy and can also stop exposing query strings with private data or session IDs. same-origin, strict-origin-when-cross-origin
Permissions-Policy Allows you to enable/disable certain browser features (camera, microphone, geolocation, etc.). Less used features = smaller attack surface. geolocation=(), microphone=(), camera=()
Cross-Origin-Resource-Policy (CORP) Controls which sites can fetch your images, scripts, etc. Helps prevent misuse of your resources by other origins. same-origin or same-site
Cross-Origin-Embedder-Policy (COEP) Makes browser reject cross-origin resources unless they explicitly allow it (via CORP or CORS). Helps with isolation and protecting against some side-channel attacks. require-corp
Cross-Origin-Opener-Policy (COOP) Ensures your site's pages don't share browsing contexts with other sites. Prevents some cross-window attacks and improves security for certain kinds of isolated web applications. same-origin
Cache-Control Controls how browsers and intermediate caches store your pages. For sensitive pages (login, admin) you usually don't want them cached. For static assets, long caching is OK. no-store, no-cache, must-revalidate
Server (optional to hide) This header identifies the web server (e.g., Apache, nginx). Hiding or masking this makes it slightly harder for attackers to know what software/version your server is running, which can reduce attack vectors. Server: Apache or omit / obfuscate

Frequently Asked Questions about Security Headers

What are HTTP security headers?

Security headers are extra instructions sent by a web server to a browser. They tell the browser how to handle content and help prevent attacks such as clickjacking, cross-site scripting, and data leaks.

Do security headers improve SEO?

Security headers don't directly increase search rankings, but they build trust with users and search engines. Proper use of HTTPS, HSTS, and CSP can prevent browser warnings and keep your site safe, which indirectly benefits SEO.

What is Strict-Transport-Security (HSTS)?

HSTS forces browsers to always use HTTPS, preventing insecure HTTP connections. It protects against downgrade attacks and man-in-the-middle attacks.

What does X-Frame-Options do?

X-Frame-Options prevents your website from being embedded in an iframe on another site, protecting against clickjacking attacks. Options include SAMEORIGIN or DENY.

What is a Content-Security-Policy (CSP)?

CSP defines which resources (scripts, styles, images, etc.) are allowed to load on your site. It reduces the risk of cross-site scripting (XSS) and injected malware. CSP is powerful but must be tested carefully to avoid breaking functionality.

What is the Referrer-Policy header?

Referrer-Policy controls how much of the referring URL is shared when a user clicks a link. It helps protect user privacy and prevents sensitive query strings from leaking to third parties.

Which security headers are most important to start with?

The most important headers to begin with are Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a basic Content-Security-Policy. These provide immediate protection against common attacks.

How do I add security headers in .htaccess?

You can add headers in your Apache .htaccess file using the Header directive. For example: Header always set X-Content-Type-Options "nosniff". Your server must have mod_headers enabled. Test thoroughly after adding headers to ensure nothing breaks.

How to Use These Headers on Your Site

  1. Decide which headers make sense for *your site.* If you don't use geolocation or video, you can tighten `Permissions-Policy` a lot.
  2. Test in staging before pushing live. Some CSP rules can break functionality (like inline scripts or third-party embeds).
  3. Use browser dev tools / online testers (e.g. security-headers) to check what's already being sent and where you need improvements.
  4. Make sure you monitor / update over time. Security needs evolve. Don't just "set and forget."

Real-Life Example: .htaccess for Apache

Here's a working sample you can drop into your `.htaccess`. It sets up a baseline of strong headers that are generally safe for most sites. Tweak as needed.


# BEGIN Security Headers

# Force HTTPS & prevent protocol downgrade
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Prevent framing
Header always set X-Frame-Options "SAMEORIGIN"

# Control content sources (scripts, styles, images, etc.)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; 
style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'self';"

# Prevent MIME-sniffing
Header always set X-Content-Type-Options "nosniff"

# Referrer policy for privacy
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Permissions policy (disable features you don't need)
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), fullscreen=(), interest-cohort=()"

# Cross-origin policies
Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"

# Caching control (for sensitive pages, adjust separately if needed)
<IfModule mod_headers.c>
 <FilesMatch "\.(html|php)$">
 
Header always set Cache-Control "no-cache, no-store, must-revalidate"
 
Header always set Pragma "no-cache"
 </FilesMatch>
</IfModule> 


# Optional: hide server version / software info
# Header unset Server
# (or configure your server to not send it at all)

# END Security Headers

Note: If you have third-party embeds (iframes, widgets), or external scripts/styles/fonts, you'll need to adjust either the CSP or the CORP/COEP settings so you don't break functionality. Always test after implementing.