Security Headers Checker — HSTS, CSP & HTTP Header Score

Security headers are directives the server sends before HTML body bytes. Browsers enforce them consistently across your pages without requiring JavaScript frameworks or server-side rewrites on every route. They complement TLS by addressing threats that persist even on encrypted connections — XSS, clickjacking, referrer leakage, and permission abuse.

Unlike WAF rules that block malicious requests, headers shape how the browser interprets your legitimate responses. A missing Content-Security-Policy leaves inline script injection viable; missing HSTS allows sslstrip-style attacks on first visit.

Strict-Transport-Security tells browsers to always use HTTPS for the max-age duration. Include subdomains only when every subdomain supports TLS. preload is optional and requires submission to browser preload lists — verify readiness before adding the token.

Our checker awards twenty-five points when any Strict-Transport-Security header is present. It does not parse max-age minimums — operators should ensure max-age is at least 31536000 seconds for production hardening.

CSP defines allowed sources for scripts, styles, images, and connections. A strict default-src 'self' with explicit exceptions beats a permissive policy that defeats the purpose. Report-uri or report-to directives help monitor violations in production.

We detect presence of Content-Security-Policy and show the first two hundred characters of the value. Long policies are truncated in display but still count toward score. Pair CSP deployment with mixed-content scanning to eliminate http:// dependencies.

X-Frame-Options with DENY or SAMEORIGIN prevents other sites embedding your pages in iframes. Content-Security-Policy frame-ancestors is the modern replacement and takes precedence where supported.

Twenty points apply when X-Frame-Options is set. For clickjacking-specific framing analysis including CSP frame-ancestors parsing, use our dedicated clickjacking test on the same URL.

Referrer-Policy controls how much URL information browsers send when users navigate away. strict-origin-when-cross-origin balances analytics needs with path privacy. Overly permissive policies leak session tokens in query strings to third parties.

Fifteen points reward any Referrer-Policy header. Review policy tokens against your analytics and affiliate link requirements.

Permissions-Policy (formerly Feature-Policy) disables powerful APIs — camera, microphone, geolocation, payment — by default unless explicitly allowed. This reduces impact when attacker-controlled scripts execute despite CSP.

We accept either permissions-policy or legacy feature-policy header names. Fifteen points apply when either is present.

One hundred means all five categories are covered. Seventy to ninety-nine indicates one or two gaps — often Referrer-Policy or Permissions-Policy on otherwise mature sites. Below seventy suggests missing HSTS or CSP, which should be prioritized.

Scores are binary per category: a weak CSP counts the same as a strong one. After reaching one hundred on presence, refine policy strictness manually or with CSP evaluators in staging.

Nginx and Apache set headers in server config. CDNs often expose header rules at the edge — prefer edge injection for static assets. Application frameworks may set headers in middleware — ensure reverse proxies do not strip them.

Test staging URLs with the same header config as production. Some hosts return different headers for apex vs www — check both variants.

Headers reduce browser-level attack surface but do not patch SQL injection or authentication flaws. Treat a high score as necessary, not sufficient, for security compliance narratives.

Re-run after every deploy that touches web server, CDN, or middleware configuration. Headers are frequently regressed during infrastructure changes.

Redirects may drop headers on intermediate responses — we follow to the final URL. Some paths serve different headers for bots vs browsers; our fetch uses a standard tool user agent.

If headers appear in browser devtools but not here, verify they are on the HTML document response, not only on static subresources.