Security headers cheat sheet — configure each one
```nginx
# nginx: put these in the server {} (or location {}) block that serves the site.
# Note: add_header is not inherited from an enclosing block once a child block
# declares any add_header of its own, so repeat the full set in each such block.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; ..." always;
```

```apache
# Apache: requires mod_headers (a2enmod headers); place in the VirtualHost or .htaccess.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
```

```csharp
// ASP.NET Core middleware: register it early in the pipeline (before UseStaticFiles)
// so static responses get the headers too.
app.Use(async (context, next) =>
{
    context.Response.Headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
    context.Response.Headers["Permissions-Policy"] = "geolocation=(), microphone=(), camera=()";
    await next();
});
```

```javascript
// Express (helmet middleware)
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet()); // default: all the above + CSP defaults
```

Cloudflare: use a Page Rule or a Transform Rule (add Response Header) to set `Strict-Transport-Security: max-age=31536000; includeSubDomains`.
Grading — what A/B/C/D/F mean
Our scanner grades based on which critical headers are present and well-configured:
| Grade | Score | Typical configuration |
|---|---|---|
| A+ | ≥ 95 | All recommended headers, strict CSP, HSTS with preload |
| A | 85-94 | All recommended, CSP may have loose directives |
| B | 65-84 | HSTS + X-Content-Type-Options but no/weak CSP |
| C | 45-64 | Only HSTS or only a few headers |
| D | 25-44 | Deprecated headers like X-XSS-Protection, no HSTS |
| F | < 25 | No security headers at all |
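The grading bands above can be checked offline against a captured response. The Python script below is an added example, not the scanner's own code: it parses the header block of a raw HTTP response, applies the cheat-sheet checks (HSTS max-age of at least one year plus includeSubDomains and preload, nosniff, a strict Referrer-Policy, a CSP whose script sources carry no 'unsafe-inline'/'unsafe-eval'/wildcard, clickjacking protection, Permissions-Policy, and the deprecated X-XSS-Protection) and maps the total onto the A+ to F bands. The per-header point weights are this example's assumption; the page only publishes the bands, not the scoring formula. The sample responses are constructed.

```python
import re

ONE_YEAR = 31536000
# Point weights are an assumption of this example; they sum to 100 and are tuned
# so that the "typical configuration" column of the grading table lands in its band.
WEIGHTS = {
    "hsts_base": 30, "hsts_subdomains": 5, "hsts_preload": 10,
    "nosniff": 15, "referrer": 10, "csp_strict": 20, "csp_loose": 8,
    "frame": 5, "permissions": 5, "deprecated_xss": -5,
}
GOOD_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
BANDS = ((95, "A+"), (85, "A"), (65, "B"), (45, "C"), (25, "D"))  # from the grading table


def parse_raw_headers(raw):
    """Return {lower-cased name: value} for the header block of a raw HTTP/1.x response."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy):
    """Split a CSP string into {directive: [source tokens]} (quotes stripped, lower-cased)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'\"").lower() for t in tokens[1:]]
    return directives


def csp_is_strict(directives):
    """Script sources count as strict unless they allow inline code without a nonce/hash,
    eval, or broad host/scheme wildcards."""
    scripts = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(t.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for t in scripts)
    if "unsafe-inline" in scripts and not has_nonce_or_hash:
        return False
    return not ({"*", "unsafe-eval", "http:", "https:", "data:"} & set(scripts))


def grade_for(score):
    for threshold, grade in BANDS:
        if score >= threshold:
            return grade
    return "F"


def evaluate(headers):
    """Return (score, grade, findings) for a dict of lower-cased header names."""
    score, findings = 0, []
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    max_age = int(m.group(1)) if m else 0
    if max_age >= ONE_YEAR:
        score += WEIGHTS["hsts_base"]
        if "includesubdomains" in hsts.lower():
            score += WEIGHTS["hsts_subdomains"]
        else:
            findings.append("HSTS: add includeSubDomains")
        if "preload" in hsts.lower():
            score += WEIGHTS["hsts_preload"]
        else:
            findings.append("HSTS: add preload (and submit the domain to the preload list) for A+")
    elif max_age > 0:
        score += WEIGHTS["hsts_base"] // 2
        findings.append(f"HSTS: max-age={max_age} is below one year ({ONE_YEAR})")
    else:
        findings.append("Strict-Transport-Security missing")

    if headers.get("x-content-type-options", "").strip().lower() == "nosniff":
        score += WEIGHTS["nosniff"]
    else:
        findings.append("X-Content-Type-Options: nosniff missing")

    if headers.get("referrer-policy", "").strip().lower() in GOOD_REFERRER:
        score += WEIGHTS["referrer"]
    else:
        findings.append("Referrer-Policy missing or leaky (use strict-origin-when-cross-origin)")

    csp = parse_csp(headers.get("content-security-policy", ""))
    if csp:
        if csp_is_strict(csp):
            score += WEIGHTS["csp_strict"]
        else:
            score += WEIGHTS["csp_loose"]
            findings.append("CSP: script sources allow 'unsafe-inline', 'unsafe-eval' or broad hosts")
    else:
        findings.append("Content-Security-Policy missing (roll it out with Content-Security-Policy-Report-Only first)")

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        score += WEIGHTS["frame"]
    else:
        findings.append("Clickjacking: set X-Frame-Options: DENY or CSP frame-ancestors")

    if "permissions-policy" in headers:
        score += WEIGHTS["permissions"]
    else:
        findings.append("Permissions-Policy missing (optional)")

    if "x-xss-protection" in headers:
        score += WEIGHTS["deprecated_xss"]
        findings.append("X-XSS-Protection is deprecated; remove it and rely on CSP")

    score = max(0, min(100, score))
    return score, grade_for(score), findings


def scan(raw_response):
    """Convenience wrapper: raw HTTP response text -> (score, grade, findings)."""
    return evaluate(parse_raw_headers(raw_response))


# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), microphone=(), camera=()\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'\r\n\r\n"
)
SAMPLE_LEGACY = (
    "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\nX-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("good", SAMPLE_GOOD), ("legacy", SAMPLE_LEGACY)):
        score, grade, findings = scan(raw)
        print(f"{name}: {score}/100 ({grade})")
        for f in findings:
            print("  -", f)
```

Feed it the output of `curl -sI https://example.test/` (or a response saved from a browser's network panel) and compare the findings list with the cheat sheet above; the CSP strictness check is deliberately coarse and only looks at script sources, which is where an 'unsafe-inline' allowance matters most.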
Fast path to A: add HSTS + X-Content-Type-Options + Referrer-Policy (one-line nginx additions). Adding a proper CSP earns the extra 10 points for A+, but it needs testing in report-only mode first.
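Report-only mode means serving the candidate policy as `Content-Security-Policy-Report-Only` with a `report-uri` (or `report-to`) endpoint, then reading what browsers would have blocked before switching to the enforcing header. The Python below is an added example, not part of this page or the scanner: a minimal report-collecting endpoint plus an aggregator that groups violation reports by effective directive and blocked origin so the policy can be widened deliberately. The sample reports are constructed in the JSON shape browsers POST for `report-uri`; the endpoint path and port are assumptions.

```python
import json
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Deployment side (assumed nginx line for the trial policy; the path is an assumption):
#   add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report" always;

# Browsers put keywords rather than URLs in blocked-uri for these cases; map them to the
# source expression that would allow them. Inline scripts are better fixed with nonces or
# hashes than by allowing 'unsafe-inline'.
KEYWORD_SOURCES = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'", "data": "data:", "blob": "blob:"}

# Constructed sample reports (one JSON document per POST body).
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in (
    {"document-uri": "https://www.example.test/", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "https://cdn.example.test/lib.js",
     "original-policy": "default-src 'self'; report-uri /csp-report"},
    {"document-uri": "https://www.example.test/", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "inline",
     "original-policy": "default-src 'self'; report-uri /csp-report"},
    {"document-uri": "https://www.example.test/about", "effective-directive": "img-src",
     "violated-directive": "img-src", "blocked-uri": "https://images.example.test/logo.png",
     "original-policy": "default-src 'self'; report-uri /csp-report"},
    {"document-uri": "https://www.example.test/", "effective-directive": "script-src",
     "violated-directive": "script-src", "blocked-uri": "https://cdn.example.test/other.js",
     "original-policy": "default-src 'self'; report-uri /csp-report"},
)]

RECEIVED = []  # raw report bodies collected by the endpoint below


class CspReportHandler(BaseHTTPRequestHandler):
    """Minimal report-uri endpoint: store the body and answer 204 No Content."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        RECEIVED.append(self.rfile.read(length).decode("utf-8", "replace"))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def source_for(blocked_uri):
    """Reduce a blocked-uri to the CSP source expression that would allow it."""
    if blocked_uri in KEYWORD_SOURCES:
        return KEYWORD_SOURCES[blocked_uri]
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # allow the origin, not the full path
    return blocked_uri or "(empty)"


def summarise_reports(bodies):
    """Aggregate report bodies into {effective-directive: {source: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for body in bodies:
        report = json.loads(body).get("csp-report", {})
        # Older browsers only send violated-directive, whose first token is the directive name.
        directive = report.get("effective-directive") or (report.get("violated-directive") or "unknown").split()[0]
        summary[directive][source_for(report.get("blocked-uri", ""))] += 1
    return {d: dict(s) for d, s in summary.items()}


def suggest_additions(summary, min_count=1):
    """Candidate sources per directive, to be reviewed by hand before enforcing.
    min_count filters one-off noise (browser extensions commonly produce it)."""
    return {d: sorted(src for src, n in sources.items() if n >= min_count)
            for d, sources in summary.items()}


if __name__ == "__main__":
    summary = summarise_reports(SAMPLE_REPORTS)
    for directive, sources in suggest_additions(summary).items():
        print(f"{directive} {' '.join(sources)}")
    # To collect real reports, serve the endpoint (assumed port) and point report-uri at it:
    HTTPServer(("127.0.0.1", 8088), CspReportHandler).serve_forever()
```

Run the aggregation over a day or two of collected reports rather than a few minutes: lazily loaded widgets and rarely visited pages show up late, and a policy enforced too early breaks them.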
Frequently Asked Questions
How do I check HTTP security headers on a website?
Enter a URL. The scanner fetches the response headers and grades each one: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and the Cross-Origin-* headers. It gives you an overall letter grade from A to F with specific fixes.
What are the must-have HTTP security headers in 2026?
Content-Security-Policy (stops XSS), Strict-Transport-Security (forces HTTPS), X-Content-Type-Options: nosniff, X-Frame-Options: DENY or CSP `frame-ancestors`, Referrer-Policy: strict-origin-when-cross-origin. Optional but nice: Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy.
How do I fix a failing security headers score?
Add missing headers at the web server, CDN or app level. Start with the easy three: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`, `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`. Then tackle CSP (harder but highest value).
How is this different from securityheaders.com?
Same checks, same grading logic. Our tool runs the scan live from your browser with no account needed and links directly to our CSP Evaluator for deeper inspection of the Content-Security-Policy header.
Do security headers help with SEO?
Indirectly. HSTS and strong CSP boost trust signals (fewer malware warnings, no mixed-content issues). Google has confirmed HTTPS is a ranking signal; secure headers reinforce the HTTPS posture. More importantly, they protect users.
Copyright © 2026 BuildStudio. All rights reserved.
Designed and Developed by Webority Technologies