How to Check Website Security Headers

Security headers are one of the easiest things to set up on a website, and one of the most commonly overlooked. They're HTTP response headers that tell browsers how to treat your site's content: whether it may be framed by other pages, which scripts may run, whether to require HTTPS, and so on. They mitigate clickjacking, limit the damage an XSS bug can do, and keep users off plain HTTP. A security headers checker fetches a URL, reads the response headers, and tells you which ones are missing or weakly configured.
I run this check on every new site I work on. It takes 10 seconds, and about 70% of the time I find at least two or three missing headers that should be there.
Important Security Headers
Here are the ones that matter most:
- Content-Security-Policy (CSP) — controls which sources scripts, styles, images and other resources may load from. It mitigates XSS by refusing to run injected scripts that don't match the policy; a policy that allows 'unsafe-inline' for scripts gives most of that benefit back.
- Strict-Transport-Security (HSTS) — tells browsers to use HTTPS only for your domain for max-age seconds. It only takes effect after the browser has seen the header over HTTPS once (or if the domain is on the preload list), so your HTTP-to-HTTPS redirect still has to exist. Use a max-age of at least a year and add includeSubDomains.
- X-Frame-Options — prevents other sites from embedding your pages in a frame, which blocks clickjacking. Set it to DENY or SAMEORIGIN; ALLOW-FROM is obsolete. The CSP frame-ancestors directive does the same job with finer control and takes precedence in modern browsers, so set both.
- X-Content-Type-Options — stops browsers from MIME-type sniffing a response into something other than its declared Content-Type. The only value is "nosniff".
- Referrer-Policy — controls how much of the current URL is sent in the Referer header on outgoing requests and navigations. strict-origin-when-cross-origin sends only the origin to other sites and is a sensible default; unsafe-url sends the full URL everywhere.
- Permissions-Policy — controls which browser features your site and the iframes it embeds can use (camera, microphone, geolocation). Disable what you don't use, for example camera=(), microphone=(), geolocation=().
Why These Matter
Without these headers, your site is exposed to several common attacks. Clickjacking can trick users into clicking hidden elements inside a framed copy of your page. An XSS flaw can run attacker scripts with no policy to stop them. MIME sniffing can make a browser treat an uploaded file as HTML or script. The headers are defence in depth: they don't fix the underlying bug (an XSS flaw is still a flaw with a CSP in place), but they make it much harder to exploit, and most of them cost a single line of configuration.
How to Fix Missing Headers
Adding security headers usually means adding a few lines to your server configuration. If you're using Nginx, it's an add_header directive; add the `always` parameter so the header is also sent on error responses, and note that an add_header in a location block replaces, rather than extends, the add_header lines inherited from the server block. For Apache, it's a Header set (or Header always set) directive in httpd.conf or .htaccess, which needs mod_headers enabled. Cloud platforms like Vercel, Netlify, and Cloudflare let you set them in a config file or a dashboard rule.
Start with the quick wins — X-Content-Type-Options and X-Frame-Options are one-liners that provide immediate protection. Then work up to CSP, which is more complex but provides the strongest protection.
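The following is an added example, not the page's own checker: a small Python grader that applies the checks from the header list above to a response's headers and, for every failing header, emits the Nginx add_header line from the fix section. The thresholds (a one-year HSTS max-age, the accepted Referrer-Policy values) are this example's choices, and the sample response at the bottom is constructed, not captured from a live site. To run it against a real site, pass the headers from http.client or requests to check_headers().

```python
"""Grade a response's security headers and emit Nginx add_header fixes.

Added example, not the page's checker. Thresholds and the sample response
below are this example's own choices and constructed data.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; common minimum HSTS max-age (preload needs at least this)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


@dataclass
class Result:
    passed: bool
    reason: str
    fix: Optional[str]  # Nginx directive to add when the check fails, else None


def _hsts(value):
    # Strict-Transport-Security: max-age=<n>[; includeSubDomains][; preload]
    max_age = None
    for part in value.split(";"):
        name, _, num = part.strip().lower().partition("=")
        if name == "max-age" and num.isdigit():
            max_age = int(num)
    if max_age is None:
        return False, "no max-age directive"
    if max_age < ONE_YEAR:
        return False, f"max-age={max_age} is shorter than one year"
    return True, "ok"


def _csp(value):
    # A policy with neither default-src nor script-src does nothing about XSS.
    directives = {d.strip().split()[0].lower() for d in value.split(";") if d.strip()}
    if not directives & {"default-src", "script-src"}:
        return False, "policy has neither default-src nor script-src"
    return True, "ok"


def _xfo(value):
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return True, "ok"
    return False, f"{v!r} is not DENY/SAMEORIGIN (ALLOW-FROM is obsolete)"


def _nosniff(value):
    return (True, "ok") if value.strip().lower() == "nosniff" else (False, "must be nosniff")


def _referrer(value):
    v = value.strip().lower()
    return (True, "ok") if v in SAFE_REFERRER else (False, f"{v!r} can leak full URLs cross-origin")


def _present(value):
    return (True, "ok") if value.strip() else (False, "empty value")


# header -> (validator, Nginx directive suggested when the check fails).
# `always` makes Nginx send the header on error responses as well.
BASELINE = {
    "content-security-policy": (_csp, "add_header Content-Security-Policy \"default-src 'self'\" always;"),
    "strict-transport-security": (_hsts, 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'),
    "x-frame-options": (_xfo, 'add_header X-Frame-Options "SAMEORIGIN" always;'),
    "x-content-type-options": (_nosniff, 'add_header X-Content-Type-Options "nosniff" always;'),
    "referrer-policy": (_referrer, 'add_header Referrer-Policy "strict-origin-when-cross-origin" always;'),
    "permissions-policy": (_present, 'add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;'),
}


def check_headers(headers):
    """Grade each baseline header pass/fail. Header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    results = {}
    for name, (validate, fix) in BASELINE.items():
        if name not in lowered:
            results[name] = Result(False, "missing", fix)
            continue
        ok, why = validate(lowered[name])
        results[name] = Result(ok, why, None if ok else fix)
    return results


def nginx_fixes(results):
    """add_header lines for every failed check, ready to paste into a server block."""
    return [r.fix for r in results.values() if not r.passed]


# Constructed sample of a half-finished deployment; not a real capture.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    graded = check_headers(SAMPLE_RESPONSE)
    for name, r in graded.items():
        print(f"{'PASS' if r.passed else 'FAIL'} {name}: {r.reason}")
    print("\n".join(nginx_fixes(graded)))
```

On the constructed sample only X-Content-Type-Options passes: HSTS is present but its five-minute max-age is far too short, the ALLOW-FROM value is obsolete, unsafe-url leaks full URLs, and CSP and Permissions-Policy are missing. A header being present is not the same as it being set well, which is why the grader validates values rather than just checking for names.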
Test After Every Change
After adding headers, run the checker again to confirm they're actually being sent, and check a few different page types (an error page, a redirect, a static asset), since some server setups only add headers on the main response. Misconfigured headers can break your site: a CSP that's too strict will block your own CSS and JavaScript, and an HSTS max-age set on a domain that still has HTTP-only subdomains will lock users out of them for the whole max-age. Roll CSP out as Content-Security-Policy-Report-Only first, which reports violations without enforcing them, and test in a staging environment before touching production.
Our security headers checker scans any URL and grades each header as pass or fail, with specific recommendations for what to add. Takes seconds to run.