Scan any website's security headers and get a letter grade. Generate server configurations to fix missing headers.
HTTP security headers are your site's first line of defense against common web attacks. They instruct browsers to enforce security policies that protect both your users and your application — without requiring any changes to your application code.
A properly configured set of security headers can prevent cross-site scripting (XSS), clickjacking, MIME-type confusion, protocol downgrade attacks, and information leakage. Most can be added with a few lines of server configuration, making them one of the highest-impact, lowest-effort security improvements available.
Despite this, most websites are missing critical security headers. Studies consistently show that fewer than 10% of websites properly implement Content-Security-Policy, and many don't even set basic headers like X-Content-Type-Options.
Strict-Transport-Security (HSTS) forces browsers to always connect over HTTPS. After seeing this header, the browser automatically converts HTTP requests for the domain to HTTPS for the specified duration. With includeSubDomains and preload, your domain can be added to the HSTS preload list built into every major browser.
Content-Security-Policy (CSP) is the most powerful security header. It specifies exactly which sources are allowed to load scripts, styles, images, fonts, and other resources. A strict CSP can completely prevent XSS attacks by blocking unauthorized script execution. Start with default-src 'self' and add specific sources as needed.
X-Frame-Options prevents your page from being loaded in iframes on other domains, protecting against clickjacking attacks, in which attackers overlay invisible frames to trick users into clicking hidden elements. Set it to DENY unless your site specifically needs to be framed.
X-Content-Type-Options prevents browsers from MIME-sniffing the response content type. Without it, browsers may interpret a file as a different content type than declared, potentially executing malicious content. Always set it to nosniff.
Referrer-Policy controls how much URL information is sent as referrer data when users navigate away. Without it, full URLs (including query parameters that may contain sensitive data) can leak to third-party sites. strict-origin-when-cross-origin is the recommended default.
Permissions-Policy controls which browser features and APIs your site can use. Disable features you don't need (camera, microphone, geolocation, payment) to reduce your attack surface and prevent third-party scripts from accessing sensitive APIs.
For Nginx, add the generated headers to your server {} block. For Apache, add them to your VirtualHost. For Cloudflare, create Transform Rules.
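A minimal version of the scan-and-generate flow described above, written for this page as an added example rather than the scanner's own code. It checks a response's headers against the six headers just discussed, returns a letter grade with findings, and emits the Nginx or Apache directives for the headers that are missing. The letter-grade scale (one step per finding), the one-year HSTS minimum, the Permissions-Policy feature list and the constructed sample response are assumptions of the example.

```python
"""Audit a response's security headers and emit directives for missing ones.
Added example, not the scanner's own code.  The grade scale, the one-year
HSTS minimum, the Permissions-Policy list and the sample headers are assumed."""

RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this
GRADES = "ABCDEF"    # assumption: one grade step per finding, floor at F
FORMATS = {  # directive templates for the two servers named above
    "nginx": 'add_header {name} "{value}" always;',
    "apache": 'Header always set {name} "{value}"',
}


def check_hsts(value):
    """A short max-age gives little protection; preload needs a year or more."""
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        return "Strict-Transport-Security has no max-age directive"
    try:
        seconds = int(max_age.split("=", 1)[1])
    except ValueError:
        return "Strict-Transport-Security max-age is not an integer"
    if seconds < ONE_YEAR:
        return f"Strict-Transport-Security max-age={seconds} is below one year"
    return None


def check_csp(value):
    """No script restriction, or inline scripts allowed, means no XSS defence.
    Searching the whole policy string for the keywords is a simplification."""
    lowered = value.lower()
    if "default-src" not in lowered and "script-src" not in lowered:
        return "Content-Security-Policy sets neither default-src nor script-src"
    if "'unsafe-inline'" in lowered or "'unsafe-eval'" in lowered:
        return "Content-Security-Policy permits 'unsafe-inline' or 'unsafe-eval'"
    return None


def check_frame_options(value):
    """DENY and SAMEORIGIN are the only values current browsers honour."""
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return f"X-Frame-Options value {value!r} is not DENY or SAMEORIGIN"
    return None


def check_nosniff(value):
    ok = value.strip().lower() == "nosniff"
    return None if ok else f"X-Content-Type-Options value {value!r} must be nosniff"


def check_referrer(value):
    """The header may carry a fallback list; the last token is the effective one."""
    policy = value.split(",")[-1].strip().lower()
    if policy in ("unsafe-url", "no-referrer-when-downgrade"):
        return f"Referrer-Policy {policy} sends full URLs to other sites"
    return None


CHECKS = {
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "X-Frame-Options": check_frame_options,
    "X-Content-Type-Options": check_nosniff,
    "Referrer-Policy": check_referrer,
    # Any explicit feature list is an improvement over the browser defaults.
    "Permissions-Policy": lambda v: None if v.strip() else "Permissions-Policy is empty",
}


def audit(headers):
    """Return (grade, findings); header names compare case-insensitively."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        value = present.get(name.lower())
        problem = f"{name} is missing" if value is None else check(value)
        if problem:
            findings.append(problem)
    return GRADES[min(len(findings), len(GRADES) - 1)], findings


def server_directives(headers, server="nginx"):
    """Directives for the missing headers: Nginx server {} block or Apache
    VirtualHost (mod_headers).  'always' applies them to error responses too."""
    present = {k.lower() for k in headers}
    return [FORMATS[server].format(name=n, value=RECOMMENDED[n])
            for n in RECOMMENDED if n.lower() not in present]


# Constructed response headers for a site with weak and absent headers.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    grade, findings = audit(SAMPLE_HEADERS)
    print("Grade:", grade, *("\n - " + f for f in findings))
    print("\n".join(server_directives(SAMPLE_HEADERS)))
```

Fetching live headers is left out so the block runs offline; in practice the input dict would come from the response to an HTTPS request. One caveat when pasting the generated HSTS directive: browsers ignore Strict-Transport-Security received over plain HTTP, so it has to be emitted by the HTTPS server block or VirtualHost, not the one that redirects HTTP to HTTPS.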