Does this work on localhost?

No — your URL has to be reachable from the public internet. For localhost testing, check the Network tab in your browser's DevTools directly.

Will this show me what to change?

Yes. Every missing or misconfigured header links to a plain-English fix guide with code examples for Next.js, Vercel, Cloudflare, and nginx.

How accurate is the CSP check?

We check that a CSP header exists and flag common weaknesses (unsafe-inline, wildcard sources). We do not run a full CSP policy analysis — for that, use a dedicated tool like csper.io after you have a baseline.

Free tool

Free Security Headers Checker

Check CSP, HSTS, X-Frame-Options, and more in seconds.

Free. No account. Results in under 60 seconds.

What it checks

Every check, explained

01Content-Security-Policy — stops script injection attacks
02Strict-Transport-Security (HSTS) — forces HTTPS
03X-Frame-Options — blocks clickjacking iframes
04X-Content-Type-Options — prevents MIME sniffing
05Referrer-Policy — controls what URLs leak to third parties
06Permissions-Policy — locks down camera, mic, geolocation

Why it matters

Why you should care

Security headers are the single easiest set of fixes for any site. Each one is a single response header, and together they stop the most common web attacks (XSS, clickjacking, downgrade, MIME-sniffing). Most sites have 0-2 of the 6 we check. Every one you add moves the dial.

How it works

What happens when you paste a URL

We send one GET request to your URL and read the response headers. No cookies are sent, no forms are submitted, no JavaScript is executed. Everything we report is information your browser already receives.

FAQ

Frequently asked questions

Does this work on localhost?: No — your URL has to be reachable from the public internet. For localhost testing, check the Network tab in your browser's DevTools directly.
Will this show me what to change?: Yes. Every missing or misconfigured header links to a plain-English fix guide with code examples for Next.js, Vercel, Cloudflare, and nginx.
How accurate is the CSP check?: We check that a CSP header exists and flag common weaknesses (unsafe-inline, wildcard sources). We do not run a full CSP policy analysis — for that, use a dedicated tool like csper.io after you have a baseline.

Fix guides

If this check fails, here is what to do

Missing CSP header

A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.

Missing HSTS header

HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.

Missing X-Frame-Options

Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.

Missing X-Content-Type-Options

X-Content-Type-Options: nosniff stops browsers from guessing file types and executing uploads as scripts. Every site should send it — here is how.

Missing Referrer-Policy

Referrer-Policy controls how much URL information leaks when users click links out of your site. The default leaks too much. Here is what to set instead.

Missing Permissions-Policy

Permissions-Policy controls which browser features (camera, microphone, geolocation) your site and its iframes can use. Default-allow is unsafe — lock it down.

More free tools

Related checkers

SSL checker

Certificate validity, TLS version, and cipher strength — in 10 seconds.

CORS checker

Is your API open to any website? Find out now.

Exposed files checker

Find .env, .git, and other sensitive files before attackers do.

Glossary