Security Headers Checker

// Check and analyze HTTP security headers

Content-Security-Policy
critical

Controls which origins and sources the browser may load scripts, styles, frames and other resources from; injected markup only runs if the policy allows it, which is why it mitigates XSS and data injection. The style-src 'unsafe-inline' in the baseline below is a concession for sites that cannot yet move inline styles out. Never allow 'unsafe-inline' for script-src without a nonce or hash, and add object-src 'none'; base-uri 'self'; frame-ancestors 'none' where you can.

Recommended: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

Strict-Transport-Security
critical

Tells the browser to use only HTTPS for this host (and, with includeSubDomains, its subdomains) for max-age seconds after it first sees the header on an HTTPS response. Prevents protocol downgrade attacks and cookie hijacking over plaintext connections. The header is ignored on plain HTTP responses, and preload submits the domain to a list shipped with browsers that is slow to leave, so confirm every subdomain works over HTTPS before adding it.

Recommended: max-age=63072000; includeSubDomains; preload

X-Content-Type-Options
high

Stops the browser from guessing a resource's type from its content. With nosniff, scripts and stylesheets served with the wrong Content-Type are refused instead of executed, which blocks a class of content-injection and cross-origin read attacks.

Recommended: nosniff

X-Frame-Options
high

Controls whether the page may be embedded in a frame on another site. Prevents clickjacking. Modern browsers prefer the CSP frame-ancestors directive, so send both; ALLOW-FROM is obsolete and ignored.

Recommended: DENY

X-XSS-Protection
low

Legacy reflected-XSS filter; modern browsers have removed it and rely on CSP instead. Where the filter still exists it introduced vulnerabilities of its own, so explicitly disable it with 0 rather than enabling it.

Recommended: 0

Referrer-Policy
medium

Controls how much of the current URL is sent in the Referer header on navigations and subresource requests. strict-origin-when-cross-origin sends the full URL to the same origin, only the origin to other sites, and nothing on an HTTPS-to-HTTP downgrade; no-referrer-when-downgrade and unsafe-url leak full paths and query strings to third parties.

Recommended: strict-origin-when-cross-origin

Permissions-Policy
medium

Controls which browser features (camera, microphone, geolocation and others) the page and the frames it embeds may use. An empty allowlist such as camera=() disables the feature everywhere, including in third-party iframes.

Recommended: camera=(), microphone=(), geolocation=()

Cross-Origin-Opener-Policy
medium

Puts the page in its own browsing context group, cutting the window.opener link to cross-origin windows that opened it or that it opens. Together with Cross-Origin-Embedder-Policy it enables cross-origin isolation, which is what protects against Spectre-like side-channel attacks.

Recommended: same-origin

Cross-Origin-Resource-Policy
medium

Controls which origins can load your resources in no-cors requests (images, scripts, fonts and the like). same-origin stops other sites embedding them; assets shared across your own subdomains need same-site, and assets served from a public CDN need cross-origin.

Recommended: same-origin

Cross-Origin-Embedder-Policy
low

Controls which cross-origin resources the page may embed: with require-corp every cross-origin subresource must opt in via CORP or CORS. Required, together with COOP same-origin, for SharedArrayBuffer and high-resolution timers.

Recommended: require-corp
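The checks above can be run offline over a pasted header block. The following is an added example written for this page, not the tool's own code: it parses a raw response (status line plus "Name: value" lines, as copied from DevTools or curl), grades each header against the recommended values listed above, and tallies findings by severity. The one-year HSTS threshold, the severity labels and the sample response are this example's assumptions.

```javascript
// Added example, not the tool's own code: grade a pasted HTTP response header
// block against the recommendations above. Thresholds, severity labels and
// the sample response are assumptions made for this example.

// "Name: value" lines -> Map of lowercased name -> [values].
// Duplicate headers are kept separately (a site may send two CSPs).
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');            // first colon only: CSP values contain "https:"
    if (idx <= 0) continue;                   // skips the status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// CSP -> Map of directive -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Describe the weaknesses in a CSP, or return null if none were found.
function checkCsp(value) {
  const d = parseCsp(value);
  const issues = [];
  const script = d.get('script-src') || d.get('default-src'); // default-src is the fallback
  if (!script) issues.push('no script-src or default-src');
  else {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so only
    // flag it when it is actually in effect.
    const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    if (script.some(s => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash)
      issues.push("'unsafe-inline' in script-src");
    if (script.some(s => s.toLowerCase() === "'unsafe-eval'")) issues.push("'unsafe-eval' in script-src");
    if (script.includes('*')) issues.push('wildcard source in script-src');
  }
  if (!d.has('object-src') && !d.has('default-src')) issues.push('no object-src (plugins allowed)');
  if (!d.has('base-uri')) issues.push('no base-uri');
  return issues.length ? issues.join('; ') : null;
}

// HSTS: at least one year and includeSubDomains, in line with the recommendation above.
function checkHsts(value) {
  const m = /max-age\s*=\s*"?(\d+)/i.exec(value);
  if (!m) return 'max-age missing';
  const age = Number(m[1]);
  if (age === 0) return 'max-age=0 turns HSTS off';
  if (age < 31536000) return `max-age ${age} is under one year`;
  if (!/includeSubDomains/i.test(value)) return 'includeSubDomains missing';
  return null;
}

const SAFE_REFERRER = new Set(['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']);
const expectOneOf = (allowed, hint) => v =>
  allowed.includes(v.trim().toLowerCase()) ? null : `"${v}" is not ${hint}`;

const RULES = [
  { name: 'content-security-policy', severity: 'critical', check: checkCsp },
  { name: 'strict-transport-security', severity: 'critical', check: checkHsts },
  { name: 'x-content-type-options', severity: 'high', check: expectOneOf(['nosniff'], 'nosniff') },
  { name: 'x-frame-options', severity: 'high', check: expectOneOf(['deny', 'sameorigin'], 'DENY or SAMEORIGIN') },
  { name: 'x-xss-protection', severity: 'low', check: expectOneOf(['0'], '0 (the legacy filter must be off)') },
  { name: 'referrer-policy', severity: 'medium', check: v => {
      // A comma-separated value is a fallback chain; browsers apply the last policy they understand.
      const last = v.split(',').pop().trim().toLowerCase();
      return SAFE_REFERRER.has(last) ? null : `"${last}" leaks full URLs to other origins`;
    } },
  { name: 'permissions-policy', severity: 'medium', check: () => null }, // presence only
  { name: 'cross-origin-opener-policy', severity: 'medium', check: expectOneOf(['same-origin'], 'same-origin') },
  { name: 'cross-origin-resource-policy', severity: 'medium', check: expectOneOf(['same-origin', 'same-site'], 'same-origin or same-site') },
  { name: 'cross-origin-embedder-policy', severity: 'low', check: expectOneOf(['require-corp', 'credentialless'], 'require-corp') },
];

// One finding per rule, status missing | weak | ok. Every copy of a duplicated header is checked.
function checkHeaders(raw) {
  const headers = parseHeaders(raw);
  return RULES.map(rule => {
    const values = headers.get(rule.name);
    if (!values) return { header: rule.name, severity: rule.severity, status: 'missing', detail: 'header not set' };
    const problems = values.map(v => rule.check(v)).filter(Boolean);
    return problems.length
      ? { header: rule.name, severity: rule.severity, status: 'weak', detail: problems.join(' | ') }
      : { header: rule.name, severity: rule.severity, status: 'ok', detail: values.join(', ') };
  });
}

// Count findings that are not ok, by severity.
function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) if (f.status !== 'ok') counts[f.severity] += 1;
  return counts;
}

// Constructed sample response (not a real site), as DevTools or curl would show it.
const SAMPLE = `HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer-when-downgrade
cross-origin-opener-policy: same-origin`;

for (const f of checkHeaders(SAMPLE)) console.log(`${f.severity.padEnd(8)} ${f.status.padEnd(7)} ${f.header}: ${f.detail}`);
console.log(summarize(checkHeaders(SAMPLE)));
```

On the sample, the HSTS line is reported weak (max-age 300 is far below a year), the CSP is reported weak for 'unsafe-inline' in script-src and a missing base-uri, X-XSS-Protection is flagged because the legacy filter is switched on rather than off, and X-Frame-Options, Permissions-Policy, CORP and COEP are reported missing; only X-Content-Type-Options and COOP pass.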

#About Security Headers Checker

Free online security headers checker. Analyze HTTP response headers for security best practices including CSP, HSTS, X-Frame-Options, and more. This tool runs entirely in your browser — your data is never sent to a server. Just paste your input, get instant results, and copy with one click. No sign-up or installation required.

#FAQ

Which security headers are most important?
Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) are the most critical. CSP prevents XSS and injection attacks, while HSTS ensures all connections use HTTPS. X-Content-Type-Options and X-Frame-Options are also high priority for preventing MIME sniffing and clickjacking.
How do I get my response headers to paste here?
Open your browser DevTools (F12), go to the Network tab, reload your page, click on the main document request, and look at the Response Headers section. You can copy the headers from there. Alternatively, run curl -sI https://yoursite.com in your terminal. Note that -I sends a HEAD request, which some servers answer with different headers than a GET, so curl -s -D - -o /dev/null https://yoursite.com (a GET that prints only the headers) is the more faithful option. If the site redirects, check the headers of the final response rather than the redirect, since those are the ones your visitors' browsers act on.
Embed this tool

Copy this code to embed the tool on your website. Adjust the height to fit your layout.

<iframe src="https://www.browserutils.dev/embed/security-headers-checker" width="100%" height="500" frameborder="0" title="Security Headers Checker"></iframe>

#Related