HTTP Security Headers Check


What Are HTTP Security Headers?

HTTP security headers are response headers that a web server sends to the browser to control how the page's content is handled. They form an important layer of defense against common web attacks, including cross-site scripting (XSS), clickjacking, MIME type confusion, and protocol downgrade attacks. Properly configured security headers mitigate many of these attacks without requiring changes to the application code itself, although they are a defense-in-depth layer rather than a substitute for fixing the underlying bugs.

Content-Security-Policy (CSP) is arguably the most powerful security header. It defines an allowlist of sources from which the browser may load content for a given page. By specifying which origins may serve scripts, stylesheets, images, and other resources, CSP blocks code from anywhere else from executing. A strict policy can stop most XSS payloads even when an attacker manages to inject markup into the page, provided the script-src directive does not include 'unsafe-inline' and none of the allowlisted origins host attacker-controllable scripts (such as JSONP endpoints or user uploads). For example, foxquery.com's CSP allows scripts only from itself and Google AdSense, blocking all other script sources.

Strict-Transport-Security (HSTS) instructs the browser to always use HTTPS when communicating with the site. Once a browser has received the header on an HTTPS response (browsers ignore it on plain HTTP), it automatically rewrites any http:// request to the site as https:// for the duration given by max-age, typically one year (31536000 seconds). The includeSubDomains directive extends this protection to all subdomains, and the preload directive signals that the domain may be hardcoded into browsers' built-in HSTS lists, which closes the window of exposure on the very first visit; submission to the preload list requires a max-age of at least one year together with includeSubDomains.

X-Frame-Options prevents clickjacking by controlling whether a page can be embedded in a frame. DENY blocks all framing, while SAMEORIGIN allows framing only by pages from the same origin (scheme, host, and port). The CSP frame-ancestors directive offers the same control with finer granularity and takes precedence when both are present, so new deployments should set both. X-Content-Type-Options with the nosniff value stops browsers from guessing the MIME type of a response, which defeats attacks that rely on a non-script resource being interpreted as script or HTML. Referrer-Policy controls how much of the current URL is sent in the Referer header when the user follows a link to, or the page loads a resource from, another site.
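The headers described above are normally emitted by the web server or a framework middleware rather than by individual page handlers. As an added example (not foxquery.com's code, and not taken from any framework), the following WSGI middleware attaches one reasonable baseline of those headers to every response and, because browsers ignore HSTS received over plain HTTP, only emits Strict-Transport-Security on HTTPS responses. The header values and the allowlisted CDN https://cdn.example.com are assumptions chosen for illustration.

```python
# Added example, not foxquery.com's code: a WSGI middleware that attaches the
# security headers discussed above. Values are an illustrative baseline and
# https://cdn.example.com is an assumed allowlisted script host.
import wsgiref.util

SECURITY_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' https://cdn.example.com; "
     "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]
HSTS_VALUE = "max-age=31536000; includeSubDomains; preload"


def security_headers_middleware(app):
    """Wrap a WSGI app so every response carries the baseline headers."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            existing = {name.lower() for name, _ in headers}
            # Do not override a header the application set deliberately.
            for name, value in SECURITY_HEADERS:
                if name.lower() not in existing:
                    headers.append((name, value))
            # RFC 6797: browsers ignore HSTS on non-TLS responses, so only
            # send it when this request actually arrived over HTTPS.
            if (environ.get("wsgi.url_scheme") == "https"
                    and "strict-transport-security" not in existing):
                headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def hello_app(environ, start_response):
    """Minimal application with no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def run_request(app, scheme="https"):
    """Invoke a WSGI app offline; return (status, headers dict, body bytes)."""
    environ = {}
    wsgiref.util.setup_testing_defaults(environ)   # constructed test request
    environ["wsgi.url_scheme"] = scheme
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = security_headers_middleware(hello_app)
    for scheme in ("https", "http"):
        status, headers, _ = run_request(app, scheme)
        print(f"{scheme}: {status}")
        for name, value in headers.items():
            print(f"  {name}: {value}")
```

Running it shows the HTTPS response carrying all six headers while the plain-HTTP response omits Strict-Transport-Security; the plain-HTTP endpoint should instead redirect to HTTPS, which is where the HSTS header is then delivered.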

Our tool checks all critical security headers and assigns a letter grade from A (excellent) to F (poor). Use our SSL Checker to verify your certificate configuration, Redirect Checker to ensure HTTP to HTTPS redirects work correctly, or Website Speed Test to measure how header configuration affects performance.

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are directives sent by a web server in its response that tell the browser how to behave when handling the site's content. They protect against common web attacks like cross-site scripting (XSS), clickjacking, MIME type sniffing, and protocol downgrade attacks. Key headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options.

What is Content-Security-Policy (CSP)?

Content-Security-Policy is an HTTP header that controls which resources the browser is allowed to load for a page. It is one of the most effective defenses against cross-site scripting (XSS) attacks. A well-configured CSP specifies approved sources for each resource type, blocking any unauthorized content from executing.

What is HSTS (Strict-Transport-Security)?

HSTS tells browsers to access the site only over HTTPS, never HTTP. Once a browser receives this header on an HTTPS response, it automatically converts any HTTP request for the site to HTTPS for the specified duration. This prevents SSL-stripping downgrade attacks and the theft of session cookies over plaintext HTTP. The includeSubDomains directive extends protection to all subdomains.

How is the security grade calculated?

The security grade is based on the presence and proper configuration of key security headers. An A grade requires all critical headers including CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Missing headers lower the grade, and weak configurations receive warnings.
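To make the checking and grading described here and in the tool description above concrete, the following is an added example, not foxquery.com's checker and not its published scoring formula. It parses a raw HTTP response, looks for the six headers the grade depends on, flags the weak configurations a practitioner would want called out (a CSP with 'unsafe-inline' or '*' in script-src, an HSTS max-age under a year or without includeSubDomains, an X-Frame-Options value other than DENY or SAMEORIGIN, a Referrer-Policy of unsafe-url), and derives a letter grade. The scale of one letter per missing header, with weak settings reported as warnings rather than penalised, is an assumption; the two sample responses are constructed, not captured from a real site.

```python
# Added example, not foxquery.com's checker: parse a raw HTTP response,
# evaluate the six headers the grade depends on, and derive a letter grade.
# Scoring (one letter per missing header, warnings not penalised) is an
# assumption; the page does not publish its exact formula.
import re

REQUIRED = [
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
]


def parse_headers(raw: bytes) -> dict:
    """Case-insensitive header dict from a raw response (status line, headers, body)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # A repeated header is folded into one value; for CSP the browser
        # enforces every policy it receives, so nothing is lost here.
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return headers


def csp_directives(value: str) -> dict:
    """Split "default-src a b; script-src c" into {'default-src': ['a','b'], ...}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_headers(headers: dict):
    """Return (grade, missing_headers, warnings) for one response."""
    missing = [h for h in REQUIRED if h not in headers]
    warnings = []
    if "content-security-policy" in headers:
        d = csp_directives(headers["content-security-policy"])
        script = d.get("script-src", d.get("default-src", []))   # script-src falls back to default-src
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        # 'unsafe-inline' is ignored by browsers when a nonce or hash is present
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            warnings.append("CSP script-src allows 'unsafe-inline', so injected inline scripts still run")
        if "*" in script:
            warnings.append("CSP script-src allows '*'")
    if "strict-transport-security" in headers:
        v = headers["strict-transport-security"].lower()
        m = re.search(r"max-age=(\d+)", v)
        if m is None:
            warnings.append("HSTS has no max-age")
        elif int(m.group(1)) < 31536000:
            warnings.append(f"HSTS max-age={m.group(1)} is shorter than one year")
        if "includesubdomains" not in v:
            warnings.append("HSTS does not cover subdomains (no includeSubDomains)")
    if "x-frame-options" in headers:
        v = headers["x-frame-options"].strip().upper()
        if v not in ("DENY", "SAMEORIGIN"):
            warnings.append(f"X-Frame-Options {v!r} is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)")
    if headers.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        warnings.append("X-Content-Type-Options is present but not 'nosniff'")
    if headers.get("referrer-policy", "").strip().lower() == "unsafe-url":
        warnings.append("Referrer-Policy unsafe-url sends the full URL to every third party")
    grade = "ABCDF"[min(len(missing), 4)]     # assumed scale: one letter per missing header
    return grade, missing, warnings


def grade_response(raw: bytes):
    return check_headers(parse_headers(raw))


# Constructed sample responses (not captured from any real site).
STRONG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Referrer-Policy: strict-origin-when-cross-origin\r\n"
    b"Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    b"\r\n<html><body>ok</body></html>"
)
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: default-src *; script-src * 'unsafe-inline'\r\n"
    b"Strict-Transport-Security: max-age=3600\r\n"
    b"X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n<html><body>ok</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("strong", STRONG_RESPONSE), ("weak", WEAK_RESPONSE)):
        grade, missing, warnings = grade_response(raw)
        print(f"{label}: grade {grade}; missing: {', '.join(missing) or 'none'}")
        for w in warnings:
            print("  warning:", w)
```

The strong response grades A with no warnings; the weak one grades C for its two missing headers and collects five warnings, which is the kind of distinction between "header absent" and "header present but ineffective" that a raw presence check would miss. To run it against a live site, feed the bytes of an HTTPS response into grade_response rather than the constructed samples.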

What is X-Frame-Options?

X-Frame-Options controls whether a browser may display a page inside a frame, iframe, embed, or object element. DENY prevents all framing, while SAMEORIGIN allows framing only by pages from the same origin. This header protects against clickjacking attacks.