    HTTP Security Headers Checker

    HTTP security headers tell the browser how to safely render your site — blocking clickjacking, XSS, mixed content, and MIME sniffing attacks. This tool fetches your homepage, inspects the response headers, and gives you a 0–100 score plus copy-paste fixes for whatever's missing.

    Frequently asked questions

    What's the most important security header?

    Strict-Transport-Security (HSTS) — it forces every connection to use HTTPS and prevents protocol-downgrade attacks. Set max-age=31536000; includeSubDomains; preload.

    Is X-Frame-Options still needed if I have CSP?

    If your CSP includes a frame-ancestors directive, X-Frame-Options is redundant for modern browsers — but X-Frame-Options still helps older clients. Either is fine.

    Why don't I have Content-Security-Policy?

    CSP is the highest-impact header but the trickiest to roll out without breaking your site. Start in Content-Security-Policy-Report-Only mode and tighten over time.
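
The checks discussed in the answers above, as an added Python example (not this tool's own code, and it does not reproduce the 0–100 score). The finding codes and the two sample header sets are constructed for illustration.

```python
import re

def parse_hsts(value):
    """Return (max_age or None, set of other directives) for an HSTS value."""
    max_age, flags = None, set()
    for part in (p.strip().lower() for p in value.split(";")):
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part)
        if m:
            max_age = int(m.group(1))
        elif part:
            flags.add(part)
    return max_age, flags

def csp_directives(value):
    """Map directive name -> source list; the first duplicate wins, as in browsers."""
    out = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit(headers):
    """Return finding codes (hypothetical names) for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    max_age, flags = parse_hsts(h.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("hsts-missing")
    elif max_age < 31536000:  # one year, the max-age recommended above
        findings.append("hsts-short-max-age")
    if max_age is not None and "includesubdomains" not in flags:
        findings.append("hsts-no-includesubdomains")
    enforced = csp_directives(h.get("content-security-policy", ""))
    if not enforced:
        report_only = "content-security-policy-report-only" in h
        findings.append("csp-report-only" if report_only else "csp-missing")
    # A Report-Only policy does not block framing, so only the enforced CSP counts.
    if "frame-ancestors" not in enforced and "x-frame-options" not in h:
        findings.append("framing-unprotected")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("nosniff-missing")
    return findings

# Constructed sample responses, not captured from any real site.
ROLLOUT = {"Strict-Transport-Security": "max-age=3600",
           "Content-Security-Policy-Report-Only": "default-src 'self'; frame-ancestors 'none'"}
HARDENED = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff"}
```

`audit(ROLLOUT)` shows why a site that is still in Report-Only mode needs X-Frame-Options in the meantime: its frame-ancestors directive is reported on but not enforced.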