FREE TOOL

HTTP Security Headers Checker

Scan any website's HTTP response headers. Check HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more.

Why do HTTP security headers matter?

Security headers are your first line of defense against client-side attacks. They tell browsers how to behave when loading your site: blocking clickjacking, mitigating XSS, forcing HTTPS, and restricting which resources can load. Every missing header is a missed defense.

What is HSTS?

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even if the user types http://. Without it, the first request is vulnerable to downgrade attacks, in which an attacker strips the upgrade to HTTPS and keeps the connection on plain HTTP.

What is CSP?

Content Security Policy controls which scripts, styles, images, and other resources can load on your pages. A well-configured CSP is the most effective defense against cross-site scripting (XSS) attacks — the #1 web vulnerability.

Quick wins

Start with: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin. Then add HSTS with a 1-year max-age. CSP is harder — start with report-only mode and iterate.
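As an added example (not CQwerty Shield's own code), here is a minimal Python check of a response against the quick wins above, including the two easy-to-miss cases: an HSTS max-age shorter than one year, and a CSP that is still report-only. The function names, status labels and sample response are assumptions constructed for illustration.

```python
import re

ONE_YEAR = 31536000  # seconds; the 1-year HSTS max-age from the quick wins
EXACT = {  # header -> value recommended in the quick wins above
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "referrer-policy": "strict-origin-when-cross-origin",
}
# Constructed sample response, not captured from a real site.
SAMPLE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=86400; includeSubDomains
Content-Security-Policy-Report-Only: default-src 'self'
"""

def parse_headers(raw):
    """Parse a raw response header block into a dict with lowercase names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # simplification: keep only the first occurrence of a header
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def hsts_max_age(value):
    """Return max-age in seconds, or None if the directive is absent or malformed."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
    return int(m.group(1)) if m else None

def check_quick_wins(headers):
    """Map each quick-win header to a status; "differs" means the header is
    set, but not to the quick-win value (it may still be a valid choice)."""
    out = {}
    for name, want in EXACT.items():
        got = headers.get(name)
        out[name] = "missing" if got is None else "ok" if got.lower() == want else "differs"
    hsts = headers.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts is not None else None
    out["strict-transport-security"] = (
        "missing" if hsts is None else "ok" if (age or 0) >= ONE_YEAR else "weak")
    csp = "enforced" if "content-security-policy" in headers else (
        "report-only" if "content-security-policy-report-only" in headers else "missing")
    out["content-security-policy"] = csp  # report-only observes but does not block
    return out

if __name__ == "__main__":
    for header, status in check_quick_wins(parse_headers(SAMPLE)).items():
        print(f"{header}: {status}")
```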


Frequently asked questions

Is this headers checker free?

Yes, completely free and instant. Check any public website's security headers — no signup required.

What is a good headers grade?

An A means you have HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy all configured correctly. Most sites score C or lower because CSP and Permissions-Policy are often missing.

How do I add security headers?

It depends on your web server. For nginx, add headers in the server block. For Apache, use mod_headers. For Vercel/Netlify/Cloudflare, use their config files or dashboard. Run a full CQwerty Shield scan for copy-paste instructions specific to your setup.

What's the difference between this and SecurityHeaders.com?

SecurityHeaders.com focuses only on HTTP headers. CQwerty Shield checks headers as one of 18+ security dimensions — we also check SSL, DMARC, SPF, DNS, WHOIS, breach intel, and cross-reference CVE/KEV databases. Plus we provide AI-generated fix instructions.

FULL SECURITY AUDIT

HTTP Security Headers Checker is just the start.

CQwerty Shield checks SSL, DMARC, SPF, DNS, HTTP headers, WHOIS, breach intel, and more — with CVE/KEV cross-references on every finding.
