See what your security headers are (and aren't) doing.

What are security headers?

Security headers are HTTP response headers that instruct browsers how to behave when handling your site's content. Headers like Content-Security-Policy restrict which scripts can run, Strict-Transport-Security forces HTTPS connections, and X-Frame-Options prevents your pages from being embedded in malicious iframes. Together they form a critical layer of defense that costs nothing to implement but stops entire classes of attacks — XSS, clickjacking, MIME sniffing, and protocol downgrade.

Most sites ship without them. A single missing header can leave your users exposed even when the rest of your stack is solid. This tool checks every header that matters, rates them by severity, and tells you exactly what's missing. Paste any URL to get a full report in seconds.