Security Headers Analyzer
Grade any website's HTTP security headers
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are response headers a web server sends to tell the browser how to behave securely. Key ones include Strict-Transport-Security (forces HTTPS), Content-Security-Policy (restricts where scripts and other content may load from, mitigating XSS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (stops MIME sniffing), Referrer-Policy, and Permissions-Policy.
Which security header is the most important?
Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) provide the most protection. CSP is the strongest defense against cross-site scripting (XSS), and HSTS prevents protocol-downgrade and SSL-stripping attacks by forcing HTTPS.
Why does my site leak its server version?
The Server and X-Powered-By response headers often reveal the exact software and version a site runs (e.g. nginx/1.21.0 or PHP/8.1). Attackers use this to target known vulnerabilities in that specific version. Best practice is to remove these headers or replace them with a generic value.
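An added example, not the analyzer's own code, that scores a set of response headers along the lines this FAQ describes (HSTS, CSP, clickjacking, MIME sniffing, Referrer-Policy, Permissions-Policy, and version disclosure). The point weights, the one-year HSTS threshold and the letter-grade cutoffs are assumptions chosen for illustration, and the two sample header sets are constructed.

```python
import re

def grade_headers(headers: dict) -> tuple[str, list[str]]:
    """Score response headers with assumed weights; return (letter grade, findings)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    score, findings = 0, []
    # HSTS: full credit only with a max-age of at least one year (31536000 s)
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) >= 31536000:
        score += 25
    elif m:
        score += 10; findings.append("HSTS max-age below one year")
    else:
        findings.append("missing Strict-Transport-Security")
    # CSP: present and not undermined by 'unsafe-inline'
    csp = h.get("content-security-policy", "")
    if csp and "'unsafe-inline'" not in csp:
        score += 25
    elif csp:
        score += 10; findings.append("CSP allows 'unsafe-inline'")
    else:
        findings.append("missing Content-Security-Policy")
    # Clickjacking: X-Frame-Options or the CSP frame-ancestors directive
    if h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        score += 15
    else:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    if h.get("x-content-type-options", "").lower() == "nosniff":
        score += 10
    else:
        findings.append("missing X-Content-Type-Options: nosniff")
    for name, pts in (("referrer-policy", 10), ("permissions-policy", 10)):
        if name in h:
            score += pts
        else:
            findings.append(f"missing {name.title()}")
    # Version disclosure: a digit in Server / X-Powered-By almost always means a version string
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(name, "")):
            score -= 5; findings.append(f"{name.title()} discloses a version: {h[name]}")
    grade = "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 50 else "D" if score >= 25 else "F"
    return grade, findings

# Constructed sample responses for demonstration (not captured from any real site).
WEAK = {"Server": "nginx/1.21.0", "X-Powered-By": "PHP/8.1", "Content-Type": "text/html"}
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
          "Permissions-Policy": "camera=(), microphone=()", "Server": "nginx"}
```

Feeding `STRONG` to `grade_headers` yields an A with no findings, while `WEAK` fails with eight findings, two of them the version leaks the last question describes.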