
Security Headers Scanner

Free HTTP security headers checker. Scan any website for missing or misconfigured security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more. Get a grade from A+ to F with exact fix instructions.

A+ to F grade · 9 header checks · Fix recommendations · Instant results · No signup
HTTP Security Header Scanner
What this tool does

Free security headers scanner — check HTTP response headers and fix vulnerabilities on your website

How the security headers scanner works and what each header protects against

This free security headers scanner fetches the target website from our server and analyses the HTTP response headers against a security checklist. It evaluates nine areas: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HTTPS transport, X-XSS-Protection, and server information exposure, and produces a score from 0 to 100 with a letter grade from A+ to F. Note that X-XSS-Protection is a legacy header: the browser filter it controlled has been removed from Chromium-based browsers and was never implemented in Firefox, so the safe modern value is 0 (or omitting the header) and CSP is the real defence against XSS. Results come back quickly because everything runs on our server with no external dependencies.

Security headers are among the fastest and cheapest security improvements you can make to a website. Most of them require adding a single line to your server configuration and add negligible overhead. Yet many websites, including large, well-known ones, still score C or below, leaving their users exposed to clickjacking, cross-site scripting, MIME-sniffing attacks, and unwanted information leakage.

Every failing test includes a specific, actionable recommendation showing exactly what header value to add. After implementing the fixes, re-run the scan to verify your changes. Most headers can be deployed in minutes by a developer familiar with their server configuration; the exception is a strict Content-Security-Policy on an existing site, which usually needs a pass in Content-Security-Policy-Report-Only mode first to find the inline scripts and third-party resources that the policy would otherwise block.
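The nine checks described above, as an added example in Python that is not the scanner's own code: it grades a header set offline against constructed sample responses (SAMPLE_GOOD mirrors the Grade A+ example on this page, SAMPLE_BAD the two failing examples). The minimum HSTS max-age of one year, the letter-grade bands, and the rule that X-XSS-Protection passes only when absent or set to 0 are this example's assumptions, not the scanner's published thresholds. fetch_headers is the only function that touches the network and is not called by the sample run.

```python
"""Offline HTTP security-header grader (added example; not the scanner's own code)."""
import re
import urllib.request

# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example.com",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Server": "nginx",
}
SAMPLE_BAD = {
    "Server": "Apache/2.4.51 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.12",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "X-XSS-Protection": "1; mode=block",
}

# Policies that never send a full cross-site URL.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def csp_directives(value):
    """Parse "default-src 'self'; script-src a b" into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(headers, https=True):
    """Run the nine checks; return a list of (name, passed, fix) tuples."""
    results = []
    # 1. HSTS: max-age of at least one year (assumed threshold) on an HTTPS response.
    m = re.search(r"max-age=(\d+)", header(headers, "Strict-Transport-Security") or "")
    results.append(("HSTS", https and bool(m) and int(m.group(1)) >= 31536000,
                    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload"))
    # 2. CSP: present, and the effective script source list has no wildcard or unsafe keyword.
    csp = csp_directives(header(headers, "Content-Security-Policy") or "")
    scripts = csp.get("script-src", csp.get("default-src", []))
    weak = {"*", "'unsafe-inline'", "'unsafe-eval'"}
    results.append(("CSP", bool(csp) and not (weak & set(scripts)),
                    "Content-Security-Policy: default-src 'self'"))
    # 3. Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = (header(headers, "X-Frame-Options") or "").strip().upper()
    results.append(("X-Frame-Options", xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
                    "X-Frame-Options: DENY"))
    # 4. MIME sniffing.
    results.append(("X-Content-Type-Options",
                    (header(headers, "X-Content-Type-Options") or "").strip().lower() == "nosniff",
                    "X-Content-Type-Options: nosniff"))
    # 5. Referrer leakage.
    rp = (header(headers, "Referrer-Policy") or "").strip().lower()
    results.append(("Referrer-Policy", rp in SAFE_REFERRER,
                    "Referrer-Policy: strict-origin-when-cross-origin"))
    # 6. Browser feature restrictions (presence only, as the page describes).
    results.append(("Permissions-Policy", header(headers, "Permissions-Policy") is not None,
                    "Permissions-Policy: camera=(), microphone=(), geolocation=()"))
    # 7. Transport.
    results.append(("HTTPS", https, "Serve the site over HTTPS and redirect HTTP to it"))
    # 8. X-XSS-Protection is legacy; absent or "0" passes (this example's rule).
    xxp = header(headers, "X-XSS-Protection")
    results.append(("X-XSS-Protection", xxp is None or xxp.strip().startswith("0"),
                    "X-XSS-Protection: 0 (or remove the header) and rely on CSP"))
    # 9. Version numbers in Server / X-Powered-By: any digit counts as a leak.
    leaky = [h for h in ("Server", "X-Powered-By") if re.search(r"\d", header(headers, h) or "")]
    results.append(("Server info", not leaky,
                    "ServerTokens Prod / server_tokens off; unset X-Powered-By"))
    return results


def grade(results):
    """Score is the percentage of passed checks; letter bands are assumed for this example."""
    score = round(100 * sum(1 for _, ok, _ in results if ok) / len(results))
    for floor, letter in ((100, "A+"), (90, "A"), (80, "B"), (65, "C"), (50, "D")):
        if score >= floor:
            return score, letter
    return score, "F"


def fetch_headers(url):
    """Live fetch for real use (network); the sample run below stays offline."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers), url.lower().startswith("https://")


if __name__ == "__main__":
    for name, hdrs, https in (("good", SAMPLE_GOOD, True), ("bad", SAMPLE_BAD, False)):
        res = check_headers(hdrs, https)
        print(name, grade(res))
        for check, ok, fix in res:
            if not ok:
                print(f"  FAIL {check}: add {fix}")
```

The CSP check looks at script-src and falls back to default-src, which is how browsers resolve the effective script policy; a site whose only weakness is 'unsafe-inline' in style-src therefore still passes, matching the page's focus on script execution.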

Features and capabilities
A+ to F Grading
Scores 0–100 across 9 security checks and assigns a letter grade — A+ means all headers correctly configured.
CSP Analysis
Checks Content-Security-Policy presence and evaluates strength — flags unsafe-inline and unsafe-eval directives.
HSTS Check
Verifies Strict-Transport-Security — checks max-age, includeSubDomains, and preload directive.
X-Frame-Options
Confirms clickjacking protection via X-Frame-Options: DENY/SAMEORIGIN or CSP frame-ancestors.
X-Content-Type-Options
Verifies nosniff is set to prevent MIME-sniffing attacks.
Referrer-Policy
Checks that Referrer-Policy limits URL leakage to external sites.
Permissions-Policy
Verifies browser feature restrictions (camera, microphone, geolocation, etc.) are configured.
Server Info Exposure
Flags exposed server software and version numbers in Server and X-Powered-By headers.
Fix Recommendations
Every failing test shows exactly what header value to add and where — copy-paste ready.
No External Dependency
Runs entirely on our server — no third-party APIs, no rate limits, always available.
Instant Results
Scans complete in 2–5 seconds — no polling, no waiting for external services.
No Signup Required
Enter a domain and click Scan — no account, no API key needed.
Examples

Security header examples — correct configurations, common mistakes, and how to fix them

Real HTTP security header examples with explanations of what each value means
Grade A+: complete security header set, all headers correctly configured
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()

All six key security headers are present and correctly configured. HSTS tells browsers to use HTTPS only for the domain; the preload directive takes effect on first visit only after the domain has been submitted to and accepted by the browser preload list. CSP restricts script sources. X-Frame-Options blocks clickjacking. nosniff stops MIME sniffing. Referrer-Policy limits URL leakage. Permissions-Policy restricts browser feature access. This configuration scores A+.

Missing CSP: common mistake, site with no Content-Security-Policy header
❌ Content-Security-Policy: NOT SET
❌ X-Frame-Options: NOT SET
❌ X-Content-Type-Options: NOT SET
Fix for Nginx, add inside the server block:
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;

A site without these three headers has no browser-side mitigation against injected scripts (XSS), clickjacking, or MIME sniffing. Adding them to a single Nginx server block takes a few minutes and immediately raises the grade. Two Nginx caveats: the always flag is needed so the headers are also sent on error responses (4xx and 5xx), and add_header directives are not inherited into a location block that defines its own add_header, so each such block must repeat the full set. Test a new CSP in Content-Security-Policy-Report-Only mode first, because default-src 'self' blocks inline scripts and styles.

Server Info Leak: version numbers exposed in Server and X-Powered-By headers
❌ Server: Apache/2.4.51 (Ubuntu)
❌ X-Powered-By: PHP/8.1.12
Fix for Apache (httpd.conf; ServerTokens is server-config only and is not allowed in .htaccess):
ServerTokens Prod
Header unset X-Powered-By
(Header requires mod_headers and may also be placed in .htaccess.)
Fix for PHP (php.ini):
expose_php = Off

Exposing server software versions tells attackers exactly which CVEs to try first. These are trivially removed: ServerTokens Prod in Apache, server_tokens off in Nginx, expose_php = Off in PHP. Both web servers still send a bare product name afterwards (Server: Apache or Server: nginx). Hiding the version removes easy fingerprinting but patches nothing, so keep the software updated regardless.

FAQ

Frequently asked questions about HTTP security headers

Common questions about security headers, CSP, HSTS, and improving your website's security grade
What are HTTP security headers?
HTTP security headers are response headers that a web server sends to the browser to instruct it on how to behave when handling the site's content. They act as a second layer of defence against common attacks like cross-site scripting (XSS), clickjacking, MIME sniffing, and information leakage. Unlike application-level security, security headers are configured at the web server or CDN level and apply globally to every page served from that origin.
What is Content-Security-Policy (CSP)?
Content-Security-Policy (CSP) is one of the most powerful security headers available. It tells the browser which sources of scripts, styles, images, and other resources are allowed to load on the page. A strong CSP blocks most injected scripts from executing, which turns many cross-site scripting (XSS) bugs from a full compromise into a blocked request; it is a mitigation, not a substitute for output encoding. For example, a policy of default-src 'self' allows only resources from the same origin. Note the single quotes around 'self': keywords like 'self', 'none', 'unsafe-inline' and 'unsafe-eval' must be quoted, while host names such as cdn.example.com are written without quotes. Avoid 'unsafe-inline' and 'unsafe-eval' in script-src, as they undo most of the protection.
What is X-Frame-Options and why does it matter?
X-Frame-Options controls whether your page can be embedded in an iframe on another domain. Without it, an attacker can embed your page invisibly on top of a fake site and trick users into clicking buttons or entering credentials, a clickjacking attack. Setting X-Frame-Options: DENY prevents all framing; SAMEORIGIN allows framing only by pages from your own origin. Modern browsers prefer the CSP frame-ancestors directive and ignore X-Frame-Options when frame-ancestors is present; sending both (for example frame-ancestors 'none' together with DENY) gives the broadest compatibility.
What does X-Content-Type-Options do?
X-Content-Type-Options: nosniff tells the browser not to guess the content type of a response. Without it, a browser may sniff a response served with a generic or wrong Content-Type and treat it as JavaScript or CSS, which can be exploited to run injected content; with nosniff, scripts and stylesheets are executed only when the Content-Type is a matching JavaScript or CSS type. This is one of the simplest security headers to add, a single line in your server config. The one prerequisite is that your server already sends correct Content-Type values, since with nosniff a script served as text/plain is blocked rather than sniffed.
What is Referrer-Policy?
Referrer-Policy controls how much referrer information is sent when a user follows a link from your site or the page loads a resource from another site. Without a policy, older browsers send the full URL including query strings, which can leak sensitive data such as user IDs or tokens carried in URLs. A policy of strict-origin-when-cross-origin sends only the origin to other sites, and nothing at all when going from HTTPS to HTTP, while preserving the full referrer for same-origin requests. Current browsers already use this value as their default, so setting it explicitly mainly covers older browsers and documents the intent; secrets should not be placed in URLs in any case.
What is Permissions-Policy?
Permissions-Policy (formerly Feature-Policy) controls which browser features and APIs can be used on your site — things like camera, microphone, geolocation, and payment. Restricting these to only what your site needs reduces the attack surface. For example: Permissions-Policy: camera=(), microphone=() disables camera and microphone access entirely.
What grade should my website have?
Aim for at least a B grade, ideally A or A+. An A+ means your site implements all recommended security headers correctly — CSP, HSTS with preloading, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. An A grade indicates strong security with minor gaps. B grades typically mean one or two headers are missing or misconfigured.
How do I add security headers to my website?
For Nginx, add security headers inside a server or location block with add_header directives, using the always flag so they are also sent with error responses. For Apache, use Header set or Header always set in httpd.conf or .htaccess; this needs mod_headers enabled. For Cloudflare, use Transform Rules or the HTTP Response Headers feature. For Next.js, return them from the headers() function in next.config.js. Whichever layer you choose, apply the headers to every response, including redirects and error pages, not only to the home page. After adding headers, re-run this scan to verify they are set correctly.
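When headers cannot be set at the web server or CDN, they can be applied in application code instead. The following is an added example, not code from this page or from any of the servers it names: a WSGI middleware in Python that attaches the Grade A+ header set (plus a matching frame-ancestors directive) to every response and strips Server and X-Powered-By banners. demo_app and run_once are constructed for the demonstration; the only real library used is the standard library's wsgiref.

```python
"""Apply a security-header baseline from application code: a WSGI middleware (added example)."""
from wsgiref.util import setup_testing_defaults

# Header set from the Grade A+ example; frame-ancestors 'none' is sent alongside X-Frame-Options.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]
# Banner headers a framework may add that should not reach the wire.
STRIP = {"server", "x-powered-by"}
_MANAGED = STRIP | {name.lower() for name, _ in SECURITY_HEADERS}


def security_headers(app):
    """Wrap a WSGI app so every response, error pages included, carries the baseline."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            # Drop any app-supplied copies so the baseline cannot be weakened or duplicated.
            kept = [(k, v) for k, v in headers if k.lower() not in _MANAGED]
            return start_response(status, kept + SECURITY_HEADERS, exc_info)
        return app(environ, start)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical app that leaks a framework banner (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Powered-By", "ExampleFramework/1.0")])
    return [b"<h1>hello</h1>"]


def run_once(app, path="/"):
    """Drive one request through the app offline; return (status, headers dict, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, hdrs, body = run_once(security_headers(demo_app))
    print(status)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

Because the middleware replaces rather than appends the managed headers, a route that tries to send its own weaker Content-Security-Policy is overridden; if some pages legitimately need a different CSP, move that header out of _MANAGED and handle it per route.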
