Free Security Headers Checker - CSP, HSTS, X-Frame-Options & More

Security Headers Checker

Analyze your website's security headers for vulnerabilities and compliance with OWASP security best practices.

Security Analysis
Based on OWASP security headers recommendations and industry best practices.
Scores above 80 are good, above 90 are excellent. Aim for 100.
Implementation Guide
# Add to your .htaccess file or Apache configuration
# ================================================
# "Header always set" also applies the header to error responses (4xx/5xx);
# plain "Header set" only covers successful responses.

# Content Security Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"

# Strict Transport Security (only meaningful in the HTTPS virtual host; browsers ignore it over HTTP)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

# X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

# Referrer Policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# X-XSS-Protection (deprecated; "0" switches off the old browser filter, which could itself be abused)
Header always set X-XSS-Protection "0"

# Permissions Policy
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

# Remove server signature and version details
# (ServerTokens is only valid in the main server configuration, not in .htaccess)
ServerSignature Off
ServerTokens Prod
Header unset X-Powered-By
# Add to your server block in nginx.conf
# =====================================
# "always" sends the header on error responses too. Beware: an add_header inside a
# nested location block replaces ALL add_header lines inherited from the server
# block, so repeat the full set there or move it into an include file.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Deprecated header; 0 disables the legacy filter in browsers that still have it
add_header X-XSS-Protection "0" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Hide server version
server_tokens off;
# Using Cloudflare Transform Rules or Page Rules
# ==============================================
// Create a Transform Rule with these headers:
// 1. Go to Rules → Transform Rules
// 2. Create "Modify response header" rule
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 0
Permissions-Policy: camera=(), microphone=(), geolocation=()

// Or use a Cloudflare Worker (module syntax) in front of the origin:
const SECURITY_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-XSS-Protection": "0",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

export default {
  async fetch(request) {
    const response = await fetch(request);
    const newHeaders = new Headers(response.headers);
    for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
      newHeaders.set(name, value); // overrides whatever the origin sent
    }
    newHeaders.delete("X-Powered-By"); // strip version disclosure from the origin
    return new Response(response.body, {
      status: response.status,
      statusText: response.statusText,
      headers: newHeaders,
    });
  },
};
// Add to your theme's functions.php file
// ======================================
function add_security_headers() {
    // WordPress core, wp-admin and most themes rely on inline scripts, so a policy
    // this strict will break them: run it as Content-Security-Policy-Report-Only first.
    header("Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com");
    // Browsers ignore HSTS received over plain HTTP; only send it once the whole site is on HTTPS.
    if (is_ssl()) {
        header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
    }
    header("X-Frame-Options: SAMEORIGIN");
    header("X-Content-Type-Options: nosniff");
    header("Referrer-Policy: strict-origin-when-cross-origin");
    header("X-XSS-Protection: 0"); // deprecated filter; 0 disables it where it still exists
    header("Permissions-Policy: camera=(), microphone=(), geolocation=()");
}
add_action('send_headers', 'add_security_headers');

// OR use a WordPress plugin:
// 1. Security Headers (Free)
// 2. HTTP Headers (Premium)
// 3. Really Simple SSL (Includes security headers)

// Remove WordPress version info
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
// Using Express.js with Helmet middleware (Helmet 4 or later)
// ========================================
const express = require('express');
const helmet = require('helmet');

const app = express();

// Use Helmet with custom configuration
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "https://trusted.cdn.com"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
  frameguard: { action: 'sameorigin' },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
  permittedCrossDomainPolicies: { permittedPolicies: 'none' },
  xssFilter: true,   // Helmet 4+ sends X-XSS-Protection: 0, disabling the deprecated filter
  noSniff: true,
  hidePoweredBy: true,
}));

// Additional custom headers (Helmet does not set Permissions-Policy)
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
  next();
});

app.listen(3000, () => {
  console.log('Server running with security headers');
});
Security Best Practices
Regular Testing
Test your security headers monthly and after every deployment. Use automated monitoring tools.
HSTS Preload List
Submit your domain to the HSTS preload list (hstspreload.org) so browsers use HTTPS even on the very first visit, before they have ever seen the header. Preloading requires a max-age of at least one year, includeSubDomains and the preload token, and every subdomain must already work over HTTPS; removal from the list takes months to reach users, so treat it as permanent.
CSP Reporting
Enable CSP reporting so violations reach you instead of silently breaking pages: add report-uri /csp-report-endpoint (deprecated but still the most widely supported directive) and, for newer browsers, report-to with a matching Reporting-Endpoints header. Expect noise from browser extensions and filter it before acting on reports.
Mobile Apps
Native mobile clients do not enforce CSP or X-Frame-Options, but the APIs behind them still need HSTS, X-Content-Type-Options and a deliberate CORS configuration: allow only known origins rather than a wildcard, and never reflect an arbitrary Origin value back together with Access-Control-Allow-Credentials: true.

Why Security Headers Are Critical for Web Security

Security headers are HTTP response headers that instruct browsers how to behave when handling your website's content. They provide an additional layer of protection against common web vulnerabilities like Cross-Site Scripting (XSS), clickjacking, MIME sniffing attacks, and data leakage.

Missing or weak security headers are among the most frequent findings in web application audits and penetration tests, and they are cheap to fix: OWASP maintains recommended values for each header in its Secure Headers Project, and the checks on this page follow those recommendations.

Detailed Analysis of Each Security Header

1. Content-Security-Policy (CSP) - The Most Important Header

Purpose: Prevents Cross-Site Scripting (XSS) and data injection attacks by specifying which content sources are trusted.

Implementation Levels:

  1. Report-only: deploy Content-Security-Policy-Report-Only with a report-uri or report-to directive and change nothing else; collect violations.
  2. Allowlist policy: default-src 'self' plus the specific hosts the violation reports show are needed, with object-src 'none' and base-uri 'self'.
  3. Strict policy: replace host allowlists for scripts with per-response nonces or hashes, add 'strict-dynamic' for bundled loaders, and switch to the enforcing header.

Common Mistakes: allowing 'unsafe-inline' or 'unsafe-eval' for scripts without a documented reason (a nonce or hash makes 'unsafe-inline' unnecessary), wildcard or bare scheme sources such as https: in script-src, leaving out object-src and base-uri, deploying without report-uri or report-to, and the opposite failure of a policy so strict it breaks the site because it never went through report-only mode.

2. Strict-Transport-Security (HSTS) - HTTPS Enforcement

Purpose: Tells browsers that, for max-age seconds after they first see the header over HTTPS, every request to the host (and optionally its subdomains) must be upgraded to HTTPS and certificate errors cannot be clicked through. This defeats SSL stripping and protocol downgrade attacks on later visits; the very first visit is protected only if the domain is preloaded.

Optimal Configuration:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Parameters Explained:

  max-age=31536000: seconds the browser remembers the policy (one year; the preload list requires at least this).
  includeSubDomains: apply the rule to every subdomain as well, which also protects cookies scoped to the parent domain.
  preload: signals consent to be hard-coded into browsers' preload lists; it does nothing until the domain is submitted at hstspreload.org.

Warning: Browsers keep the policy for the full max-age, and a preloaded domain stays in shipped browser builds for months after removal, so any subdomain that cannot serve HTTPS becomes unreachable. Start with a short max-age (for example 300) for testing and raise it only after every host works over HTTPS.

3. X-Frame-Options - Clickjacking Protection

Purpose: Prevents your site from being loaded in frames, which protects against clickjacking attacks.

Options:

  DENY: the page may not be framed by anyone, including its own origin.
  SAMEORIGIN: only pages from the same origin may frame it.
  ALLOW-FROM uri: obsolete and ignored by current browsers; do not rely on it.

Modern Alternative: the CSP frame-ancestors directive, which can name specific origins (for example frame-ancestors 'self' https://partner.example) and takes precedence over X-Frame-Options in browsers that support it.

4. X-Content-Type-Options - MIME Sniffing Prevention

Purpose: Prevents browsers from MIME-sniffing a response away from the declared content-type.

Simple but Critical: set it to nosniff. Without it a browser may guess the type of a response and treat, for example, a user-uploaded file served as text/plain or image/png as JavaScript or HTML; with it the declared Content-Type is final, which also lets the browser refuse cross-origin script and style loads whose type does not match.

5. Referrer-Policy - Privacy Protection

Purpose: Controls how much referrer information is sent with requests.

Recommended Policy: strict-origin-when-cross-origin

6. Permissions-Policy (formerly Feature-Policy)

Purpose: Controls which browser features and APIs can be used.

Example: camera=(), microphone=(), geolocation=() disables these features by default unless explicitly allowed.

Security Headers Scoring Methodology

Our scoring system (0-100) is based on OWASP recommendations and industry best practices:

Header                      Weight   Points   Description
Content-Security-Policy     25%      0-25     Critical for XSS protection
Strict-Transport-Security   20%      0-20     Essential for HTTPS enforcement
X-Frame-Options             15%      0-15     Clickjacking prevention
X-Content-Type-Options      10%      0-10     MIME sniffing prevention
Referrer-Policy             10%      0-10     Privacy protection
Other Headers               20%      0-20     X-XSS-Protection, Permissions-Policy, etc.
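The Python script below is an added worked example of the scoring table above; it is not the checker's own code, and only the weights in the table come from this page. It parses the Content-Security-Policy and Strict-Transport-Security values (so it also exercises the CSP and HSTS sections earlier on the page), awards partial credit within each header's range, applies the X-Frame-Options/frame-ancestors consistency check the FAQ recommends, and lists findings per header. Two things are this example's assumptions: the individual deductions inside each range, and how the 20-point "Other Headers" bucket is split (Permissions-Policy 10, X-XSS-Protection set to 0 or absent 5, no version disclosure in Server/X-Powered-By/X-AspNet-Version 5). GOOD and WEAK are constructed header sets, not captures from any real site.

```python
import re

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def parse_csp(value):  # "default-src 'self'; script-src a b" -> {"default-src": ["'self'"], "script-src": ["a", "b"]}
    policy = {}
    for directive in (value or "").split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def apply_checks(start, checks):
    """checks: (deduction, failed, message). Returns (points floored at 0, messages of failed checks)."""
    failed = [(deduction, msg) for deduction, cond, msg in checks if cond]
    return max(start - sum(d for d, _ in failed), 0), [msg for _, msg in failed]

def analyze_csp(value):  # 0-25 points; deductions mirror the common CSP mistakes described on this page
    if not value:
        return 0, ["Content-Security-Policy missing"]
    policy = parse_csp(value)
    scripts = policy.get("script-src", policy.get("default-src", []))
    points, findings = apply_checks(25, [
        (5, "default-src" not in policy, "no default-src fallback"),
        (10, "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts),
         "script-src allows 'unsafe-inline' with no nonce or hash"),
        (5, "'unsafe-eval'" in scripts, "script-src allows 'unsafe-eval'"),
        (5, any(s in ("*", "https:", "http:", "data:") for s in scripts), "script-src allows a wildcard or bare scheme"),
        (3, "object-src" not in policy and "'none'" not in policy.get("default-src", []), "object-src not restricted"),
        (2, "base-uri" not in policy, "base-uri not restricted"),
    ])
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("warning: no report-uri/report-to, so violations go unseen")
    return points, findings

def analyze_hsts(value):  # 0-20 points; partial credit for a short max-age during rollout
    match = re.search(r"max-age\s*=\s*(\d+)", value or "", re.I)
    if not match:
        return 0, ["Strict-Transport-Security missing or without max-age (browsers ignore it)"]
    max_age, tokens = int(match.group(1)), {t.strip().lower() for t in value.split(";")}
    if max_age == 0:
        return 0, ["max-age=0 clears HSTS; only correct during a deliberate rollback"]
    return apply_checks(20, [
        (8, max_age < ONE_YEAR, f"max-age={max_age} is below one year (31536000)"),
        (4, "includesubdomains" not in tokens, "includeSubDomains missing"),
        (2, "preload" not in tokens, "preload missing"),
    ])

def analyze_framing(xfo, policy):  # 0-15 points; frame-ancestors is the modern equivalent and wins when both exist
    xfo, ancestors = (xfo or "").strip().upper(), policy.get("frame-ancestors")
    if xfo in ("DENY", "SAMEORIGIN"):
        expected = "'none'" if xfo == "DENY" else "'self'"
        mismatch = ancestors is not None and ancestors != [expected]
        return 15, [f"X-Frame-Options {xfo} disagrees with frame-ancestors {' '.join(ancestors)}; browsers apply the CSP"] if mismatch else []
    if ancestors is not None:
        return 15, ["frame-ancestors only; add X-Frame-Options for older browsers"]
    return 0, ["no clickjacking protection (X-Frame-Options or frame-ancestors)"]

def analyze_other(h):  # assumed split of the 20-point bucket: Permissions-Policy 10, X-XSS-Protection 5, no version leak 5
    leaks = [n for n in ("x-powered-by", "x-aspnet-version") if h.get(n)]
    if re.search(r"\d", h.get("server", "")):  # "Server: Apache" is fine, "Apache/2.4.41" is not
        leaks.append("server")
    return apply_checks(20, [
        (10, not h.get("permissions-policy"), "Permissions-Policy missing"),
        (5, not (h.get("x-xss-protection") or "0").strip().startswith("0"), "X-XSS-Protection should be 0; the legacy filter is deprecated"),
        (5, bool(leaks), "version disclosure in " + ", ".join(leaks)),
    ])

def score_headers(headers):  # headers: name -> value (any case); returns {"score": 0-100, "checks": {name: (points, findings)}}
    h = {k.lower(): v for k, v in headers.items()}
    referrer = (h.get("referrer-policy") or "").split(",")[-1].strip().lower()  # the last listed policy wins
    checks = {
        "Content-Security-Policy": analyze_csp(h.get("content-security-policy")),
        "Strict-Transport-Security": analyze_hsts(h.get("strict-transport-security")),
        "X-Frame-Options": analyze_framing(h.get("x-frame-options"), parse_csp(h.get("content-security-policy"))),
        "X-Content-Type-Options": (10, []) if (h.get("x-content-type-options") or "").strip().lower() == "nosniff"
        else (0, ["X-Content-Type-Options: nosniff missing"]),
        "Referrer-Policy": (0, ["Referrer-Policy missing"]) if not referrer else (10, []) if referrer in SAFE_REFERRER
        else (5, [f"Referrer-Policy {referrer} leaks full URLs cross-origin"]),
        "Other Headers": analyze_other(h),
    }
    return {"score": sum(points for points, _ in checks.values()), "checks": checks}

GOOD = {  # constructed sample, not a real site
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri /csp-report-endpoint",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {  # constructed sample, not a real site
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
}
```

score_headers(GOOD) returns a score of 100 with no findings, and score_headers(WEAK) returns 26 with a finding for every deduction. A response with no headers at all still scores 10, because the absence of version disclosure and of the legacy X-XSS filter both earn credit, which is a reminder that a score is only useful together with its findings.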

Common Security Header Implementation Issues

1. CSP Breaking Website Functionality

Problem: Overly restrictive CSP blocks legitimate scripts, styles, fonts or third-party widgets, and the breakage is invisible on the server.

Solution: Deploy the policy in report-only mode first (Content-Security-Policy-Report-Only with report-uri or report-to), watch the violation reports and the browser console, fix or allowlist what is legitimate, then switch to the enforcing Content-Security-Policy header. Both headers may be sent at once, so a stricter candidate policy can be tested in report-only mode while the current one is enforced.

2. HSTS Configuration Errors

Problem: Sending HSTS before the whole site (and, with includeSubDomains, every subdomain) serves valid HTTPS, or choosing a max-age that is either too short to matter or too long to recover from. Browsers ignore HSTS received over plain HTTP, so the header cannot make an HTTP-only site safe.

Solution: Deploy HTTPS everywhere first and redirect HTTP to HTTPS. Then send HSTS with max-age=300 (5 minutes) while testing and raise it to 31536000 (1 year) once nothing breaks; only then consider the preload list.

3. Missing Subdomain Coverage

Problem: HSTS without includeSubDomains leaves subdomains open to stripping (and to cookie injection against the parent domain), and a CSP deployed on the main host does not cover applications served from other subdomains.

Solution: Add includeSubDomains to HSTS once every subdomain works over HTTPS, and configure the security headers on each host and application separately, because CSP and the other headers apply per response, not per domain. Test every subdomain.

4. Server Information Disclosure

Problem: Server, X-Powered-By and X-AspNet-Version headers reveal software and exact versions, which lets an attacker match known vulnerabilities without probing.

Solution: Remove them (ServerTokens Prod in Apache, server_tokens off in nginx, expose_php = Off in php.ini). Hiding a version does not fix an outdated server; patching does.

Industry Compliance Standards

Proper security headers implementation helps meet various compliance requirements:

PCI DSS
Requirement 6.5: Address common coding vulnerabilities
GDPR
Data protection by design and by default
ISO 27001
Information security controls
NIST CSF
Protect function (PR.AC-3)

Frequently Asked Questions (FAQ)

What is the difference between security headers and SSL/TLS certificates?

TLS (still commonly called SSL) encrypts and authenticates the connection between browser and server: the certificate proves the server's identity, the protocol does the encryption. Security headers control browser behaviour on top of that connection. They work together: HSTS makes the browser insist on TLS, and CSP, X-Frame-Options and the rest stop attacks such as XSS and clickjacking that work just as well over an encrypted connection.

Can security headers be bypassed or exploited?

While security headers significantly improve security, they are not foolproof. Attackers can sometimes bypass weak CSP configurations or exploit misconfigurations. However, properly configured security headers make attacks much more difficult and are considered essential for web application security.

Should I use both X-Frame-Options and CSP frame-ancestors?

Yes, for maximum compatibility. Modern browsers that support CSP will use frame-ancestors and ignore X-Frame-Options. Older browsers will use X-Frame-Options. Set both with consistent policies: X-Frame-Options: SAMEORIGIN and frame-ancestors 'self' in CSP.

How do I test if my CSP is working correctly?

Use multiple methods:

  1. Deploy CSP in report-only mode first
  2. Monitor browser console for violations
  3. Use CSP evaluator tools online
  4. Test with different browsers
  5. Check CSP violation reports if report-uri is configured
Fix all violations before switching to enforcement mode.
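As an added example (not the page's or any tool's code) for the report-uri/report-to endpoint mentioned under CSP Reporting and in step 5 above, the Python script below takes the JSON bodies such an endpoint receives, accepts both the older report-uri shape ({"csp-report": {...}}) and the Reporting API shape ({"type": "csp-violation", "body": {...}}), drops browser-extension noise, and aggregates the remaining violations into the policy change each one implies. SAMPLE_BODIES are constructed reports; shop.example, cdn.example.net and tracker.example.org are placeholder hosts.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-web-extension", "ms-browser-extension"}

def normalize(report):
    """Return {directive, blocked, document, disposition} for either report shape, else None."""
    if "csp-report" in report:  # report-uri body: one object per POST
        r = report["csp-report"]
        # Older browsers send only violated-directive ("style-src 'self'"); keep just its name.
        directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
        return {"directive": directive, "blocked": r.get("blocked-uri", ""),
                "document": r.get("document-uri", ""), "disposition": r.get("disposition", "enforce")}
    if report.get("type") == "csp-violation":  # Reporting API entry (report-to)
        b = report.get("body", {})
        return {"directive": b.get("effectiveDirective", ""), "blocked": b.get("blockedURL", ""),
                "document": b.get("documentURL", ""), "disposition": b.get("disposition", "enforce")}
    return None

def source_expression(blocked):
    """Collapse a blocked URL to the CSP source expression you would consider adding."""
    if blocked in ("inline", "eval", "wasm-eval", "data", "blob", ""):
        return blocked or "(empty)"
    parts = urlsplit(blocked)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked

def is_noise(violation):
    """Scripts injected by browser extensions are not the site's problem and must not shape the policy."""
    return urlsplit(violation["blocked"]).scheme in EXTENSION_SCHEMES

def summarize(reports):
    """Counter of (directive, source expression) -> number of reports, noise removed."""
    counts = Counter()
    for raw in reports:
        violation = normalize(raw)
        if violation and not is_noise(violation):
            counts[(violation["directive"], source_expression(violation["blocked"]))] += 1
    return counts

def recommendations(counts):
    """One line per (directive, source); inline/eval violations get a nonce or hash, never 'unsafe-*'."""
    by_directive = defaultdict(list)
    for (directive, source), n in sorted(counts.items(), key=lambda item: -item[1]):
        by_directive[directive].append((source, n))
    lines = []
    for directive, sources in sorted(by_directive.items()):
        for source, n in sources:
            if source in ("inline", "eval"):
                lines.append(f"{directive}: {n} {source} violation(s); move the code to a file or add a nonce/hash, do not add 'unsafe-{source}'")
            else:
                lines.append(f"{directive}: allow {source} only if it is really yours ({n} report(s))")
    return lines

def load_reports(bodies):
    """Parse POST bodies: report-uri sends one JSON object, the Reporting API a JSON array."""
    reports = []
    for body in bodies:
        parsed = json.loads(body)
        reports.extend(parsed if isinstance(parsed, list) else [parsed])
    return reports

# Constructed sample bodies (not real traffic); hosts are placeholders.
SAMPLE_BODIES = [
    '{"csp-report": {"document-uri": "https://shop.example/cart", "effective-directive": "script-src-elem", "violated-directive": "script-src", "blocked-uri": "https://cdn.example.net/widget.js", "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "script-src-elem", "violated-directive": "script-src", "blocked-uri": "https://cdn.example.net/widget.js", "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src-elem", "blocked-uri": "inline", "line-number": 12, "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "style-src \'self\'", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src-elem", "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js"}}',
    '[{"type": "csp-violation", "age": 10, "url": "https://shop.example/", "body": {"documentURL": "https://shop.example/", "effectiveDirective": "img-src", "blockedURL": "https://tracker.example.org/pixel.gif", "disposition": "enforce"}}]',
]

if __name__ == "__main__":
    for line in recommendations(summarize(load_reports(SAMPLE_BODIES))):
        print(line)
```

On the sample input the extension injection is discarded, the two widget.js reports collapse into one candidate source (https://cdn.example.net under script-src-elem), and the two inline violations are called out as candidates for a nonce or hash rather than for 'unsafe-inline'.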