
Security Headers Checker

Analyze HTTP security headers, server configuration, and redirect chain for any URL. Get a security score with actionable recommendations.

Last updated: March 2026

What this security headers checker tests

A security headers checker catches the easiest exploits to prevent, and the ones sites forget most often. No HSTS? Users can be downgraded to HTTP. No CSP? You're wide open to XSS. No X-Frame-Options? Your pages can be embedded in phishing iframes.

The checker sends a HEAD request and audits 10 security headers, each weighted by real-world impact. CSP and HSTS count the most because they block the most common attack vectors. You also get server info, detected technologies, and a 0-100 security score with specific fix recommendations for every missing header.

What are security headers and why they matter

Security headers are HTTP response headers that tell the browser how to handle your site's content safely. They enforce HTTPS, block cross-origin framing, control script sources, and set referrer policy. Unlike most SEO issues, missing security headers don't slow your site down or hurt rankings directly. What they hurt is user trust and your audit scores with any security scanner.

Most common security header mistakes

The same gaps show up on most sites I audit. HSTS set without a long max-age or without includeSubDomains, which voids most of its protection. A CSP that allows 'unsafe-inline' for scripts, which defeats the whole point of having a CSP. X-Content-Type-Options missing entirely, leaving MIME sniffing wide open. And the most common: no Content-Security-Policy at all because "it broke the site" and nobody went back to fix it properly.

OWASP recommendations for HTTP security headers

OWASP is the authoritative source for HTTP security header guidance. The OWASP Secure Headers Project maintains a reference list with recommended values for each header. The top five that almost every site should set: Strict-Transport-Security with a max-age of at least a year, Content-Security-Policy with a strict source whitelist, X-Content-Type-Options: nosniff, X-Frame-Options: DENY or SAMEORIGIN, and Referrer-Policy: strict-origin-when-cross-origin. Set those five correctly and you've covered the majority of what OWASP actually asks for. Everything else is optional fine-tuning.
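As an added example (not the checker's own code; its real weighting is not published), the following Python audit applies the rules above to a set of response headers: it flags an HSTS max-age under a year or without includeSubDomains, a script-src that allows 'unsafe-inline' (falling back to default-src, as browsers do), and the three remaining OWASP headers. The weights and the sample headers are constructed for illustration.

```python
import re

# Hypothetical weights for the five headers named above; the real tool's
# weighting is not published, so these numbers are an assumption.
WEIGHTS = {"strict-transport-security": 30, "content-security-policy": 30,
           "x-content-type-options": 15, "x-frame-options": 15, "referrer-policy": 10}
ONE_YEAR = 31536000  # OWASP's minimum HSTS max-age, in seconds

def script_sources(csp):
    """Return the script-src source list of a CSP, falling back to default-src."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))

def audit_headers(headers):
    """Score a dict of response headers (names case-insensitive); return (score, findings)."""
    h = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []

    def check(ok, key, problem):
        nonlocal score
        if ok:
            score += WEIGHTS[key]
        else:
            findings.append(problem)

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    max_age = int(m.group(1)) if m else 0
    check(max_age >= ONE_YEAR and "includesubdomains" in hsts.lower(), "strict-transport-security",
          f"HSTS missing or weak: max-age={max_age}, header='{hsts}'")
    csp = h.get("content-security-policy")
    check(csp is not None and "'unsafe-inline'" not in script_sources(csp), "content-security-policy",
          "CSP missing or allows 'unsafe-inline' scripts, which defeats its XSS protection")
    check(h.get("x-content-type-options", "").lower() == "nosniff", "x-content-type-options",
          "X-Content-Type-Options: nosniff missing; MIME sniffing allowed")
    check(h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"), "x-frame-options",
          "X-Frame-Options missing or not DENY/SAMEORIGIN")
    check(h.get("referrer-policy", "").lower() == "strict-origin-when-cross-origin", "referrer-policy",
          "Referrer-Policy is not strict-origin-when-cross-origin")
    return score, findings

# Constructed response headers showing the common mistakes described above:
# short HSTS max-age, no includeSubDomains, 'unsafe-inline' scripts, no nosniff.
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=86400",
               "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
               "X-Frame-Options": "SAMEORIGIN"}
```

Calling `audit_headers(SAMPLE_WEAK)` returns a score of 15 with four findings; only the X-Frame-Options check passes.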

FAQ

What is HSTS?
HTTP Strict Transport Security tells browsers to only connect via HTTPS. Without it, users could be redirected to an insecure HTTP version of your site.

What is Content-Security-Policy?
CSP controls which resources (scripts, styles, images) can be loaded on your page. It is the most important defense against XSS attacks.

What score should I aim for?
A score of 80+ is good. 90+ is excellent. Focus on HSTS, CSP, and X-Content-Type-Options first. These provide the biggest security improvements.

Do security headers affect SEO?
Indirectly, yes. Google considers HTTPS a ranking signal, and HSTS enforces HTTPS. Sites flagged as insecure by browsers also see higher bounce rates, which can hurt rankings. Strong security headers build user trust and protect your site's reputation.

What is the most important security header?
Content-Security-Policy (CSP) is widely considered the most important because it prevents cross-site scripting (XSS) attacks. HSTS is a close second as it forces secure HTTPS connections.