Secure Headers Checker
Check which security headers your site should have and generate them
Result
Security Grade
F
Headers Present: 0 / 8 headers present
Coverage: 0%
Missing Headers
Strict-Transport-Security [Critical] - Forces HTTPS connections, prevents downgrade attacks
X-Frame-Options [High] - Prevents clickjacking by blocking iframing
Content-Security-Policy [Critical] - Prevents XSS, injection, and data theft attacks
X-Content-Type-Options [High] - Prevents MIME-type sniffing attacks
Referrer-Policy [Medium] - Controls referrer information leakage
Permissions-Policy [Medium] - Restricts browser feature access
X-XSS-Protection [Low] - Legacy XSS filter (CSP is preferred)
CORS Headers [Varies] - Controls cross-origin resource sharing
Recommended Values
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
X-XSS-Protection: 0 (use CSP instead)
CORS Headers: Depends on API needs
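As an added example (not the checker's own code), the function below applies the checklist above to a response's headers and reports what is missing or weak. The letter-grade scale, the one-year HSTS floor and detecting CORS through Access-Control-Allow-Origin are assumptions made for this example.

```python
"""Evaluate HTTP response headers against the Secure Headers checklist."""
from typing import Dict, List, Tuple

# Header names and severities as listed on the page. CORS is detected via
# Access-Control-Allow-Origin (assumption) and is never counted as a fault,
# because whether it belongs at all depends on the API.
CHECKLIST = {
    "Strict-Transport-Security": "Critical",
    "Content-Security-Policy": "Critical",
    "X-Frame-Options": "High",
    "X-Content-Type-Options": "High",
    "Referrer-Policy": "Medium",
    "Permissions-Policy": "Medium",
    "X-XSS-Protection": "Low",
    "CORS Headers": "Varies",
}
LOOKUP_NAME = {"CORS Headers": "access-control-allow-origin"}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumption (page recommends 63072000)
GRADES = "ABCDF"  # assumption: one letter lost per missing scored header


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or 0 if absent/malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


def check_headers(headers: Dict[str, str]) -> dict:
    """Report missing and weak headers, coverage in percent and a letter grade."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    missing: List[Tuple[str, str]] = []
    weak: List[Tuple[str, str]] = []
    for name, severity in CHECKLIST.items():
        value = h.get(LOOKUP_NAME.get(name, name.lower()))
        if value is None:
            missing.append((name, severity))
        elif name == "Strict-Transport-Security" and hsts_max_age(value) < MIN_HSTS_MAX_AGE:
            weak.append((name, "max-age below one year"))
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            weak.append((name, "expected nosniff"))
        elif name == "X-XSS-Protection" and value.split(";")[0].strip() != "0":
            weak.append((name, "legacy filter enabled; set 0 and rely on CSP"))
    present = len(CHECKLIST) - len(missing)
    coverage = round(100 * present / len(CHECKLIST))
    scored = [m for m in missing if m[1] != "Varies"]
    grade = GRADES[min(len(scored), 4)]
    if any(sev == "Critical" for _, sev in scored):
        grade = max(grade, "D")  # a missing Critical header caps the grade at D
    return {"grade": grade, "present": present, "coverage": coverage,
            "missing": missing, "weak": weak}
```

Feeding the recommended values from the page (without a CORS header) yields grade A with 7 of 8 present; an empty header set reproduces the F / 0% result shown above.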