AuditCore
HTTP security headers · 10 critical checks

Free security headers checker

Test 10 HTTP security headers against 2026 best practice — HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy and more. Get exact fix code per missing header. No signup.

Free tool · No signup · No credit card · Results in 60 seconds

Why HTTP security headers matter

Most production sites in 2026 still ship without proper security headers — and most of those gaps are exploitable. A missing Content-Security-Policy turns one stored XSS into account takeover. A missing X-Frame-Options enables clickjacking and 1-click phishing. A weak HSTS configuration leaves you vulnerable to first-visit downgrade attacks on hostile networks. The good news: every header below is a single config-line fix in nginx, Caddy, Cloudflare or Next.js middleware.

78% of websites are missing at least 3 critical security headers — based on aggregated OWASP Secure Headers data.

10s: average time it takes our checker to test all 10 headers and return a graded report card.

$0 cost. Free, no signup. The full audit (50+ scanners) is also free for one homepage.

The 10 headers we test

Each is a separate test with its own pass criteria. We don't just check presence — we validate the value against the OWASP recommended profile.

Strict-Transport-Security (HSTS)

Validates max-age (≥1 year), includeSubDomains and preload directives. We also flag sites missing HSTS entirely — those are vulnerable to first-visit MITM downgrade attacks.

critical

Content-Security-Policy (CSP)

Parses your CSP and checks for unsafe-inline/unsafe-eval, missing default-src, wildcard sources and known CSP-bypass gadgets. We don't just say 'present' — we say if it's actually protecting you.

high

X-Frame-Options / frame-ancestors

Either header (or CSP frame-ancestors) protects against clickjacking. Many sites set X-Frame-Options but forget the modern frame-ancestors directive in CSP.

high

Referrer-Policy

Loose policies (no-referrer-when-downgrade, the browser default) leak full URLs, including query strings, to third parties. We recommend strict-origin-when-cross-origin as the minimum.

medium

Permissions-Policy

Replaces deprecated Feature-Policy. Disables camera, microphone, geolocation, payment, USB and 12 other powerful APIs by default.

medium

X-Content-Type-Options: nosniff

Prevents MIME-sniffing attacks. Without it, a PNG upload that contains JavaScript can be executed as a script in some browsers.

medium

Cross-Origin-Opener-Policy (COOP)

Required for cross-origin isolation. Without it, you're vulnerable to side-channel attacks like Spectre and to opener-based phishing.

medium

Cross-Origin-Embedder-Policy (COEP)

Pairs with COOP. Required if you want to use SharedArrayBuffer or measure high-resolution timers safely.

low

Server / X-Powered-By disclosure

Headers like Server: Apache/2.4.41 (Ubuntu) tell attackers exactly what CVEs to throw at you. We flag any version-revealing headers.

low

Cache-Control on sensitive pages

/login, /dashboard, /account pages without Cache-Control: no-store can leak session-scoped HTML to shared caches and proxies.

medium

How the checker works

We make a single HTTPS GET request to the URL you submit, follow up to 3 redirects, and record every response header at each hop. Headers are checked at the FINAL hop — that's the one a real browser will see and trust.

For each header we don't just check existence: we parse the value, validate against the OWASP Secure Headers Project's recommended profile (updated quarterly), and grade it from A (compliant) to F (missing or actively harmful). The total score is calculated as a weighted average — critical-severity headers count more than low-severity ones.
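As an added example (not AuditCore's own code), here is how the per-header validation from the list above and the weighted A-to-F grading described here can be implemented. It grades four of the ten checks (HSTS, CSP, framing, nosniff) over a constructed set of final-hop response headers; the severity weights and the 1-year HSTS threshold follow the page, while the grade-to-points mapping and the exact demotion rules are assumptions.

```python
import re

SAMPLE_HEADERS = {  # constructed sample from a hypothetical final redirect hop, not real data
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed weights
GRADE_POINTS = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}

def grade_hsts(h):
    """A needs max-age >= 1 year, includeSubDomains and preload; each gap lowers the grade."""
    value = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < 31536000:
        return "F" if not value else "D"  # F = header missing, D = max-age too short
    directives = {d.strip().lower() for d in value.split(";")}
    if "includesubdomains" not in directives:
        return "C"
    return "A" if "preload" in directives else "B"

def grade_csp(h):
    """F = missing, D = no default-src, C = unsafe-inline/unsafe-eval/wildcard script sources."""
    policy = {p.split()[0].lower(): [s.lower() for s in p.split()[1:]]
              for p in h.get("content-security-policy", "").split(";") if p.strip()}
    if not policy:
        return "F"
    if "default-src" not in policy:
        return "D"
    script = policy.get("script-src", policy["default-src"])  # script-src inherits default-src
    return "C" if any(s in ("'unsafe-inline'", "'unsafe-eval'", "*") for s in script) else "A"

def grade_framing(h):
    """CSP frame-ancestors is the modern control; X-Frame-Options alone only earns a B."""
    if "frame-ancestors" in h.get("content-security-policy", "").lower():
        return "A"
    return "B" if h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN") else "F"

CHECKS = [  # (name, severity, grader), severities as labelled on the page
    ("HSTS", "critical", grade_hsts),
    ("CSP", "high", grade_csp),
    ("Framing", "high", grade_framing),
    ("nosniff", "medium", lambda h: "A" if h.get("x-content-type-options", "").lower() == "nosniff" else "F"),
]

def score_headers(headers):  # per-check grades plus a 0-100 weighted score, critical counts most
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    grades = {name: fn(h) for name, _, fn in CHECKS}
    earned = sum(SEVERITY_WEIGHT[sev] * GRADE_POINTS[grades[name]] for name, sev, _ in CHECKS)
    return grades, round(100 * earned / (4 * sum(SEVERITY_WEIGHT[sev] for _, sev, _ in CHECKS)))
```

For the constructed sample, `score_headers(SAMPLE_HEADERS)` returns a B for HSTS (no preload), a C for CSP (unsafe-inline), an F for framing and an A for nosniff, which the weighting turns into an overall score of 54.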

The full AuditCore audit goes much further: we also test the same headers under different conditions (logged in vs logged out, with vs without cookies, under different User-Agent strings) to detect inconsistent header policies — a class of misconfigurations free checkers can't see.

FAQ

Frequently asked questions

Is this checker free? Do I need to sign up?

Yes, completely free. No account, no email, no credit card. You paste a URL, get a report, optionally download a PDF.

What URL should I test? Just the homepage?

The homepage is a good start, but security headers can vary per route. We recommend testing your login page, your API endpoints, and any page that handles sensitive data — those are where weak headers hurt the most. The full AuditCore audit (free for one page) tests headers consistently across your whole site.

Why did my site fail X-Powered-By?

If your server or framework is leaking version information (e.g. X-Powered-By: PHP/7.4.0), attackers can map known CVEs directly to your stack. Remove or rewrite that header — in nginx use `more_clear_headers 'X-Powered-By';` (this directive comes from the headers-more module, not stock nginx), in Express use `app.disable('x-powered-by')`.

Is HSTS preloading actually safe to enable?

Preloading commits your domain to HTTPS-only forever — removing it from the preload list takes weeks. Don't preload until you're confident every subdomain serves HTTPS. We flag sites missing the preload directive but only as 'medium' severity for that reason.

I have CSP but it includes unsafe-inline. Is that OK?

It's better than no CSP, but unsafe-inline largely defeats the purpose — it's specifically the directive that lets injected scripts execute. Migrate to nonce- or hash-based inline policies, or move all inline scripts to external files. Our checker flags this as a partial fail.
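The following is an added illustration (not code from the original page or the AuditCore tool) of the migration this answer recommends: it computes a hash source for an exact inline script, mints a per-response nonce, builds a script-src policy without 'unsafe-inline', and evaluates whether a given inline script would execute under a policy using the CSP Level 2/3 rule that 'unsafe-inline' is ignored once a nonce or hash source is present. The script bodies are constructed stand-ins.

```python
import base64
import hashlib
import secrets

# Constructed stand-ins: one legitimate inline script and one injected script (not from the page).
PAGE_SCRIPT = "document.getElementById('year').textContent = new Date().getFullYear();"
INJECTED_SCRIPT = "alert(1)"

def csp_hash_source(script_body):
    """Hash source for one exact inline script: sha256 of its bytes, base64, quoted as CSP expects."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def new_nonce():
    """Per-response nonce: 128 random bits, so an injected tag cannot guess it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_policy(nonce=None, hashes=()):
    """script-src without 'unsafe-inline': inline code runs only with a matching nonce or hash."""
    sources = ["'self'"] + ([f"'nonce-{nonce}'"] if nonce else []) + list(hashes)
    return "default-src 'self'; script-src " + " ".join(sources) + "; frame-ancestors 'none'"

def inline_script_allowed(policy, script_body, tag_nonce=None):
    """Would an inline <script> (optionally carrying a nonce attribute) execute under this policy?"""
    directives = {p.split()[0].lower(): p.split()[1:] for p in policy.split(";") if p.strip()}
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True  # legacy escape hatch: every inline script, injected or not, runs
    if tag_nonce and f"'nonce-{tag_nonce}'" in sources:
        return True
    return csp_hash_source(script_body) in sources  # hash covers only the exact script text
```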

Can I rerun the test after fixing my headers?

Yes, unlimited times. We don't cache results — every check is a live request. We also run no JavaScript and don't store your URL or response body.

Do you check headers on subdomains?

The free tool tests one URL at a time. Run it once per subdomain. If you want a full crawl across your whole site (and 47+ other security checks), the Free Trial covers your homepage and the Starter tier ($29) covers up to 25 pages with unlimited rescans.

What's the difference between this and securityheaders.com?

securityheaders.com is excellent for the basics. AuditCore goes further: we test under multiple conditions (logged in / logged out / different UA), validate CSP for actual XSS-protection (not just presence), check for inconsistencies between routes, and integrate header checks into a wider 50+ scanner audit. We also generate fix code in your stack (nginx, Caddy, Cloudflare Workers, Next.js middleware).

Are HTTP headers all I need to be secure?

No — they're table stakes. They protect against entire CLASSES of attacks (XSS, clickjacking, downgrade) but not against application-level flaws like SQL injection, broken auth, BOLA or business-logic bugs. Our full audit covers all of those.

Run a complete audit, not just one check

The free tool above checks one dimension. Our full audit runs 50+ scanners across security, SEO and AI-readiness in one report. Free Trial gives you the full stack on your homepage — no credit card.