Security Check

Free HTTP Security Headers Check

Check your website's HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy) and get a Mozilla Observatory-equivalent grade with specific recommendations.


What's Checked

  • Mozilla Observatory equivalent grade
  • Content-Security-Policy presence and strength
  • Strict-Transport-Security header check
  • X-Frame-Options / frame-ancestors check
  • X-Content-Type-Options check
  • Referrer-Policy assessment
  • Permissions-Policy check
  • Per-header remediation guidance

Common Questions

What are HTTP security headers?
HTTP security headers are instructions your web server sends to browsers alongside page content. They control what scripts can run, whether the page can be embedded in iframes, whether to enforce HTTPS, and how much information to share in the Referer header. They protect against XSS, clickjacking, SSL stripping, and data leakage.

Which security header is most important?
HSTS (Strict-Transport-Security) is the most universally impactful: it prevents SSL stripping attacks. Content-Security-Policy is the most powerful XSS defence but also the most complex to implement. Start with HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy; these are quick to add and high impact.

Will adding security headers break my website?
HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are safe to add without impacting functionality for most sites. Content-Security-Policy is more complex, so use CSP report-only mode to identify issues before enforcing. HSTS with includeSubDomains requires all subdomains to support HTTPS first.
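
The checks discussed in the answers above can be run over a captured set of response headers. The sketch below is an added example, not VP Shield's or Mozilla Observatory's code, and it does not compute a grade; `audit_headers`, its result keys and the `SAMPLE` headers are hypothetical names and constructed data.

```python
import re

def audit_headers(raw_headers):
    """Return {check: (ok, note)} for the headers of one HTTPS response."""
    h = {k.strip().lower(): v.strip() for k, v in raw_headers.items()}
    out = {}

    # HSTS needs a positive max-age; includeSubDomains commits every subdomain.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if m and int(m.group(1)) > 0:
        sub = "includesubdomains" in hsts.lower()
        out["hsts"] = (True, "covers all subdomains" if sub else "this host only")
    else:
        out["hsts"] = (False, "missing or max-age=0")

    # Split the enforced CSP into {directive: [values]}; first occurrence wins.
    csp = h.get("content-security-policy", "")
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    if csp:
        out["csp"] = (True, "enforced")
    elif "content-security-policy-report-only" in h:
        out["csp"] = (False, "report-only: violations are logged, nothing is blocked")
    else:
        out["csp"] = (False, "missing")

    # Framing is restricted by X-Frame-Options or an enforced frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    fa = directives.get("frame-ancestors", ["*"])
    ok = xfo in ("DENY", "SAMEORIGIN") or "*" not in fa
    out["framing"] = (ok, "restricted" if ok else "any site can frame this page")

    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    out["nosniff"] = (nosniff, "set" if nosniff else "missing or not 'nosniff'")
    # Referrer-Policy may list fallbacks; this sketch judges the last entry.
    rp = h.get("referrer-policy", "").lower().split(",")[-1].strip()
    out["referrer"] = (bool(rp) and rp != "unsafe-url", rp or "missing")
    out["permissions"] = ("permissions-policy" in h, "presence check only")
    return out

SAMPLE = {  # constructed sample headers, not taken from a real site
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy-Report-Only": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
}
```

On the sample, the framing check fails even though `frame-ancestors 'none'` is present, because a report-only policy is never enforced by the browser.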

Run a free domain security scan

VP Shield checks DNS, TLS, email authentication, security headers, and subdomain takeover risk for any domain. Free, no login, two minutes.