HTTP Security Headers
Analyze the security headers a website sends.
HTTP security headers tell the browser how to protect your users against attacks like clickjacking, XSS or content sniffing. This tool fetches the site and checks which security headers are present, showing their value and a score.
Security headers FAQ
HSTS (Strict-Transport-Security) forces the browser to always connect to your domain over HTTPS, preventing attacks that try to downgrade the connection to HTTP. It's one of the most important security headers.
CSP (Content-Security-Policy) defines which origins a site can load resources from (scripts, styles, images...). When well configured, it's the strongest defense against XSS attacks, since it blocks the execution of unauthorized code.
X-Frame-Options prevents your site from being loaded inside an iframe on another site, protecting against clickjacking (tricking the user into clicking something they can't see). Today the same protection can also be achieved with CSP's frame-ancestors directive.
Security headers alone do not make a site secure: they are an important layer of defense in depth, but real security also depends on the code, authentication, dependencies and server configuration. This tool only evaluates the response headers.
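The kind of check described above, as an added example (not this tool's own code): a small Python auditor that looks past mere presence and inspects the values of the HSTS, CSP, framing and content-sniffing headers. The function names, the one-point-per-check scoring and the sample header sets are assumptions constructed for illustration.

```python
import re

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """Return (score, findings) for a dict of response headers (score 0-4)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    score, findings = 0, []
    # HSTS only protects with a non-zero max-age (max-age=0 clears the policy).
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) > 0:
        score += 1
    else:
        findings.append("HSTS missing or max-age=0")
    # CSP: scripts are governed by script-src, falling back to default-src.
    csp = parse_csp(h.get("content-security-policy", ""))
    src = csp.get("script-src", csp.get("default-src"))
    if src is None:
        findings.append("CSP missing or does not restrict scripts")
    else:
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        pinned = any(s.startswith(("'nonce-", "'sha")) for s in src)
        if "*" in src or ("'unsafe-inline'" in src and not pinned):
            findings.append("CSP allows inline or any-origin scripts")
        else:
            score += 1
    # Framing: frame-ancestors does not fall back to default-src.
    fa = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    if (fa is not None and "*" not in fa) or xfo in ("DENY", "SAMEORIGIN"):
        score += 1
    else:
        findings.append("No framing restriction (clickjacking)")
    # Content sniffing: the only defined value is nosniff.
    if h.get("x-content-type-options", "").lower() == "nosniff":
        score += 1
    else:
        findings.append("X-Content-Type-Options is not nosniff")
    return score, findings

# Constructed sample responses (not captured from any real site).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff"}
WEAK = {"Strict-Transport-Security": "max-age=0",
        "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "ALLOWALL"}
```

The WEAK sample sends three of the four headers yet scores zero, which is why a presence-only check overstates a site's protection.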