Protego
© 2026 Protego. All rights reserved.


HTTP Header Checker

Analyze HTTP response headers for any URL. Check security headers, caching configuration, CORS settings, and server information.

Essential HTTP Security Headers

These headers protect your website against common web attacks. Our checker verifies all 7 critical security headers.

Content-Security-Policy

The most powerful security header. Controls which resources can load on your page, effectively preventing XSS and data injection attacks. Note that the 'unsafe-inline' keyword in the sample below re-enables inline scripts, which removes most of the XSS protection; prefer nonces or hashes for inline scripts in production.

default-src 'self'; script-src 'self' 'unsafe-inline'

Strict-Transport-Security

Forces HTTPS for all future visits. Once set, browsers will not connect via HTTP for the specified max-age duration.

max-age=31536000; includeSubDomains; preload

X-Frame-Options

Prevents your page from being embedded in iframes on other sites, blocking clickjacking attacks.

DENY

Permissions-Policy

Restricts which browser APIs (camera, microphone, geolocation) the page can access.

camera=(), microphone=(), geolocation=()

How to Add Security Headers

Nginx

add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Apache (.htaccess)

Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Next.js (next.config.js)

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',   // apply to every route
      headers: [
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
      ],
    }]
  },
}

Frequently Asked Questions

What are HTTP response headers?

HTTP response headers are metadata sent by a web server alongside the requested content. They provide instructions to the browser about caching, content type, security policies, encoding, and more. Properly configured headers are critical for both security and performance.

What security headers should every website have?

At minimum, every website should have: Content-Security-Policy (prevents XSS), Strict-Transport-Security (forces HTTPS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), and Referrer-Policy (controls referrer data). Permissions-Policy and X-XSS-Protection are also recommended.

What is Content-Security-Policy (CSP)?

CSP is the most important security header. It tells the browser which sources of content (scripts, styles, images, fonts) are allowed to load on your page. This effectively prevents cross-site scripting (XSS) attacks by blocking unauthorized scripts from executing.

What is HSTS and why is it important?

HSTS (HTTP Strict-Transport-Security) tells browsers to always use HTTPS. Once set with a max-age value, the browser will refuse HTTP connections for that duration. This prevents SSL stripping attacks and protocol downgrade attacks. Use "preload" to be included in browsers' built-in HSTS lists. The preload directive by itself does not enroll a domain: the site must also be submitted to the preload list, which requires a max-age of at least one year and includeSubDomains, and removal from the list is slow, so enable it only once every subdomain serves HTTPS.

How do I check if my security headers are configured correctly?

Use our HTTP Header Checker tool above to scan your website. It checks all 7 critical security headers and shows which are present or missing. You can also check using browser DevTools (Network tab > click request > Headers section).

What is the Permissions-Policy header?

Permissions-Policy (formerly Feature-Policy) controls which browser features and APIs your page can access. For example, you can disable camera, microphone, and geolocation access to prevent malicious scripts from using these features. Syntax: camera=(), microphone=(), geolocation=().
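As an added example (not the site's own checker code), the following Python function applies the checks described on this page to a response header map: presence of the seven headers the FAQ lists, plus value checks for the HSTS max-age, the X-Frame-Options and X-Content-Type-Options values, and the 'unsafe-inline' weakness in CSP. The REQUIRED list, the weakness rules and SAMPLE_HEADERS are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# The seven headers this page calls critical (assumed set, taken from the FAQ answer).
REQUIRED = [
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
    "x-xss-protection",
]


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or -1 when it is absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else -1


def check_security_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'weak': [...]} for a response header map (names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED if h not in lowered]
    weak: List[str] = []
    csp = lowered.get("content-security-policy", "")
    # 'unsafe-inline' re-enables inline scripts, the main vector CSP exists to block.
    if csp and "'unsafe-inline'" in csp.lower():
        weak.append("content-security-policy: 'unsafe-inline' present")
    hsts = lowered.get("strict-transport-security")
    # Durable protection (and preload eligibility) needs max-age of at least one year.
    if hsts is not None and hsts_max_age(hsts) < 31536000:
        weak.append("strict-transport-security: max-age below 31536000")
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        weak.append("x-frame-options: value must be DENY or SAMEORIGIN")
    xcto = lowered.get("x-content-type-options", "").strip().lower()
    if xcto and xcto != "nosniff":
        weak.append("x-content-type-options: value must be nosniff")
    return {"missing": missing, "weak": weak}


# Constructed sample response, modelled on the page's Nginx snippet plus its CSP example.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
}

if __name__ == "__main__":
    print(check_security_headers(SAMPLE_HEADERS))
```

To run it against a live site, pass the header dictionary returned by any HTTP client (for example `dict(response.headers)` from `requests`) instead of SAMPLE_HEADERS.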
