
Free Security Headers Analyzer

Analyze your HTTP security headers and get recommendations to improve protection

Content Security Policy

Prevent XSS and data injection by controlling which resources can be loaded.

HSTS

Tell browsers to reach your site over HTTPS only, so that later visits cannot be downgraded to plain HTTP (SSL stripping).

X-Frame-Options

Protect against clickjacking by controlling whether your site can be embedded in a frame.

Copy-Paste Fixes

Get ready-to-use configuration snippets for Nginx, Apache, and Express.js.

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are directives sent by web servers to browsers that help protect against common attacks like XSS, clickjacking, and man-in-the-middle attacks. Key headers include Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.

How do I add security headers to my website?

Security headers are configured in your web server (Nginx, Apache) or application framework (Express, Django). Our analyzer provides copy-paste code snippets for each platform. For Nginx, add headers in your server block. For Apache, use Header directives. For Express, use the helmet middleware. Headers set at the web server apply to every response it serves, including static files and error pages; middleware in the application only covers responses the application itself generates, so check both paths with the analyzer.

What is a good security headers grade?

An A+ grade means all critical security headers are present with sound values. We recommend at minimum implementing HSTS, X-Frame-Options, X-Content-Type-Options, and a basic Content-Security-Policy. Most websites can achieve an A grade with 15-30 minutes of configuration. The grade reflects the headers alone: it does not mean the application is free of XSS or other bugs, only that the browser-side defenses against them are switched on.

What is Content-Security-Policy (CSP)?

CSP is a security header that controls which resources can be loaded on your page. It mitigates XSS by specifying trusted sources for scripts, styles, images, and other content, so injected script from any other origin is refused by the browser. While CSP can be complex to configure, it's one of the most effective defenses against XSS. A policy whose script-src allows 'unsafe-inline' without nonces or hashes, or lists a wildcard, gives little XSS protection, so the analyzer looks at the directives and not just whether the header exists. Roll a new policy out with Content-Security-Policy-Report-Only first to see what it would block before enforcing it.
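To show concretely what a grader like the one described under "What is a good security headers grade?" checks, and how a CSP string is taken apart into directives and source lists as described above, here is an added example of a small header grader with its own CSP parser. It is illustration, not the analyzer's actual rubric: the five checks, the one-year HSTS threshold, the letter scale and the two sample header sets are all this example's assumptions.

```javascript
'use strict';
// Added example: grade a set of HTTP response headers and parse the CSP.
// Scoring rules and sample inputs are assumptions for illustration only.

const ONE_YEAR = 31536000;

// Parse a Content-Security-Policy value into { directive: [sources...] }.
// Directives are separated by ';'; the first token is the (case-insensitive)
// directive name and the remaining tokens are its source expressions.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive and keep the first one.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Weaknesses in a parsed CSP that let injected script run anyway.
function cspFindings(directives) {
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const scriptSrc = directives['script-src'] || directives['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src, scripts are unrestricted');
    return findings;
  }
  const src = scriptSrc.map((s) => s.toLowerCase());
  const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' is ignored by CSP3 browsers once a nonce or hash is
  // present, so it only counts as a weakness without one.
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline' without nonces or hashes");
  }
  if (src.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (src.includes('*') || src.some((s) => /^(https?:|data:)$/.test(s))) {
    findings.push('script-src contains a wildcard or bare scheme source');
  }
  if (!directives['object-src'] && !directives['default-src']) {
    findings.push('no object-src, plugin content is unrestricted');
  }
  return findings;
}

// Grade a header map (names are matched case-insensitively).
// Returns { grade, score, findings }; one point per passed check.
function gradeHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];
  let score = 0;

  // 1. HSTS present with a max-age of at least one year.
  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (maxAge && Number(maxAge[1]) >= ONE_YEAR) score += 1;
  else findings.push(hsts ? 'HSTS max-age is below one year' : 'missing Strict-Transport-Security');

  // 2. Framing controlled by X-Frame-Options or CSP frame-ancestors.
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN' || (csp && csp['frame-ancestors'])) score += 1;
  else findings.push('no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors');

  // 3. MIME sniffing disabled.
  if ((h['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff') score += 1;
  else findings.push('missing X-Content-Type-Options: nosniff');

  // 4. Referrer-Policy set to anything other than the leakiest value.
  const referrer = (h['referrer-policy'] || '').trim().toLowerCase();
  if (referrer && referrer !== 'unsafe-url') score += 1;
  else findings.push('missing or unsafe Referrer-Policy');

  // 5. CSP present and free of script-src weaknesses.
  if (!csp) findings.push('missing Content-Security-Policy');
  else {
    const weak = cspFindings(csp);
    if (weak.length === 0) score += 1;
    else findings.push(...weak.map((f) => 'CSP: ' + f));
  }

  const scale = ['F', 'D', 'C', 'B', 'A', 'A+'];
  return { grade: scale[score], score, findings };
}

// Constructed sample header sets (not captured from any real site).
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src *; script-src * 'unsafe-inline'",
  'X-Frame-Options': 'ALLOWALL',
};
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log('weak:', gradeHeaders(WEAK_HEADERS));
console.log('hardened:', gradeHeaders(HARDENED_HEADERS));
```

The weak set grades F with six findings even though three of the five headers are present, because a short HSTS max-age, a non-standard X-Frame-Options value and a wildcard script-src with 'unsafe-inline' each fail their check; the hardened set grades A+ with no findings, and passes the framing check through frame-ancestors alone.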