
HTTP security headers

Check a website’s most important HTTP security headers. These headers help improve browser security, reduce browser-side risks and protect the site against common web security issues.

The check is performed against https://domain/. Enter only the domain, for example domain.com, without the https:// prefix.

Guide · HTTP security headers

What does this HTTP security headers check do?

The HTTP security headers check shows whether a website returns important browser security headers in its HTTPS response. These headers can tell browsers to use HTTPS, restrict where page resources may be loaded from, prevent content type sniffing and reduce risks related to frame embedding.

The check looks at the site’s HTTPS response and shows which checked headers were found, what values they contain and which settings should be reviewed.

HSTS

Strict-Transport-Security tells browsers to use the site only over HTTPS. It should be enabled only when HTTPS works reliably.

CSP

Content-Security-Policy limits where the browser may load scripts, styles, images and other resources from.

Referrer-Policy

Referrer-Policy controls how much of the current page's URL the browser sends in the Referer header of requests that leave the page, for example when the user follows a link to another site.

X-Content-Type-Options

X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing a response and treating a file as a different content type than the one the server declared.
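As an added example (not the check's own code), a small Python script that requests https://domain/ as this page describes and applies review criteria matching the four header sections above. The HSTS max-age threshold, the set of referrer policies treated as leaky and the sample headers are this example's own assumptions and constructed data, not values from the page.

```python
import http.client
import re
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin"}  # may send full URL cross-origin
MIN_HSTS_AGE = 15552000  # 180 days (assumed threshold); shorter policies expire from browsers quickly

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def check_hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    return "ok" if m and int(m.group(1)) >= MIN_HSTS_AGE else "review: short max-age"

def check_csp(v):
    # script-src falls back to default-src when it is not set explicitly
    scripts = csp_directive(v, "script-src") or csp_directive(v, "default-src")
    if not scripts:
        return "review: no script-src or default-src"
    if "'unsafe-inline'" in scripts or "*" in scripts:
        return "review: loose script sources"
    return "ok"

CHECKS = {
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "Referrer-Policy": lambda v: "review: may leak full URL cross-origin" if v.lower() in LEAKY_REFERRER else "ok",
    "X-Content-Type-Options": lambda v: "ok" if v.lower() == "nosniff" else "review: expected nosniff",
}

def evaluate_headers(headers):
    """Map each checked header to 'ok', 'missing' or a 'review: ...' note."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    return {name: (check(h[name.lower()]) if name.lower() in h else "missing")
            for name, check in CHECKS.items()}

def fetch_headers(domain, timeout=10):
    """GET https://domain/ and return its response headers (live network call)."""
    conn = http.client.HTTPSConnection(domain, timeout=timeout)
    conn.request("GET", "/", headers={"User-Agent": "header-check-example"})
    return dict(conn.getresponse().getheaders())

SAMPLE_HEADERS = {  # constructed response headers, not captured from any real site
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
```

Run `evaluate_headers(fetch_headers("example.com"))` to check a live site, or `evaluate_headers(SAMPLE_HEADERS)` to see how the constructed response is judged offline.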

Why do HTTP security headers matter?

Security headers do not replace secure application code, but they are an important additional protection layer between the browser and the web service. When configured properly, they can help reduce the risk of XSS, clickjacking, mixed content and unnecessary information leakage.

Good HTTP security headers also indicate that browser-level protection has been considered in the site’s maintenance. They are especially important for sites that include logins, customer data, forms or administration panels.

How to interpret the result

A high score means that most of the checked headers were found in the site’s HTTPS response. However, the presence of a header alone is not always enough: the value must also fit the site. For example, a CSP that is too strict can break site functionality, while a CSP that is too loose may provide little protection.

If a header is missing, that does not always mean an immediate critical issue. The importance depends on the type of site. A public static page has a different risk profile than a service that handles logins, user data or payments.

Frequently asked questions

Can HSTS break a website?

Yes, if HTTPS is not working correctly on all required subdomains or services. HSTS should be enabled only when HTTPS works reliably.

Is Content-Security-Policy required?

CSP is not technically required, but it is one of the most important browser-level protections. It should be configured carefully based on the resources the site actually needs.

Are HTTP security headers enough to secure a website?

Not by themselves. They are an important additional layer, but the application code, server configuration, updates, permissions and TLS settings must also be secure.