Free Security Headers Checker
Paste your site's URL and instantly see which HTTP security headers you're missing, what each one protects against, and how your setup grades out.
What are HTTP security headers?
HTTP security headers are response headers your server sends with every page. They tell the browser how to behave: which connections to trust, what scripts to run, whether the page can be framed. Configured well, they shut down entire classes of attack (XSS, clickjacking, protocol downgrade) before they start. Missing or misconfigured, they leave the door open. They're one of the cheapest, highest-impact security wins for any web app, and most apps ship without them.
The headers this tool checks
Strict-Transport-Security (HSTS): Forces browsers to use HTTPS, preventing attackers from downgrading the connection to plain HTTP and intercepting traffic.
Content-Security-Policy (CSP): Controls which scripts and resources can load, the single strongest defense against cross-site scripting (XSS).
X-Content-Type-Options: Stops browsers from MIME-sniffing responses, which can turn a harmless upload into an executable script.
X-Frame-Options: Prevents your page from being embedded in an iframe on another site, blocking clickjacking attacks.
Referrer-Policy: Limits how much referrer information leaks to third-party sites when users click outbound links.
Permissions-Policy: Restricts which browser features (camera, mic, geolocation) your site and its embeds can use.
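A check for these six headers has to look at values, not just presence, since a header can be sent and still be ineffective. The sketch below is an added example, not DeploySafe's code: the pass/fail rules, the function names and the sample response headers are assumptions constructed for illustration.

```python
import re

SAMPLE = {  # constructed response headers, not captured from a real site
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def check_hsts(v):
    # max-age=0 tells the browser to forget the policy, so it counts as disabled.
    m = re.search(r'max-age\s*=\s*"?(\d+)', v, re.I)
    return "ok" if m and int(m.group(1)) > 0 else "max-age missing or 0"

def check_csp(v):
    # Parse "name value value; name value" into {name: [values]}; first one wins.
    d = {}
    for part in v.split(";"):
        t = part.split()
        if t:
            d.setdefault(t[0].lower(), [x.lower() for x in t[1:]])
    src = d.get("script-src", d.get("default-src"))
    if src is None:
        return "no script-src or default-src"
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)
    return "script-src allows 'unsafe-inline'" if "'unsafe-inline'" in src and not strict else "ok"

CHECKS = {  # assumed rules for this example
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "X-Content-Type-Options": lambda v: "ok" if v.lower() == "nosniff" else "value is not nosniff",
    "X-Frame-Options": lambda v: "ok" if v.upper() in ("DENY", "SAMEORIGIN") else "value is not DENY or SAMEORIGIN",
    "Referrer-Policy": lambda v: "sends full URL cross-origin" if v.split(",")[-1].strip().lower() == "unsafe-url" else "ok",
    "Permissions-Policy": lambda v: "ok",  # presence only
}

def audit_headers(headers):
    """Return {header: 'ok' | 'missing' | description of the weakness}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    return {name: (check(h[name.lower()]) if name.lower() in h else "missing")
            for name, check in CHECKS.items()}

if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE).items():
        print(f"{name}: {finding}")
```

To audit a live response, pass the header mapping from your HTTP client to audit_headers in place of SAMPLE.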
Headers are the start, not the whole picture
Security headers protect against a specific set of browser-side attacks, but they won't catch a leaked API key in your JavaScript bundle, an exposed .env file, a route missing authentication, or a vulnerable dependency. DeploySafe's full website security scanner checks all of those by probing your live app the way an attacker would, then hands you a copy-paste fix for each finding.