HTTP Security Headers Analyzer
Paste raw HTTP headers to check HSTS, CSP, X-Frame-Options, and more against OWASP best practices. Get a security grade and fix snippets.
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are response headers that tell the browser how to treat your site's content: whether pages may be framed, whether the site may ever be reached over plain HTTP, which scripts and resources may load, how much referrer information to leak, and so on. They are set by the server (or a proxy or CDN in front of it) and enforced by the browser, so they protect your users against attacks such as XSS, clickjacking and MIME-sniffing rather than hardening the server itself. Because the browser enforces only what it receives, the headers must be sent with every response, including redirects and error pages.
What is the most important security header?
Content-Security-Policy (CSP) is generally considered the most impactful, because a strict policy prevents or severely limits XSS by controlling which scripts, styles, and other resources the browser is allowed to load and execute; a loose policy that allows 'unsafe-inline' or any host gives little protection. Strict-Transport-Security (HSTS) is also critical for any HTTPS site: once a browser has seen it, the browser refuses to contact the site over plain HTTP and will not let the user click through certificate errors, which defeats SSL stripping and similar downgrade attacks.
Why is Content-Security-Policy hard to implement?
CSP requires you to state explicitly where scripts, styles, images, and other resources may come from. The classic approach allowlists every host your page uses; the more robust modern approach issues a per-response nonce (or a hash of each inline script) and uses 'strict-dynamic' so that trusted scripts may load their own dependencies. Either way, inline scripts and styles must be moved to external files or given nonces/hashes, and third-party dependencies (analytics, fonts, CDNs) must all be accounted for. Start with a report-only policy (Content-Security-Policy-Report-Only) pointed at a report-uri or report-to endpoint: it blocks nothing, but the violation reports show you what would break before you switch to the enforcing header.
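The rollout described above, as an added example rather than code from this tool: compute the hash source for an inline script, mint a per-response nonce, assemble a nonce-based policy with 'strict-dynamic', and emit it under the Report-Only header name until you are ready to enforce. The inline script text, the third-party hosts and the /csp-report endpoint are constructed for illustration.

```python
"""Build a nonce/hash-based CSP and stage it as Report-Only first.
Added example, not the analyzer's own code; hosts, report endpoint and the
inline script body are constructed placeholders."""
import base64
import hashlib
import secrets


def csp_hash(inline_script, algo="sha256"):
    """CSP hash source for an inline <script> body: digest of the exact text
    between the tags (whitespace included), base64-encoded and quoted."""
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def new_nonce():
    """Per-response nonce: 128 random bits, base64 so it fits the CSP grammar.
    Never reuse a nonce across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_policy(nonce, inline_hashes=(), script_hosts=(), report_uri="/csp-report"):
    """Assemble a strict policy. With 'strict-dynamic', CSP3 browsers ignore the
    host entries and 'self' for scripts and trust only nonce'd/hashed scripts
    plus whatever those load; the hosts remain as a fallback for older browsers."""
    script_src = ["'self'", f"'nonce-{nonce}'", *inline_hashes,
                  "'strict-dynamic'", *script_hosts]
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "style-src 'self' 'unsafe-inline'",           # assumed: styles not yet refactored
        "img-src 'self' data:",
        "font-src 'self' https://fonts.gstatic.com",  # assumed third-party font host
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def headers_for_rollout(policy, enforce=False):
    """Header to send: Report-Only while auditing (blocks nothing), enforced later."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: policy}


if __name__ == "__main__":
    INLINE = "window.dataLayer = window.dataLayer || [];"   # constructed inline script
    nonce = new_nonce()
    policy = build_policy(nonce, [csp_hash(INLINE)], ["https://www.googletagmanager.com"])
    for name, value in headers_for_rollout(policy).items():
        print(f"{name}: {value}")
```

The same nonce must be written into every `<script nonce="...">` tag of that one response; the hash is only needed for inline scripts whose text is fixed and cannot carry a nonce attribute.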
Does having these headers improve my SEO?
Security headers do not directly affect Google's ranking algorithm. However, HTTPS (enforced by HSTS) is a ranking signal, and a more secure site reduces the risk of malware injection or phishing pages that could lead to Google blocklisting. Core Web Vitals and site availability matter more for SEO.
What does the A+ grade mean?
An A+ grade means your site scored 90 or above out of 100, indicating that the key security headers are present and correctly configured, with at most minor gaps. The score is weighted: CSP is worth 20 points, HSTS and X-Frame-Options are worth 15 each, and the remaining headers contribute 5–10 points each. A header that is present but weakly configured (for example a CSP that allows 'unsafe-inline' for scripts, or an HSTS max-age of a few minutes) earns only partial credit.
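To make the grading concrete, here is an added example of a small analyzer in the spirit of the tool: it parses a pasted raw header block, applies the weights the FAQ states (CSP 20, HSTS 15, X-Frame-Options 15) and produces a score, a grade and fix snippets. This is not the page's own scoring code: the exact set and weights of the "remaining" headers, the one-year HSTS threshold, the partial-credit amounts and the letter cutoffs below A+ are assumptions chosen so the total is 100.

```python
"""Minimal HTTP security header analyzer: parse raw response headers, score
them, and emit fix snippets. Added example, not the tool's own code. Weights
for the non-CSP/HSTS/XFO headers, partial credits and grade cutoffs below A+
are assumptions."""
import re

ONE_YEAR = 31536000  # assumed minimum acceptable HSTS max-age, in seconds

FIX = {  # fix snippets offered when a header is missing or weak
    "content-security-policy": "Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'",
    "strict-transport-security": "Strict-Transport-Security: max-age=63072000; includeSubDomains",
    "x-frame-options": "X-Frame-Options: DENY",
    "x-content-type-options": "X-Content-Type-Options: nosniff",
    "referrer-policy": "Referrer-Policy: strict-origin-when-cross-origin",
    "permissions-policy": "Permissions-Policy: camera=(), microphone=(), geolocation=()",
    "cross-origin-opener-policy": "Cross-Origin-Opener-Policy: same-origin",
    "cross-origin-resource-policy": "Cross-Origin-Resource-Policy: same-origin",
    "cross-origin-embedder-policy": "Cross-Origin-Embedder-Policy: require-corp",
}

# Assumed weights and accepted values for headers checked by simple value match.
# 20 (CSP) + 15 (HSTS) + 10 (Permissions-Policy) + these = 100.
SIMPLE = {
    "x-frame-options": (15, {"deny", "sameorigin"}),
    "x-content-type-options": (10, {"nosniff"}),
    "referrer-policy": (10, {"no-referrer", "same-origin", "strict-origin",
                             "strict-origin-when-cross-origin"}),
    "cross-origin-opener-policy": (10, {"same-origin", "same-origin-allow-popups"}),
    "cross-origin-resource-policy": (5, {"same-origin", "same-site"}),
    "cross-origin-embedder-policy": (5, {"require-corp", "credentialless"}),
}


def parse_headers(raw):
    """Pasted raw headers -> lowercase-keyed dict (status line and junk skipped)."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def directive(policy, name):
    """Source list of one CSP directive, or None if the directive is absent."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"(?=[\s;]|$)([^;]*)", policy, re.I)
    return m.group(1).split() if m else None


def check_csp(value):
    """Full credit only for an enforced policy whose script sources are strict."""
    sources = directive(value, "script-src")
    if sources is None:
        sources = directive(value, "default-src")
    if sources is None:
        return 5, "CSP has neither script-src nor default-src"
    low = [s.lower() for s in sources]
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in low)
    if "'unsafe-inline'" in low and not nonce_or_hash:   # browsers ignore it when a nonce/hash exists
        return 10, "CSP script sources allow 'unsafe-inline' without a nonce or hash"
    if "*" in low or "http:" in low or "https:" in low:
        return 10, "CSP script sources allow any host"
    return 20, None


def check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return 0, "HSTS present but max-age is missing"
    if int(m.group(1)) < ONE_YEAR:
        return 8, "HSTS max-age is below one year"
    if "includesubdomains" not in value.lower():
        return 12, "HSTS lacks includeSubDomains"
    return 15, None


def grade(score):
    """A+ at 90 or above as the FAQ states; the lower cutoffs are assumptions."""
    for cutoff, letter in ((90, "A+"), (80, "A"), (70, "B"), (60, "C"), (50, "D")):
        if score >= cutoff:
            return letter
    return "F"


def analyze(raw):
    """Score pasted headers; return score, grade and (finding, fix snippet) pairs."""
    h = parse_headers(raw)
    score, findings = 0, []

    def record(points, note, header):
        nonlocal score
        score += points
        if note:
            findings.append((note, FIX[header]))

    if "content-security-policy" in h:
        record(*check_csp(h["content-security-policy"]), "content-security-policy")
    elif "content-security-policy-report-only" in h:   # audited but not enforced
        record(5, "CSP is Report-Only: violations are reported, not blocked", "content-security-policy")
    else:
        record(0, "Content-Security-Policy missing", "content-security-policy")
    if "strict-transport-security" in h:
        record(*check_hsts(h["strict-transport-security"]), "strict-transport-security")
    else:
        record(0, "Strict-Transport-Security missing", "strict-transport-security")
    has_pp = "permissions-policy" in h   # credit for presence only; its value is site-specific
    record(10 if has_pp else 0, None if has_pp else "Permissions-Policy missing", "permissions-policy")
    for name, (weight, accepted) in SIMPLE.items():
        last = h.get(name, "").lower().split(",")[-1].strip()   # last token wins for Referrer-Policy fallbacks
        ok = last in accepted
        record(weight if ok else 0, None if ok else f"{name} missing or weak (got {last!r})", name)
    return {"score": score, "grade": grade(score), "findings": findings}


# Constructed sample response headers (not captured from any real site).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(f"Score {report['score']}/100, grade {report['grade']}")
    for note, fix in report["findings"]:
        print(f"- {note}\n    fix: {fix}")
```

On the constructed sample the CSP loses half its credit because script-src allows 'unsafe-inline' without a nonce or hash, and the missing Permissions-Policy and Cross-Origin-* headers cost the rest, so it lands at 60 (C) despite a correct HSTS header. Note that X-Frame-Options is scored on its own here; a CSP frame-ancestors directive also stops clickjacking and a production grader should accept either.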