SERPInsight

Security Headers Checker

Protect your visitors from XSS, Clickjacking, and other attacks. Our scanner analyzes your HTTP response headers and provides a graded security report card.

Scans for HSTS, CSP, X-Frame-Options, Permissions-Policy, and more.

The SERPInsight Security Headers Checker

HTTP headers are the hidden "instructions" your server sends to a browser before any website content loads. They act as the first line of defense, telling the browser exactly what is allowed and what is forbidden.

Without these headers, browsers default to "permissive" settings, leaving your users vulnerable to attacks like Cross-Site Scripting (XSS), Clickjacking, and Protocol Downgrade attacks. Our tool checks if you are correctly implementing these modern security standards.

How our tool works

  1. Input Target URL

     Enter your domain. We automatically normalize it and handle protocol selection (HTTP/HTTPS).

  2. Server Response Analysis

     We perform a HEAD request to fetch the raw response headers without downloading the full page body, ensuring maximum speed.

  3. Scoring & Grading

     We check for the presence and validity of critical headers (HSTS, CSP, X-Frame) and assign a letter grade (A-F).

Understanding Security Metrics

HSTS

Strict-Transport-Security forces browsers to communicate only via HTTPS, preventing man-in-the-middle downgrade attacks.

CSP

Content-Security-Policy is the ultimate defense against XSS. It whitelists trusted sources for scripts, styles, and images.

X-Frame

X-Frame-Options prevents your site from being embedded in iframes on other sites, stopping Clickjacking attacks.

MIME Sniffing

X-Content-Type-Options stops the browser from "guessing" file types, preventing hackers from disguising malicious scripts as images.

Referrer Policy

Referrer-Policy controls how much information is included in the 'Referer' header when users click links leaving your site.

Permissions

Permissions-Policy allows you to explicitly disable browser features you don't use, like the camera, microphone, or geolocation.

How We Calculate Your Grade

Our algorithm assigns points based on the security impact of each header.

Grading Tiers

  • A (Score 85 - 100): Ironclad security. Includes HSTS, CSP, and all standard headers.
  • B (Score 65 - 84): Strong protection. Usually implies CSP is present, or perfect basics + HSTS.
  • C (Score 50 - 64): Standard protection. Contains basic headers (X-Frame, X-Content) but missing powerful policies.
  • D (Score 30 - 49): Weak protection. Missing multiple critical headers. High vulnerability risk.
  • F (Score 0 - 29): No protection detected. Your site is exposed to almost all client-side attacks.

Scoring Weights

  • Strict-Transport-Security (HSTS) +20 pts
  • Content-Security-Policy (CSP) +20 pts
  • X-Frame-Options +20 pts
  • X-Content-Type-Options +20 pts
  • Referrer-Policy +10 pts
  • Permissions-Policy +10 pts

Pro Tip: To get an A Grade, you typically need HSTS, CSP, and X-Frame-Options enabled simultaneously. Missing any one of the "Big 3" will usually cap your grade at B or C.
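The three-step procedure above (HEAD request, then presence/validity checks, then a letter grade) and the scoring weights and tiers just listed, as an added Python example; this is not SERPInsight's own code. The weights and tier boundaries are copied from the page; the validity rules in is_valid() (positive HSTS max-age, DENY/SAMEORIGIN for X-Frame-Options, nosniff for X-Content-Type-Options) are my assumptions, since the page does not publish its checks. Two caveats a practitioner should keep in mind: HSTS only takes effect when the header is received over HTTPS, and some servers answer HEAD differently from GET, so confirm a surprising result with a GET before changing configuration.

```python
"""Score HTTP response headers with the weights and grade tiers listed on this page.

Added example, not SERPInsight's code. The checks in is_valid() are an assumption;
the page lists weights and tiers but not its own validity rules.
"""
import http.client
import sys
from urllib.parse import urlsplit

# Points per header, exactly as listed under "Scoring Weights" (keys are lower-case).
WEIGHTS = {
    "strict-transport-security": 20,
    "content-security-policy": 20,
    "x-frame-options": 20,
    "x-content-type-options": 20,
    "referrer-policy": 10,
    "permissions-policy": 10,
}

# Grade tiers exactly as listed under "Grading Tiers": (lowest score of the tier, letter).
TIERS = [(85, "A"), (65, "B"), (50, "C"), (30, "D"), (0, "F")]


def is_valid(name, value):
    """Assumed validity checks: a header that is present but useless earns no points."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        # HSTS only has an effect with a positive max-age; max-age=0 clears the policy.
        for directive in v.split(";"):
            key, _, val = directive.strip().partition("=")
            if key == "max-age" and val.isdigit():
                return int(val) > 0
        return False
    if name == "x-frame-options":
        return v in ("deny", "sameorigin")  # ALLOW-FROM is obsolete and ignored by browsers
    if name == "x-content-type-options":
        return v == "nosniff"
    return bool(v)  # CSP, Referrer-Policy, Permissions-Policy: any non-empty value counts here


def score_headers(headers):
    """Return (score, grade, problems) for a header map; names match case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    score = 0
    problems = []
    for name, points in WEIGHTS.items():
        value = lowered.get(name)
        if value is None:
            problems.append("missing " + name)
        elif not is_valid(name, value):
            problems.append("invalid " + name)
        else:
            score += points
    grade = next(letter for floor, letter in TIERS if score >= floor)
    return score, grade, problems


def fetch_headers(url, timeout=10.0):
    """Step 2 of the procedure: a HEAD request that returns only the response headers.

    Some servers answer HEAD differently from GET (or reject it), so treat the result
    as indicative and confirm with a GET before changing configuration.
    """
    if "://" not in url:
        url = "https://" + url  # assumed default when no scheme is given
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/", headers={"User-Agent": "header-score-example"})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses for offline use (not captured from any real site).
FULL_SET = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
BASICS_ONLY = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    # Pass a URL to scan a live server; with no argument the constructed sample is scored.
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else FULL_SET
    score, grade, problems = score_headers(headers)
    print(f"score={score} grade={grade}")
    for problem in problems:
        print("  -", problem)
```

Scoring the constructed samples reproduces the tiers on the page: the full set scores 100 (A), the basics-only set scores 50 (C), and dropping or zeroing HSTS from the full set scores 80 (B), which is the "Big 3" cap the Pro Tip describes.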

Frequently Asked Questions

How do I fix a missing header?

  Headers are set in your web server configuration.
  Apache: Use the .htaccess file (e.g., Header set X-Frame-Options "SAMEORIGIN").
  Nginx: Add directives to your nginx.conf (e.g., add_header X-Frame-Options "SAMEORIGIN";).
  Cloudflare: You can use "Transform Rules" to inject headers at the edge.

Does a bad security grade affect SEO?

  While headers like HSTS or CSP aren't direct "ranking factors" like page speed, security is a prerequisite for user trust, and browsers are increasingly blocking insecure features. HSTS is also required for inclusion in the browser "HSTS Preload List," which is a strong signal of a high-quality site.

What is the most important header?

  Strict-Transport-Security (HSTS) is widely considered the most critical for modern web security because it enforces the use of HTTPS. Content-Security-Policy (CSP) is a close second, offering the best protection against script injection attacks.

Why use our Security Headers Checker?

Professional-grade diagnostics for serious SEOs.

Smart Grading Algorithm

We don't just count headers; we weight them by importance. Missing HSTS hurts your score more than missing a Referrer-Policy.

Instant Analysis

By using efficient HEAD requests, our tool retrieves header data in milliseconds, making it perfect for bulk auditing.

Actionable Advice

We provide clear, one-sentence explanations for every missing header so you know exactly what risk you are mitigating.

Private & Secure

We process the scan in real-time and do not store your data or crawl history. Your analysis remains completely private.
