View every response header for any URL. Get a security header grade, plain-English explanations, and the full raw header dump.
We fetch the response headers and audit all 7 critical security headers, caching, CORS, server info, and show a full raw dump.
These 7 headers significantly improve your site's security posture. Missing any of them is flagged in the audit above.
Strict-Transport-Security forces browsers to always use HTTPS for your domain — even if a user types "http://". Prevents SSL-stripping attacks.
Content-Security-Policy tells the browser which scripts, styles, and resources are allowed to load. The most powerful XSS defence available.
X-Frame-Options prevents your page from being embedded in an iframe on a malicious site, protecting users from clickjacking attacks. Use DENY or SAMEORIGIN.
X-Content-Type-Options set to nosniff stops browsers from guessing a file's MIME type. Prevents attackers from tricking browsers into running scripts disguised as images.
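As an added example (not the checker's own code), here is a minimal offline audit of the four headers described above, run against a constructed header set; the one-year HSTS max-age threshold and the A/B/C/F grading scale are assumptions, not the tool's rules.

```python
import re

# Values the page names as acceptable for the two fixed-value headers.
ALLOWED = {"x-frame-options": {"DENY", "SAMEORIGIN"},
           "x-content-type-options": {"NOSNIFF"}}
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for a pass

def audit_headers(headers):
    """Map each of the four headers above to 'ok', 'missing', or a weakness."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings["Strict-Transport-Security"] = "no max-age directive"
        elif int(m.group(1)) < ONE_YEAR:
            findings["Strict-Transport-Security"] = "max-age below one year"
        else:
            findings["Strict-Transport-Security"] = "ok"
    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing"
    elif "'unsafe-inline'" in csp.lower():
        findings["Content-Security-Policy"] = "contains 'unsafe-inline'"
    else:
        findings["Content-Security-Policy"] = "ok"
    for name in ("X-Frame-Options", "X-Content-Type-Options"):
        value = h.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif value.upper() not in ALLOWED[name.lower()]:
            findings[name] = f"unexpected value {value!r}"
        else:
            findings[name] = "ok"
    return findings

def grade(findings):
    """Letter grade from how many of the four headers passed."""
    passed = sum(1 for v in findings.values() if v == "ok")
    return {4: "A", 3: "B", 2: "C"}.get(passed, "F")

# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = {"Server": "nginx",
                  "Strict-Transport-Security": "max-age=300",
                  "X-Frame-Options": "ALLOW-FROM https://partner.example",
                  "X-Content-Type-Options": "nosniff"}
```

Calling `audit_headers(SAMPLE_HEADERS)` reports the short HSTS lifetime, the missing CSP and the non-standard X-Frame-Options value, so the sample grades F.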