Understanding what each header does helps you prioritize implementation. Here's a breakdown of every header we check.
Content-Security-Policy (CSP) is the most powerful security header. It tells the browser which sources are allowed to load scripts, styles, images, and other resources. According to Google's security team, implementing CSP reduces XSS vulnerabilities by up to 90%. For example, setting Content-Security-Policy: default-src 'self' restricts all resources to your own domain, blocking inline scripts and third-party injections.
Strict-Transport-Security (HSTS) forces browsers to use HTTPS for all future requests to your domain, preventing protocol downgrade attacks and cookie hijacking. Sites on the HSTS preload list (hstspreload.org) force HTTPS at the browser level, so not even the first request is sent over plain HTTP. As of 2025, over 300,000 domains are on the preload list. Set max-age=31536000; includeSubDomains; preload for maximum protection.
X-Frame-Options prevents your site from being embedded in iframes on other domains, blocking clickjacking attacks. Clickjacking remains in the OWASP Top 10 (2025). Set it to DENY or SAMEORIGIN. The newer CSP frame-ancestors directive offers more granular control.
Setting X-Content-Type-Options to nosniff prevents browsers from MIME-type sniffing, which stops attackers from disguising executable files as innocent content types. For example, without this header, a browser might interpret a malicious .txt file uploaded to your server as executable JavaScript.
Referrer-Policy controls how much referrer information is sent when navigating away from your site. strict-origin-when-cross-origin is the recommended setting: it sends only the origin for cross-site requests but the full URL for same-site navigation.
Permissions-Policy restricts which browser features (camera, microphone, geolocation, payment) your site can access. Disabling unused features prevents malicious scripts from exploiting these APIs.
X-XSS-Protection is a legacy header that activates the browser's built-in XSS filter. While modern browsers rely on CSP instead, setting 1; mode=block provides defense-in-depth for older browsers.
Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Opener-Policy (COOP) isolate your page from cross-origin resources, preventing Spectre-style side-channel attacks. These are newer headers that provide advanced isolation.
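The checks described for each header above, as an added example in Python: this is not code from the page or from GuardPress Pro, and the two header dictionaries at the bottom are constructed samples (a partially configured site, and one set to every value recommended above). The function takes a response-header mapping and reports each header as ok, weak, or missing, applying the page's recommendations: HSTS needs max-age of at least a year plus includeSubDomains, framing may be covered by either X-Frame-Options or CSP frame-ancestors, and a CSP whose script policy allows 'unsafe-inline' or a wildcard is flagged rather than credited.

```python
"""Audit a response's security headers against the recommendations above.

Added example; not code from the original page or from GuardPress Pro.
The header dictionaries at the bottom are constructed for illustration.
"""
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age recommended above

# Referrer-Policy values that never send a full URL to another site.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def audit_headers(headers):
    """Map each header to (status, note); status is 'ok', 'weak' or 'missing'.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    f = {}

    # CSP: present, and the script policy not neutered by 'unsafe-inline' or '*'.
    csp = h.get("content-security-policy")
    if csp is None:
        f["Content-Security-Policy"] = ("missing", "set e.g. default-src 'self'")
    else:
        scripts = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts or "*" in scripts:
            f["Content-Security-Policy"] = ("weak", "script policy allows inline or wildcard sources")
        else:
            f["Content-Security-Policy"] = ("ok", csp)

    # HSTS: at least one year and covering subdomains; note whether preload is requested.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        f["Strict-Transport-Security"] = ("missing", "set max-age=31536000; includeSubDomains; preload")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        subdomains = "includesubdomains" in hsts.lower()
        if max_age < ONE_YEAR or not subdomains:
            f["Strict-Transport-Security"] = ("weak", f"max-age={max_age}, includeSubDomains={subdomains}")
        else:
            f["Strict-Transport-Security"] = ("ok", f"preload requested: {'preload' in hsts.lower()}")

    # Framing: X-Frame-Options DENY/SAMEORIGIN, or the more granular CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    ancestors = _csp_directive(csp, "frame-ancestors") if csp else None
    if ancestors:
        f["X-Frame-Options"] = ("ok", "covered by CSP frame-ancestors " + " ".join(ancestors))
    elif xfo in ("DENY", "SAMEORIGIN"):
        f["X-Frame-Options"] = ("ok", xfo)
    elif xfo:
        f["X-Frame-Options"] = ("weak", f"{xfo} is not DENY or SAMEORIGIN")
    else:
        f["X-Frame-Options"] = ("missing", "set DENY or SAMEORIGIN, or CSP frame-ancestors")

    # nosniff is the only meaningful value.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        f["X-Content-Type-Options"] = ("missing", "set nosniff")
    elif xcto.lower() != "nosniff":
        f["X-Content-Type-Options"] = ("weak", f"{xcto!r} is not nosniff")
    else:
        f["X-Content-Type-Options"] = ("ok", "nosniff")

    # Referrer-Policy may be a comma-separated fallback list; the last value wins.
    rp = h.get("referrer-policy")
    if rp is None:
        f["Referrer-Policy"] = ("missing", "set strict-origin-when-cross-origin")
    elif rp.split(",")[-1].strip().lower() not in SAFE_REFERRER:
        f["Referrer-Policy"] = ("weak", f"{rp!r} can leak full URLs to other sites")
    else:
        f["Referrer-Policy"] = ("ok", rp)

    # Presence checks for the remaining headers.
    for name, hint in (("Permissions-Policy", "disable unused features, e.g. camera=(), microphone=()"),
                       ("Cross-Origin-Opener-Policy", "set same-origin"),
                       ("Cross-Origin-Embedder-Policy", "set require-corp")):
        value = h.get(name.lower())
        f[name] = ("ok", value) if value else ("missing", hint)

    # Legacy X-XSS-Protection: 1; mode=block is the value recommended above.
    xxp = h.get("x-xss-protection")
    if xxp is None:
        f["X-XSS-Protection"] = ("missing", "legacy; 1; mode=block helps older browsers")
    elif xxp.replace(" ", "").lower() == "1;mode=block":
        f["X-XSS-Protection"] = ("ok", xxp)
    else:
        f["X-XSS-Protection"] = ("weak", f"{xxp!r} is not 1; mode=block")
    return f


def summary(findings):
    """Count findings by status."""
    counts = {"ok": 0, "weak": 0, "missing": 0}
    for status, _ in findings.values():
        counts[status] += 1
    return counts


# Constructed sample: a typical partially configured site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "strict-transport-security": "max-age=86400",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

# Constructed sample: every header set to the value recommended above.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "X-XSS-Protection": "1; mode=block",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}

if __name__ == "__main__":
    for name, (status, note) in audit_headers(SAMPLE_HEADERS).items():
        print(f"{status:8} {name}: {note}")
    print(summary(audit_headers(SAMPLE_HEADERS)))
```

Run against the partially configured sample this reports two headers ok, three weak and four missing; the hardened sample passes all nine checks even though it carries no X-Frame-Options, because the frame-ancestors directive in its CSP covers the same risk.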
"Security headers are the cheapest security improvement you can make. They cost nothing, take minutes to implement, and protect against some of the most common attacks on the web."
— Scott Helme, Security Researcher & Founder of SecurityHeaders.com
In our security audits of WordPress sites, we've found that fewer than 15% have all 8 recommended security headers configured. Here's how adoption looks across the top 1 million websites:
| Header | Adoption Rate (Top 1M Sites) | Protection Against |
|---|---|---|
| Content-Security-Policy | 12.8% | XSS, code injection |
| Strict-Transport-Security | 25.1% | Protocol downgrade, MITM |
| X-Frame-Options | 29.5% | Clickjacking |
| X-Content-Type-Options | 37.2% | MIME type sniffing |
| Referrer-Policy | 14.3% | Information leakage |
| Permissions-Policy | 3.8% | Feature abuse (camera, mic) |
Source: Scott Helme's Security Headers Report, 2025
HTTP security headers are special response headers that your web server sends to the browser along with your page content. They instruct the browser on how to behave when handling your site's data -- for example, whether to allow embedding in iframes, which scripts can run, whether to enforce HTTPS, and more. They serve as a critical second line of defense against common web attacks like cross-site scripting (XSS), clickjacking, MIME-type sniffing, and protocol downgrade attacks.
Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) are the two most critical headers. CSP prevents cross-site scripting attacks by controlling exactly which resources the browser is allowed to load on your page. HSTS forces browsers to always use HTTPS, preventing man-in-the-middle attacks and cookie hijacking. Together they account for nearly half of the overall security header score. X-Frame-Options (clickjacking protection) and X-Content-Type-Options (MIME sniffing prevention) are also high priority.
There are several ways to add security headers. You can configure them at the server level via Apache .htaccess rules or Nginx config blocks. Many CDN providers like Cloudflare and Fastly also let you set headers in their dashboard. For WordPress sites, the easiest approach is a security plugin like GuardPress Pro that adds all missing headers automatically with one click -- no server access or manual configuration required.
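The page lists server configuration, CDN dashboards and a plugin as the ways to add headers. As an added example (not code from the page or from GuardPress Pro), the Python WSGI middleware below shows a fourth, application-level route and the rule a practitioner wants whichever route they choose: add a header only when the response does not already carry it, so a page that ships its own stricter policy keeps it. The demo application and the request driver are constructed for illustration.

```python
"""Add missing security headers from inside a Python web application.

Added example; not code from the page or from GuardPress Pro. Demonstrates
the 'set only if absent' rule so an app's own stricter header (here a CSP)
is never overwritten by the site-wide default.
"""
from wsgiref.util import setup_testing_defaults

# Values recommended above.
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=()"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Cross-Origin-Opener-Policy", "same-origin"),
    ("Cross-Origin-Embedder-Policy", "require-corp"),
]


class SecurityHeadersMiddleware:
    """Append each recommended header unless the wrapped app already sent it."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def _start_response(status, response_headers, exc_info=None):
            # Header names are case-insensitive, so compare lower-cased.
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers:
                if name.lower() not in present:
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Constructed app that already ships its own, stricter CSP."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", "default-src 'none'; script-src 'self'; frame-ancestors 'none'"),
    ])
    return [b"<h1>ok</h1>"]


def run_once(app, path="/"):
    """Drive a WSGI app with a synthetic request; return (status, {header: value}, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda chunk: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = run_once(SecurityHeadersMiddleware(demo_app))
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The same "only if absent" behaviour is `Header setifempty` in Apache; in Nginx, remember that `add_header` directives inside a `location` block replace, rather than extend, those inherited from the enclosing `server` block, so a location that adds its own header silently drops the rest. Two deployment cautions apply to the values themselves: send HSTS only once every host under the domain works over HTTPS, because browsers will refuse plain HTTP to it for the full max-age, and test Cross-Origin-Embedder-Policy: require-corp before rolling it out, since it blocks cross-origin images, scripts and frames that do not opt in with CORP or CORS headers.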
Yes, this HTTP security headers checker is completely free to use with no limits on the number of scans. No login, account, or credit card is required. Simply enter any URL and get instant results with a detailed grade, per-header analysis, and actionable recommendations to improve your security posture.