Security Headers
Fetches a URL and scores its HTTP security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Highlights missing or weak headers with recommendations.
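The scoring the tool describes, as an added example that is not the scanner's own code: the point weights and the heuristics that decide whether a present header is weak are assumptions chosen for illustration, and SAMPLE_HEADERS is a constructed response rather than a capture from any real site. fetch_headers() is included for live use; the demo runs offline on the sample.

```python
"""Score the six response headers the scanner checks.

Added example, not the scanner's own code: the point weights, the "weak"
heuristics and SAMPLE_HEADERS are assumptions chosen for illustration.
"""
import re
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

Finding = Tuple[str, str]  # (status, message); status is "ok", "weak" or "missing"

# Assumed weights (they sum to 100). A present-but-weak header earns half its weight.
WEIGHTS = {
    "strict-transport-security": 20,
    "content-security-policy": 20,
    "x-frame-options": 20,
    "x-content-type-options": 20,
    "referrer-policy": 10,
    "permissions-policy": 10,
}

def check_hsts(v: str) -> Finding:
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "weak", "no max-age, so browsers ignore the header"
    if int(m.group(1)) < 31536000:
        return "weak", "max-age under one year; preload lists require at least 31536000"
    if "includesubdomains" not in v.lower():
        return "weak", "missing includeSubDomains, so subdomains can still be downgraded"
    return "ok", "long max-age with includeSubDomains"

def check_csp(v: str) -> Finding:
    directives: Dict[str, list] = {}
    for part in v.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is the fallback when it is absent
    src = directives.get("script-src", directives.get("default-src"))
    if src is None:
        return "weak", "neither script-src nor default-src: scripts may load from anywhere"
    # a nonce or hash makes 'unsafe-inline' ignored in CSP Level 2+ browsers
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in src)
    if "'unsafe-inline'" in src and not has_nonce_or_hash:
        return "weak", "'unsafe-inline' for scripts removes the XSS mitigation"
    if "'unsafe-eval'" in src or "*" in src:
        return "weak", "'unsafe-eval' or a wildcard script source weakens the policy"
    return "ok", "script sources are restricted"

def check_xfo(v: str) -> Finding:
    if v.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok", "framing restricted"
    return "weak", "only DENY or SAMEORIGIN are honoured; ALLOW-FROM is obsolete"

def check_xcto(v: str) -> Finding:
    if v.strip().lower() == "nosniff":
        return "ok", "MIME sniffing disabled"
    return "weak", "value must be exactly nosniff"

def check_referrer(v: str) -> Finding:
    if v.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        return "weak", "sends the full URL, path and query included, to other origins"
    return "ok", "referrer leakage limited"

def check_permissions(v: str) -> Finding:
    return ("ok", "powerful features restricted") if v.strip() else ("weak", "empty policy")

CHECKS: Dict[str, Callable[[str], Finding]] = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_xfo,
    "x-content-type-options": check_xcto,
    "referrer-policy": check_referrer,
    "permissions-policy": check_permissions,
}

def score_headers(headers: Dict[str, str]) -> Tuple[int, Dict[str, Finding]]:
    """Return (score out of 100, finding per header). Header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    total, findings = 0, {}
    for name, weight in WEIGHTS.items():
        if name not in lowered:
            findings[name] = ("missing", "header not set")
            continue
        status, msg = CHECKS[name](lowered[name])
        findings[name] = (status, msg)
        total += weight if status == "ok" else weight // 2
    return total, findings

def fetch_headers(url: str) -> Dict[str, str]:
    """GET the URL (servers often answer HEAD differently) and return its headers.
    dict() keeps only the last value of a repeated header, so a site that sends two
    CSP headers (browsers enforce both) is scored on the second one only."""
    req = Request(url, headers={"User-Agent": "header-scorer-example"})
    with urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample response; not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

if __name__ == "__main__":
    total, findings = score_headers(SAMPLE_HEADERS)
    for name, (status, msg) in findings.items():
        print(f"{status:8} {name}: {msg}")
    print(f"score: {total}/100")
```

On the sample, HSTS and CSP are present but weak, X-Frame-Options and Permissions-Policy are missing, and the result is 45/100; replace SAMPLE_HEADERS with fetch_headers("https://...") to score a live site.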
Frequently asked questions
- Which headers matter most?
- HSTS tells browsers to use HTTPS for the site on every later visit (after the first HTTPS response, or from the first visit if the domain is preloaded); Content-Security-Policy restricts where scripts may load from and so contains most XSS; X-Frame-Options (or the CSP frame-ancestors directive, which supersedes it) blocks clickjacking; X-Content-Type-Options: nosniff stops browsers from guessing a content type other than the declared one. A missing header is not an exploitable bug by itself, but it removes a defence that would have blunted one, and scanners flag it for that reason.
- Does my framework set these automatically?
- Only partly. Rails and Django set some of them out of the box (both send X-Frame-Options and X-Content-Type-Options: nosniff by default), but HSTS and a real CSP always need explicit configuration, and Express sets none of them. Use helmet for Express; Django's built-in SecurityMiddleware (it absorbed the old django-secure package); and Rails' config.action_dispatch.default_headers or the secure_headers gem. rack-protection covers Rack and Sinatra apps. Cloudflare can add HSTS at the edge with a toggle; on Vercel you declare the headers in vercel.json.
- Can strict headers break my site?
- Yes. A strict CSP blocks inline scripts and styles, eval(), and any third-party script (analytics, tag managers, chat widgets) whose origin is not listed. Roll it out as Content-Security-Policy-Report-Only with a report-uri (or report-to) endpoint, collect the violation reports, fix or allow-list each source, then switch the header name to Content-Security-Policy. HSTS needs the same care: once a long max-age is cached, every host covered by includeSubDomains must keep serving valid HTTPS, because browsers will refuse to fall back.
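The report-only rollout described in the last answer, as an added example that is not the scanner's or any framework's code: it triages CSP violation reports into origins to allow-list versus code that must change, appends approved origins to the policy, and emits the report-only or enforcing header. It goes beyond the text by accepting both the legacy report-uri JSON shape and the Reporting API shape. The sample reports and the .test hostnames are constructed; report-uri is used because it remains the most widely supported reporting directive.

```python
"""Triage CSP violation reports collected during a report-only rollout.

Added example, not the scanner's or any framework's code. SAMPLE_REPORTS are
constructed; the directive names and report field names are the real ones.
"""
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

def normalize(report: dict) -> Tuple[str, str]:
    """Return (effective_directive, blocked_uri) from either report format."""
    if "csp-report" in report:                      # legacy report-uri shape
        body = report["csp-report"]
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        blocked = body.get("blocked-uri", "")
    else:                                           # Reporting API shape (report-to)
        body = report.get("body", {})
        directive = body.get("effectiveDirective", "")
        blocked = body.get("blockedURL", "")
    # violated-directive may carry the whole directive ("script-src 'self'"); keep the name
    return (directive.split()[0] if directive else ""), blocked

def classify(blocked: str) -> Tuple[str, str]:
    """Map a blocked URI to (action, source): allow-list an origin or change code."""
    if blocked == "inline":
        return "code-change", "inline script/style: externalize it or add a nonce/hash"
    if blocked == "eval":
        return "code-change", "eval()/new Function: rewrite it rather than adding 'unsafe-eval'"
    parts = urlsplit(blocked)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "allowlist", f"{parts.scheme}://{parts.netloc}"   # origin, never the full URL
    return "investigate", blocked or "(empty blocked-uri)"

def triage(reports: List[dict]) -> Dict[Tuple[str, str, str], int]:
    """Count violations per (directive, action, source), so the noisiest go first."""
    counts: Counter = Counter()
    for r in reports:
        directive, blocked = normalize(r)
        action, source = classify(blocked)
        counts[(directive, action, source)] += 1
    return dict(counts)

def add_sources(policy: str, directive: str, sources: List[str]) -> str:
    """Append sources to a directive in a CSP string, creating the directive if absent."""
    parts = [p.strip() for p in policy.split(";") if p.strip()]
    for i, part in enumerate(parts):
        tokens = part.split()
        if tokens[0].lower() == directive:
            parts[i] = " ".join(tokens + [s for s in sources if s not in tokens])
            return "; ".join(parts)
    return "; ".join(parts + [" ".join([directive] + sources)])

def csp_header(policy: str, enforce: bool, report_endpoint: str = "/csp-report") -> Tuple[str, str]:
    """Header (name, value) for the rollout stage: report-only first, then enforcing."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, f"{policy}; report-uri {report_endpoint}"

# Constructed reports, as a browser would POST them to the report endpoint.
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://shop.example.test/checkout",
                    "effective-directive": "script-src", "blocked-uri": "inline"}},
    {"csp-report": {"document-uri": "https://shop.example.test/",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "https://tags.analytics-cdn.test/tag.js?id=42"}},
    {"csp-report": {"document-uri": "https://shop.example.test/cart",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "https://tags.analytics-cdn.test/tag.js?id=42"}},
    {"type": "csp-violation", "url": "https://shop.example.test/",
     "body": {"effectiveDirective": "font-src",
              "blockedURL": "https://fonts.cdn.example.test/inter.woff2"}},
    {"type": "csp-violation", "url": "https://shop.example.test/cart",
     "body": {"effectiveDirective": "script-src", "blockedURL": "eval"}},
]

if __name__ == "__main__":
    for (directive, action, source), n in sorted(triage(SAMPLE_REPORTS).items(),
                                                key=lambda kv: -kv[1]):
        print(f"{n:3}  {directive:12} {action:12} {source}")
    policy = "default-src 'self'; script-src 'self'"
    policy = add_sources(policy, "script-src", ["https://tags.analytics-cdn.test"])
    policy = add_sources(policy, "font-src", ["https://fonts.cdn.example.test"])
    print(csp_header(policy, enforce=False))   # stage 1: report-only
    print(csp_header(policy, enforce=True))    # stage 2: enforce
```

Only origins appear in the allow-list output on purpose: allow-listing a full URL with its query string would have to be redone every time a tag ID changes, while an origin survives that. The two code-change findings (an inline script and an eval) are the ones no allow-list entry should fix, since 'unsafe-inline' and 'unsafe-eval' give back exactly the XSS protection the policy is there for.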