HTTP security headers are among the most impactful and underutilised security improvements you can make to any website. A single nginx config change or a one-line Apache directive can protect your users from XSS attacks, clickjacking, protocol downgrade attacks, and data leakage — often in under five minutes. Yet the majority of websites on the internet still fail to set them correctly.

The 6 Security Headers Every Site Should Have

1. Strict-Transport-Security (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Forces browsers to use HTTPS for the next year. Prevents protocol downgrade attacks and cookie hijacking. The most critical header for any HTTPS site.

2. Content-Security-Policy (CSP)

Content-Security-Policy: default-src 'self'

Controls which resources (scripts, styles, images) can load on your page. Prevents XSS by blocking inline scripts and external resource injection.

3. X-Content-Type-Options

X-Content-Type-Options: nosniff

Prevents browsers from guessing the content type. Stops MIME-sniffing attacks where malicious content served as an innocent type could be executed.

4. X-Frame-Options

X-Frame-Options: SAMEORIGIN

Prevents your page from being embedded in an iframe on another domain — the main vector for clickjacking attacks.

5. Referrer-Policy

Referrer-Policy: strict-origin-when-cross-origin

Controls what URL information is sent in the Referer header when users click links. Prevents leaking sensitive URL paths (like session tokens in query strings) to third parties.

6. Permissions-Policy

Permissions-Policy: camera=(), microphone=(), geolocation=()

Restricts which browser APIs your site and embedded iframes can access. Limits the damage if a third-party script is compromised.

Step-by-Step: Check Your Website

1. Open the Security Headers Checker

Go to webtoolsz.com/security-headers-checker. Our server fetches your URL's HTTP response headers — we only read headers, never page content.

2. Enter your URL and click Analyse

Enter the full URL including https://. The tool checks all 7 security headers and assigns an A+ to F grade based on what is present.

3. Review the results table

Each header shows Present or Missing, its importance level (Critical/Important/Moderate), and if missing — the exact header value you should add.

4. Fix missing headers and re-check

Add the recommended headers to your server config (Apache, Nginx, or your CDN), deploy, and run the check again to confirm they are working.

Pro Tip: Start with the three easiest wins: X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, and Referrer-Policy: strict-origin-when-cross-origin. These three lines in your server config improve your grade from F to C with no risk of breaking anything.
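To show what such a check does with a real set of response headers, here is an added example of a minimal offline checker (not the webtoolsz.com tool's code) that scores the six headers above against the article's recommended values. The importance levels come from the article; the point weights and grade thresholds are this example's own assumption, chosen so that the three "easy wins" alone lift an empty response from F to C.

```python
import re

# Recommended values and importance levels as given in the article.
RECOMMENDED = {
    "strict-transport-security": ("max-age=31536000; includeSubDomains; preload", "Critical"),
    "content-security-policy": ("default-src 'self'", "Critical"),
    "x-content-type-options": ("nosniff", "Important"),
    "x-frame-options": ("SAMEORIGIN", "Important"),
    "referrer-policy": ("strict-origin-when-cross-origin", "Moderate"),
    "permissions-policy": ("camera=(), microphone=(), geolocation=()", "Moderate"),
}
POINTS = {"Critical": 3, "Important": 2, "Moderate": 1}  # assumed weighting, max 12

def _weak(name, value):
    """Return a reason when a header is present but misconfigured, else None."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            return "max-age below one year"
    elif name == "content-security-policy":
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "policy allows unsafe-inline/unsafe-eval"
    elif name == "x-content-type-options" and v != "nosniff":
        return "value must be nosniff"
    elif name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "value must be DENY or SAMEORIGIN"
    elif name == "referrer-policy" and v in ("unsafe-url", "no-referrer-when-downgrade"):
        return "policy leaks full URLs to cross-origin sites"
    return None

def analyse(headers):
    """Grade a response-header mapping (names matched case-insensitively).
    Returns (grade, findings); findings maps header -> (status, importance, advice)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings, score = {}, 0
    for name, (rec, importance) in RECOMMENDED.items():
        if name not in lower:
            findings[name] = ("Missing", importance, f"add: {rec}")
        elif (reason := _weak(name, lower[name])):
            findings[name] = ("Weak", importance, f"{reason}; use: {rec}")
        else:
            findings[name] = ("Present", importance, "")
            score += POINTS[importance]
    ratio = score / sum(POINTS[i] for _, i in RECOMMENDED.values())
    grade = ("A+" if ratio == 1 else "A" if ratio >= 0.8 else "B" if ratio >= 0.6
             else "C" if ratio >= 0.4 else "D" if ratio >= 0.2 else "F")
    return grade, findings

# Constructed sample response (not a real site): HSTS too short, CSP and Permissions-Policy missing.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300",
                  "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
                  "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Feed it the headers from a captured response (for example the mapping returned by an HTTP client library) and the findings tell you, per header, whether to add it or correct its value.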

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are special response headers that web servers send to browsers with every page request. They instruct the browser how to handle security-sensitive behavior — whether to enforce HTTPS, which resources to allow, whether the page can be embedded in iframes. They are one of the fastest wins in web security.

What is the most important security header to add?

Strict-Transport-Security (HSTS) is the most critical for any HTTPS site. Content-Security-Policy is the most powerful for preventing XSS but is complex to configure. For most sites, start with HSTS, X-Content-Type-Options: nosniff, and X-Frame-Options: SAMEORIGIN — these three prevent the most common browser-based attacks.

How do I add security headers to my website?

For Apache, add Header always set directives in .htaccess or server config. For Nginx, use add_header in your server block. For Node.js/Express, use the helmet middleware. For Cloudflare, Netlify or Vercel, set custom response headers in your CDN configuration.

What grade should my website aim for?

Aim for an A or A+ grade. This means HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy are all set correctly. A B grade is acceptable. Anything below C requires urgent attention — the site lacks basic protection against XSS, clickjacking, and protocol downgrade attacks.