HTTP Security Headers Checklist
HTTP security headers tell browsers how to handle your content. Missing headers leave users vulnerable to clickjacking, MIME sniffing attacks, and man-in-the-middle downgrades. Most can be added with a single line of server configuration, yet a surprising number of production sites skip them.
Try it now
HTTP Response Inspector
Runs in your browser, nothing leaves your device.
Strict-Transport-Security (HSTS) forces HTTPS and prevents downgrade attacks. X-Content-Type-Options: nosniff stops browsers from guessing MIME types, blocking attacks where a text file is interpreted as JavaScript. X-Frame-Options prevents clickjacking by controlling who can embed your page in an iframe. Referrer-Policy controls what URL information leaks to other sites.
The Server header often reveals the web server and version (e.g., Apache/2.4.52). X-Powered-By exposes the framework (e.g., Express, PHP/8.1). These give attackers a head start in finding version-specific exploits. Remove or genericize them in production.
Examples
Missing critical headers
Server: Apache/2.4.52
X-Powered-By: PHP/8.1.2
Missing HSTS, CSP, X-Content-Type-Options, X-Frame-Options. Leaks server info.
Security context
Security headers are cheap insurance. They take minutes to add and protect against entire classes of attacks. If a site is missing basic headers like HSTS and X-Content-Type-Options, it's a signal that security wasn't a priority during development.
Frequently asked
Content-Security-Policy, because it provides the strongest protection against XSS, which is the most common web vulnerability. HSTS is a close second, as it prevents HTTPS downgrade attacks.
Related techniques
Content Security Policy (CSP) Analysis
How to analyze and audit Content-Security-Policy headers. Detect unsafe-inline, unsafe-eval, wildcard sources, and other misconfigurations that enable XSS.
CORS Misconfigurations and Security Risks
Detect dangerous CORS configurations: wildcard origins with credentials, reflected origins, null origin attacks, and overly permissive access-control headers.
Cookie Security Flags: Secure, HttpOnly, SameSite
Audit cookie security attributes. Detect session cookies missing Secure, HttpOnly, or SameSite flags that enable session hijacking and CSRF attacks.