Check Your HTTP Security Headers
Analyses the HTTP response for the most important security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
What does the header check test?
The check fetches your site and inspects the HTTP response for the six most important security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Each one tells the browser to block a specific class of attack up front — when it's missing, that gap stays open.
Why it matters
These headers are your last line of defence, right inside the visitor's browser. Without HSTS, an HTTPS connection can be downgraded to plain HTTP via SSL stripping. Without X-Frame-Options — or a frame-ancestors rule in your CSP — your page can be loaded into a hidden frame and abused for clickjacking. Without X-Content-Type-Options set to nosniff, the browser guesses the file type and may execute an innocent-looking upload as a script. The CSP is the strongest lever against cross-site scripting (XSS).
How to read the result
For each header you'll see whether it's set and how. HSTS should carry a max-age of at least six months and ideally includeSubDomains. X-Frame-Options should be set to DENY or SAMEORIGIN. X-Content-Type-Options has only one sensible value: nosniff. The CSP is the most effective but also the trickiest — start in report-only mode so you don't break anything. All green means a solid baseline.
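As an added example (not the Webscan Radar tool's own code), the following Python grades a dict of response headers against the rules just described. The 180-day reading of "six months", the presence-only checks for Referrer-Policy and Permissions-Policy, and the sample headers are assumptions.

```python
# Added example, not Webscan Radar's own code: grades response headers against the
# rules above. Header lookups are case-insensitive; thresholds are assumptions.
import re

SIX_MONTHS = 180 * 24 * 3600  # assumption: "six months" read as 180 days

def _get(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_hsts(value):
    """max-age of at least six months required; includeSubDomains recommended."""
    if value is None:
        return "missing"
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m or int(m.group(1)) < SIX_MONTHS:
        return "weak: max-age below six months"
    return "ok" if "includesubdomains" in value.lower() else "ok, but includeSubDomains recommended"

def check_headers(headers):
    """Return a verdict per header for a dict of response headers."""
    res = {"Strict-Transport-Security": check_hsts(_get(headers, "Strict-Transport-Security"))}
    xfo, csp = _get(headers, "X-Frame-Options"), _get(headers, "Content-Security-Policy")
    # Framing: DENY/SAMEORIGIN, or a frame-ancestors directive in an enforced CSP
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        res["X-Frame-Options"] = "ok"
    elif csp and "frame-ancestors" in csp.lower():
        res["X-Frame-Options"] = "ok: covered by CSP frame-ancestors"
    else:
        res["X-Frame-Options"] = "missing" if xfo is None else f"weak: {xfo!r}"
    xcto = _get(headers, "X-Content-Type-Options")  # nosniff is the only sensible value
    res["X-Content-Type-Options"] = "ok" if xcto and xcto.strip().lower() == "nosniff" else "missing or not nosniff"
    # A report-only CSP is a test phase, not protection
    if csp is not None:
        res["Content-Security-Policy"] = "ok"
    elif _get(headers, "Content-Security-Policy-Report-Only") is not None:
        res["Content-Security-Policy"] = "report-only (not enforced yet)"
    else:
        res["Content-Security-Policy"] = "missing"
    for name in ("Referrer-Policy", "Permissions-Policy"):  # presence only (assumption)
        res[name] = "ok" if _get(headers, name) else "missing"
    return res

# Constructed sample response, not captured from a real site
SAMPLE = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "x-content-type-options": "nosniff",
}
```

Running `check_headers(SAMPLE)` flags the ALLOWALL frame option as weak and the report-only CSP as not yet enforced, which is exactly the kind of "set, but not usefully" result the check reports.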
Frequently asked questions about HTTP headers
Which security header is the most important?
The Content-Security-Policy has the greatest impact but takes the most effort. HSTS offers the best protection-to-effort ratio.
What does HSTS actually do?
It forces the browser to load your domain over HTTPS only — even if someone slips in an http link.
Does X-Frame-Options prevent clickjacking?
Yes, it stops your page from being embedded in frames on other sites. Modern setups handle this with the CSP frame-ancestors directive.
Can misconfigured headers break my site?
A too-strict CSP in particular can block legitimate scripts and styles, which is why you should always test in report-only mode first.
Need the full audit? The full Webscan Radar security check combines HTTP headers with all other areas plus GDPR audit, CMS detection, CVE matching and performance measurement in one report — also free.