Security Headers Checker

Check which security headers a website is sending: HSTS, CSP, X-Frame-Options, Referrer-Policy and more. Grade A+ to F.

The 6 key security headers

HSTS

Strict-Transport-Security

Forces browsers to connect only via HTTPS for a defined duration. Without it, browsers can be tricked into HTTP connections even on a site that supports HTTPS.

CSP

Content-Security-Policy

Defines which scripts, styles and resources the browser is allowed to load. Prevents cross-site scripting (XSS) attacks by blocking unexpected resource origins.

X-Frame-Options

X-Frame-Options

Prevents your pages from being embedded in iframes on other domains. Stops clickjacking attacks where attackers overlay invisible frames over your site.

XCTO

X-Content-Type-Options

Prevents browsers from MIME-sniffing responses. The value should always be "nosniff", which stops browsers from executing a file as a different type than the one declared in Content-Type.

RP

Referrer-Policy

Controls how much referrer information is sent when users click links. "strict-origin-when-cross-origin" is the recommended value for most sites.

PP

Permissions-Policy

Restricts which browser features (camera, microphone, geolocation, etc.) can be used. Limits the attack surface if third-party scripts are compromised.

Security response headers are one of the cheapest, highest-impact improvements you can make to a website after launch. They tell browsers how to behave: whether to allow iframing, which origins can run scripts, how to handle referrer data and whether to enforce HTTPS. Despite being free to implement, most websites are missing at least two or three of the six key headers. This tool performs a live check of any URL and grades the security header configuration from A+ to F. Results include each header's current value, whether it's correctly configured, and what's missing. Useful for developers, system administrators and anyone doing a technical post-launch review.
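The check the paragraph describes can be reproduced offline on a captured set of response headers. The following is an added example written for this page, not the checker's own code: it audits the six headers named above and maps the result to a letter grade. The pass/fail rules (a one-year HSTS max-age, no 'unsafe-inline' or '*' in script-src, a strict Referrer-Policy) and the grade scale are assumptions chosen for the example, and both sample header sets are constructed rather than captured from a real site.

```python
"""Audit the six key security response headers on a captured HTTP response.

Added example; the scoring rules and grade scale are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

HSTS_MIN_MAX_AGE = 31536000  # one year in seconds (assumed threshold)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
KNOWN_REFERRER = SAFE_REFERRER | {"no-referrer-when-downgrade", "origin",
                                  "origin-when-cross-origin", "unsafe-url"}


@dataclass
class Finding:
    header: str
    value: Optional[str]
    ok: bool
    note: str


def _lookup(headers, name):
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_hsts(value):
    if value is None:
        return False, "missing; browsers can still be steered to plain HTTP"
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return False, "no max-age directive; browsers ignore the header"
    if int(m.group(1)) < HSTS_MIN_MAX_AGE:
        return False, f"max-age={m.group(1)} is shorter than one year"
    if "includesubdomains" not in value.lower():
        return True, "ok, but includeSubDomains is not set"
    return True, "ok"


def check_csp(value):
    if value is None:
        return False, "missing; no restriction on script or resource origins"
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives:
        return False, "no default-src fallback; unlisted resource types are unrestricted"
    # script-src inherits from default-src when it is not set explicitly
    script_src = directives.get("script-src", directives["default-src"])
    if "'unsafe-inline'" in script_src:
        return False, "script-src allows 'unsafe-inline', which undoes the XSS protection"
    if "*" in script_src:
        return False, "script-src allows any origin (*)"
    return True, "ok"


def check_xfo(value):
    if value is None:
        return False, "missing; page can be framed by other origins (clickjacking)"
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return True, "ok"
    return False, f"unexpected value {value!r}; use DENY or SAMEORIGIN"


def check_xcto(value):
    if value is not None and value.strip().lower() == "nosniff":
        return True, "ok"
    return False, "must be exactly 'nosniff'"


def check_referrer_policy(value):
    if value is None:
        return False, "missing; the browser default applies"
    # Comma-separated fallback list: browsers use the last token they recognise.
    tokens = [t.strip().lower() for t in value.split(",")]
    effective = next((t for t in reversed(tokens) if t in KNOWN_REFERRER), None)
    if effective is None:
        return False, "no recognised policy token"
    if effective in SAFE_REFERRER:
        return True, "ok"
    return False, f"{effective!r} is weaker than strict-origin-when-cross-origin"


def check_permissions_policy(value):
    if value is None:
        return False, "missing; third-party scripts may use camera, microphone, geolocation"
    return True, "ok"


CHECKS = [("Strict-Transport-Security", check_hsts),
          ("Content-Security-Policy", check_csp),
          ("X-Frame-Options", check_xfo),
          ("X-Content-Type-Options", check_xcto),
          ("Referrer-Policy", check_referrer_policy),
          ("Permissions-Policy", check_permissions_policy)]


def audit(headers):
    """Return one Finding per key header."""
    return [Finding(n, _lookup(headers, n), *fn(_lookup(headers, n))) for n, fn in CHECKS]


def grade(findings):
    """Assumed scale: 6 correct -> A+, 5 -> A, 4 -> B, 3 -> C, 2 -> D, else F."""
    passed = sum(1 for f in findings if f.ok)
    return {6: "A+", 5: "A", 4: "B", 3: "C", 2: "D"}.get(passed, "F")


# Constructed sample responses (not captured from any real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        findings = audit(hdrs)
        print(f"{label}: grade {grade(findings)}")
        for f in findings:
            print(f"  [{'PASS' if f.ok else 'FAIL'}] {f.header}: {f.note}")
```

Feed `audit()` the header dictionary from any HTTP client response (for example `requests.get(url).headers`) to run it against a live site; the findings list carries each header's value and the reason it passed or failed, which is the same information the tool reports.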

This tool provides an automated analysis for orientation purposes only. Results may be incomplete or inaccurate. This does not constitute legal, technical, or professional advice of any kind. NEXITO MEDIA LLC accepts no liability for decisions made based on tool results.