Privacy & Compliance

Security Headers Checker

Grade your HTTP security headers from A+ to F with fix recommendations.

Paste HTTP Response Headers

Score: 50/100 • 4/8 headers present

✓Strict-Transport-Security

Weight: 20Present

max-age=31536000; includeSubDomains

Forces HTTPS connections. Prevents protocol downgrade attacks.

✗Content-Security-Policy

Weight: 25Missing

Controls which resources the browser can load. Mitigates XSS attacks.

💡 Define a strict CSP. Start with default-src 'self' and expand as needed.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

✓X-Frame-Options

Weight: 10Present

DENY

Prevents clickjacking by controlling iframe embedding.

✓X-Content-Type-Options

Weight: 10Present

nosniff

Prevents MIME type sniffing. Forces browser to respect declared content type.

✓Referrer-Policy

Weight: 10Present

strict-origin-when-cross-origin

Controls how much referrer information is sent with requests.

✗Permissions-Policy

Weight: 15Missing

Controls which browser features and APIs can be used.

💡 Disable unused features like camera, microphone, and geolocation.

Permissions-Policy: camera=(), microphone=(), geolocation=()

✗X-XSS-Protection

Weight: 5Missing

Legacy XSS filter (mostly superseded by CSP).

💡 Set to '0' (modern browsers) or '1; mode=block' for legacy support.

X-XSS-Protection: 0

✗X-DNS-Prefetch-Control

Weight: 5Missing

Controls DNS prefetching behavior.

💡 Set to 'off' to prevent DNS prefetch information leakage.

X-DNS-Prefetch-Control: off

Related Tools

📜

Generate a comprehensive, customizable privacy policy for your website or app

🤖

robots.txt Generator

Generate robots.txt files with visual controls to block AI crawlers and bots

🛡️

CSP Generator

Build Content Security Policy headers with an interactive visual editor

📨

GDPR Request Generator

Generate GDPR data access, deletion, and portability request letters in EN/DE

🔒 This tool runs entirely in your browser. No data is sent to any server.