Response Headers Checker

Security-focused guide to HTTP response headers with implementation recommendations.

⚠️ Security Note: Implementing proper security headers is crucial for protecting your website from common attacks. Review the recommendations below and implement headers appropriate for your application.

🔒 Security Headers Checklist

Strict-Transport-Security (Critical)

Tells browsers to use HTTPS only for this host (and, with includeSubDomains, every subdomain) for max-age seconds; the header is only honoured when received over HTTPS

Recommended: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (Critical)

Restricts where scripts, styles, frames and other resources may load from and which inline code may run, limiting XSS and injection

Recommended: default-src 'self'; script-src 'self' (for inline scripts that cannot be moved to a file, add a per-response 'nonce-<value>' or a 'sha256-<hash>' source; 'unsafe-inline' in script-src disables most of the XSS protection and should not be used)

X-Frame-Options (High)

Prevents clickjacking by controlling which sites may frame the page

Recommended: SAMEORIGIN (DENY if the site is never framed; CSP's frame-ancestors directive supersedes this header in modern browsers)

X-Content-Type-Options (High)

Stops browsers from MIME-sniffing a response away from its declared Content-Type

Recommended: nosniff

Referrer-Policy (Medium)

Controls how much of the current URL is sent in the Referer header on navigations and subresource requests

Recommended: strict-origin-when-cross-origin

Permissions-Policy (Medium)

Controls which browser features (geolocation, camera, microphone, ...) the page and its frames may use

Recommended: geolocation=(), camera=(), microphone=()

X-XSS-Protection (Low)

Legacy browser XSS filter; Chrome and Edge removed it in 2019, Firefox never implemented it, and the filter itself caused security issues, so CSP is the replacement

Recommended: 0 (explicitly off), or omit the header entirely

Security Response Headers Guide

Response headers are a cheap layer of defence in depth: correctly configured security headers limit cross-site scripting (XSS), clickjacking, MIME confusion and protocol downgrade attacks even when a bug slips into application code, though they do not replace output encoding and input validation. This guide focuses on the headers that matter most for modern websites.

Many hosting providers and CDNs make implementing these headers straightforward through configuration files or admin panels. Prioritize critical headers first, then implement additional protection as appropriate for your application.

HSTS: Enforcing HTTPS

Strict-Transport-Security tells a browser that has seen it to use HTTPS only for the stated max-age, upgrading plain http:// requests before they leave the browser; this defeats SSL-stripping downgrade attacks and stops cookies leaking over cleartext. The header is ignored when received over plain HTTP, so the very first visit is unprotected unless the domain is preloaded: set max-age to at least one year, add includeSubDomains and preload, and submit the domain to the HSTS preload list. Do this only once every subdomain is served over HTTPS, because the preload list requires includeSubDomains and a preloaded entry is slow to reverse.

CSP: Content Security Policy

Content-Security-Policy is the most powerful of these headers: it declares which origins may supply scripts, styles, frames, images and other resources, and which inline code may run. Start with a restrictive policy and loosen it only where violation reports show legitimate breakage. Roll it out with Content-Security-Policy-Report-Only plus report-uri (or its CSP3 successor, report-to) so violations are reported but nothing is blocked, then switch to the enforcing header once the reports are clean. Avoid 'unsafe-inline' in script-src; a per-response nonce or a hash on each inline script gives the same functionality without opening the door to injected scripts.
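The nonce-based pattern that replaces 'unsafe-inline', as an added Python example (not code from the original page or its tool): one fresh nonce per response, placed in the CSP header and on every legitimate inline script, with a Report-Only switch for the rollout phase. The helper names (build_csp, respond, nonce_consistent), the /csp-report endpoint and the page template are assumptions constructed for illustration.

```python
"""Nonce-based CSP: one fresh nonce per response, placed both in the header and
on every legitimate inline <script>, so 'unsafe-inline' is never needed.
Helper names are hypothetical; the page template is constructed inline."""
from __future__ import annotations

import html
import secrets


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url encoded; regenerated for every
    response so an attacker cannot predict or reuse it."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_endpoint: str = "/csp-report") -> str:
    """Same-origin resources only; inline scripts run only if they carry the
    nonce; plugins and <base> hijacking blocked; framing denied; violations
    reported to report_endpoint (an assumed path on this site)."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; "
        f"report-uri {report_endpoint}"
    )


def csp_header(nonce: str, enforce: bool) -> tuple[str, str]:
    """Report-Only while rolling out (violations reported, nothing blocked),
    then the enforcing header once the reports are clean."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, build_csp(nonce)


def render_page(nonce: str, user_input: str) -> str:
    """The application's own inline script carries the nonce. Reflected input is
    escaped; if that escaping ever fails, an injected <script> still has no
    nonce and an enforcing browser refuses to run it (defence in depth)."""
    return (
        "<!doctype html><html><body>"
        f"<p>Hello, {html.escape(user_input)}</p>"
        f'<script nonce="{nonce}">console.log("app boot");</script>'
        "</body></html>"
    )


def respond(user_input: str, enforce: bool = True) -> tuple[dict[str, str], str]:
    """Headers and body for one response, sharing a single nonce."""
    nonce = new_nonce()
    name, value = csp_header(nonce, enforce)
    return {name: value}, render_page(nonce, user_input)


def header_nonce(policy: str) -> str:
    """Extract the nonce value from a policy string."""
    start = policy.index("'nonce-") + len("'nonce-")
    return policy[start:policy.index("'", start)]


def nonce_consistent(headers: dict[str, str], body: str) -> bool:
    """True when exactly one <script> in the body carries the header's nonce."""
    policy = next(iter(headers.values()))
    return body.count(f'nonce="{header_nonce(policy)}"') == 1


if __name__ == "__main__":
    hdrs, body = respond("<script>alert(1)</script>")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print(body)
    print("nonce consistent:", nonce_consistent(hdrs, body))
```

Run it with `enforce=False` first and point report-uri at a collector; the nonce must never be cached along with the page, so disable page caching or generate it at the edge when a CDN sits in front.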

X-Frame-Options: Clickjacking Prevention

This header controls whether other sites may embed your pages in an iframe, which is what clickjacking relies on. Use DENY to forbid all framing or SAMEORIGIN to allow framing only from your own origin; the ALLOW-FROM value never gained cross-browser support and should not be relied on. CSP's frame-ancestors directive supersedes X-Frame-Options in modern browsers and can list specific allowed origins, so send both while older clients still matter.

Testing Security Headers

Use an online security header scanner to audit the result, and the Network panel in browser DevTools to see the headers actually received for any response. Check more than the home page: redirects, error pages, API responses and static assets need the same headers, and a header set only on HTML documents leaves a gap. Retest after deployment to confirm normal functionality is intact, and keep CSP in report-only mode until the violation reports are clean.
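An offline checker for the checklist and testing advice above, added here as a Python example; it is not the page's own tool and the function names and the WEAK/HARDENED header sets are constructed for illustration. It parses HSTS and CSP rather than string-matching, so it catches the cases a grep misses: an HSTS max-age too short for preloading, 'unsafe-inline' in script-src with no nonce or hash to neutralise it, and a missing X-Frame-Options that is in fact covered by CSP frame-ancestors.

```python
"""Offline audit of response headers against the checklist on this page; takes
a plain dict (pasted from DevTools or an HTTP client), no network access needed."""
from __future__ import annotations

ONE_YEAR = 31536000  # the HSTS preload list requires max-age of at least one year


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse "default-src 'self'; script-src 'self'" into {directive: [sources]}, lower-cased."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().lower().split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out


def parse_hsts(value: str) -> dict[str, str | None]:
    """Parse "max-age=300; includeSubDomains" into {"max-age": "300", "includesubdomains": None}."""
    out: dict[str, str | None] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"') or None
    return out


def audit_headers(headers: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (severity, header, message) findings; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    f: list[tuple[str, str, str]] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        f.append(("Critical", "Strict-Transport-Security", "missing"))
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age") or 0)
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            f.append(("Critical", "Strict-Transport-Security", f"max-age={max_age} is below one year"))
        if "includesubdomains" not in d:
            f.append(("High", "Strict-Transport-Security", "includeSubDomains missing"))
        if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
            f.append(("High", "Strict-Transport-Security", "preload set but preload-list requirements unmet"))

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        f.append(("Critical", "Content-Security-Policy", "missing"))
    else:
        srcs = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
        # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag the bare case.
        if "'unsafe-inline'" in srcs and not any(s.startswith(("'nonce-", "'sha")) for s in srcs):
            f.append(("Critical", "Content-Security-Policy", "script-src allows 'unsafe-inline' without nonce/hash: XSS protection is off"))
        if "*" in srcs or "data:" in srcs:
            f.append(("High", "Content-Security-Policy", "script-src allows * or data:"))

    # CSP frame-ancestors supersedes X-Frame-Options in browsers that support it.
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        f.append(("High", "X-Frame-Options", "missing or unsupported value (ALLOW-FROM is not honoured)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        f.append(("High", "X-Content-Type-Options", "missing or not 'nosniff'"))
    rp = h.get("referrer-policy", "").lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        f.append(("Medium", "Referrer-Policy", "missing or sends full URLs cross-origin"))
    if "permissions-policy" not in h:
        f.append(("Medium", "Permissions-Policy", "missing"))
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        f.append(("Low", "X-XSS-Protection", "legacy filter enabled; modern browsers ignore it, set 0 or drop it"))
    return f


WEAK = {  # constructed sample: a typical default deployment
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED = {  # constructed sample: every checklist item at its recommended value
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_headers(hdrs)
        print(f"== {label}: {len(findings)} finding(s)")
        for sev, hdr, msg in findings:
            print(f"  [{sev}] {hdr}: {msg}")
```

Feed it the headers of every response type you serve (HTML, redirects, error pages, static assets, API), not just the landing page; the WEAK sample produces eight findings and the HARDENED one none.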