Security Headers Checker

Check if your website has the essential security headers configured.

Free. No signup required.

Want the full picture?

Run a complete AI visibility audit — 25+ signals, fix roadmap, and generated files.


Why this matters

Prevents real attacks

Without CSP, nothing stops an injected script from running (XSS). Without HSTS, connections can be downgraded to plain HTTP. Without X-Frame-Options, your pages can be framed for clickjacking. These aren't theoretical; they happen daily.

Trust signal for AI

AI platforms check if your site is trustworthy before recommending. Missing security headers = lower trust = fewer AI recommendations.

Most are one-line fixes

Each missing header is a single line in your server config. 10 minutes to add all 6. Permanent protection.

How it works

1. Enter your website URL
2. We check all 6 critical HTTP security headers
3. Get a grade (A-F) with explanations for each header

Frequently Asked Questions

What security headers should my website have?

At minimum: Content-Security-Policy (prevents XSS), Strict-Transport-Security (forces HTTPS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy (controls referrer info), and Permissions-Policy (controls browser features).

How do I check my website's security headers?

Enter your URL in our Security Headers Checker above. We fetch your page and inspect the HTTP response headers. You'll see which of the 6 critical headers are present, which are missing, and a grade from A to F.
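How a check like the one described in this answer can work, as an added example (not this tool's actual code): it audits a set of response headers for the six headers listed above and flags weak values as well as missing ones. The names `RULES`, `scriptSrc` and `auditHeaders`, the value rules (such as the 180-day HSTS floor) and the sample headers are assumptions constructed for illustration.

```javascript
// Value rules (e.g. the 180-day HSTS floor) are assumptions of this example.
const RULES = {
  'content-security-policy': (v) => {
    const s = scriptSrc(v);
    if (s === null) return 'no script-src or default-src';
    // Browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
    const inline = /'unsafe-inline'/.test(s) && !/'(nonce|sha(256|384|512))-/.test(s);
    return inline || /'unsafe-eval'/.test(s) ? 'script sources allow unsafe-inline/unsafe-eval' : null;
  },
  'strict-transport-security': (v) => {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(v);
    if (!m) return 'no max-age';
    return Number(m[1]) < 15552000 ? 'max-age under 180 days' : null;
  },
  'x-frame-options': (v) => (/^(deny|sameorigin)$/i.test(v.trim()) ? null : 'expected DENY or SAMEORIGIN'),
  'x-content-type-options': (v) => (v.trim().toLowerCase() === 'nosniff' ? null : 'expected nosniff'),
  // In a comma-separated list the last policy token is the one applied.
  'referrer-policy': (v) =>
    (v.split(',').pop().trim().toLowerCase() === 'unsafe-url' ? 'unsafe-url sends full URLs cross-origin' : null),
  'permissions-policy': () => null, // presence only; the right value is site-specific
};

// Effective script source list: script-src, else default-src (first duplicate wins).
function scriptSrc(csp) {
  const dirs = Object.create(null);
  for (const d of csp.split(';').map((x) => x.trim()).filter(Boolean)) {
    const [name, ...vals] = d.split(/\s+/);
    if (!(name.toLowerCase() in dirs)) dirs[name.toLowerCase()] = vals.join(' ');
  }
  return dirs['script-src'] ?? dirs['default-src'] ?? null;
}

// Returns { header: 'ok' | 'missing' | 'weak: reason' }; names are lower-cased first.
function auditHeaders(raw) {
  const got = Object.fromEntries(Object.entries(raw).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const report = {};
  for (const [name, check] of Object.entries(RULES)) {
    const problem = name in got ? check(got[name]) : undefined;
    report[name] = problem === undefined ? 'missing' : problem ? `weak: ${problem}` : 'ok';
  }
  return report;
}

// Constructed sample response headers, not taken from a real site.
const sample = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'ALLOWALL',
};
console.log(auditHeaders(sample));
```

A header that is present but weak (a CSP whose script sources allow `'unsafe-inline'`, an HSTS `max-age` of a few minutes) passes a presence-only check, which is why the example inspects values too.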

What is HSTS and do I need it?

HSTS (HTTP Strict Transport Security) forces browsers to always use HTTPS for your site. Without it, users can be tricked into loading an HTTP version. Add the header: Strict-Transport-Security: max-age=31536000; includeSubDomains.

What is Content-Security-Policy (CSP)?

CSP tells browsers which scripts, styles, and resources are allowed to load on your page. It prevents XSS attacks by blocking unauthorized scripts. It's the most important security header but also the most complex to configure.

How do I add security headers to my website?

In Next.js, add them in next.config.js headers(). In Vercel, use vercel.json. In Nginx, add add_header directives. In Cloudflare, use Page Rules or Workers. Each platform has a different method — check your hosting docs.

Do security headers affect AI visibility?

Indirectly — yes. AI platforms deprioritize sites with security issues. Missing HTTPS and security headers signal an untrusted site. Good security is a baseline trust signal for both Google and AI assistants.
