Security Headers Checker — HSTS, CSP, X-Frame-Options & more | TestURL.live

Security Headers Checker — Letter-Grade Audit In Seconds

Audit any URL for the nine most important HTTP security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and the Cross-Origin trio. Get a clear letter grade and a per-header explanation.

Migrated to a new server lately?

NGINX/Apache config often loses security headers in a migration. Catch the regression on the preview URL — before DNS cuts over.

Test Your Migration →

What Each Header Does

Strict-Transport-Security (HSTS)

Tells the browser to always use HTTPS for your domain — preventing downgrade attacks and accidental HTTP loads. Pair with max-age=15552000; includeSubDomains for a strong baseline.

Content-Security-Policy (CSP)

The single most impactful header for preventing XSS. Restricts which scripts, styles, images, and other resources can load. Hard to author but worth the effort — start strict, monitor reports, relax cautiously.

X-Content-Type-Options

Set to nosniff to prevent the browser from MIME-sniffing responses. Stops a class of attacks where a user-uploaded image is interpreted as JavaScript.

X-Frame-Options

DENY or SAMEORIGIN — prevents your site from being embedded in an iframe on another origin. Defeats clickjacking attacks. CSP's frame-ancestors is a more modern equivalent.

Referrer-Policy

Controls how much of the referring URL is sent when users click outbound links. strict-origin-when-cross-origin is the modern recommended default.

Permissions-Policy

Restricts powerful browser features (camera, mic, geolocation, payment) from being used by your site or its iframes. Set each feature you don't need to an empty allowlist, (), so that neither your pages nor embedded frames can request it.

Cross-Origin-Opener-Policy / Resource-Policy / Embedder-Policy

The newer COOP/CORP/COEP trio enables cross-origin isolation, which browsers require before exposing SharedArrayBuffer and high-resolution timers. Set them if you can — they add defence in depth.

Security Headers FAQ

Which security headers should every site have?

HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy at minimum. Permissions-Policy and the Cross-Origin headers for hardened setups.

What's a good Content-Security-Policy?

Start from default-src 'self' and explicitly allowlist only the third-party origins you actually need. Avoid unsafe-inline for scripts — it disables the main XSS protection.

Does HSTS require HTTPS?

Yes. HSTS only takes effect over HTTPS. Set max-age to at least 15552000 (6 months) for the grade to count.

Why does the checker grade my site lower than I expected?

The checker also validates header values, not just presence. An X-Content-Type-Options set to anything other than nosniff doesn't pass; an HSTS with max-age under six months is flagged.
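The rules described under "What Each Header Does" and in the FAQ above (value validation, not just presence) can be expressed as a small audit routine. The following is an added example written for this page, not TestURL.live's own checker: the per-header rules are the ones the page states (nosniff only, HSTS max-age of at least 15552000, no 'unsafe-inline' on script sources, the five-header baseline), while the letter-grade thresholds and the two sample header sets are assumptions constructed for illustration.

```python
"""Minimal security-header audit modelled on the checks this page describes.

Added example, not TestURL.live's own code. Header rules follow the page;
the letter-grade thresholds are an assumption made for this example.
"""
import re

HSTS_MIN_AGE = 15552000  # six months in seconds, the threshold the page states


def _hsts_ok(value):
    # Pass only if a numeric max-age is present and meets the six-month floor.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE


def _csp_ok(value):
    # Script sources come from script-src, falling back to default-src.
    # The page's rule: 'unsafe-inline' on scripts disables the XSS protection.
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = {t.lower() for t in tokens[1:]}
    script = directives.get("script-src", directives.get("default-src"))
    return script is not None and "'unsafe-inline'" not in script


def _present(value):
    return bool(value.strip())


# (header, validator, baseline?) -- the five baseline headers are the FAQ's minimum set.
# Referrer-Policy rejecting unsafe-url is an assumption; the page only names the default.
CHECKS = [
    ("Strict-Transport-Security", _hsts_ok, True),
    ("Content-Security-Policy", _csp_ok, True),
    ("X-Content-Type-Options", lambda v: v.strip().lower() == "nosniff", True),
    ("X-Frame-Options", lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"}, True),
    ("Referrer-Policy", lambda v: _present(v) and v.strip().lower() != "unsafe-url", True),
    ("Permissions-Policy", _present, False),
    ("Cross-Origin-Opener-Policy", _present, False),
    ("Cross-Origin-Resource-Policy", _present, False),
    ("Cross-Origin-Embedder-Policy", _present, False),
]


def audit(headers):
    """Return {'grade': str, 'results': {header: (passed, note)}} for a response header map."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    results = {}
    for name, check, _ in CHECKS:
        value = lowered.get(name.lower())
        if value is None:
            results[name] = (False, "missing")
        elif check(value):
            results[name] = (True, "ok")
        else:
            results[name] = (False, f"weak value: {value!r}")
    baseline_pass = sum(results[n][0] for n, _, base in CHECKS if base)
    all_pass = all(ok for ok, _ in results.values())
    # Grade thresholds are an assumption for this example; the page does not publish its scale.
    if all_pass:
        grade = "A"
    elif baseline_pass == 5:
        grade = "B"
    elif baseline_pass >= 3:
        grade = "C"
    elif baseline_pass >= 1:
        grade = "D"
    else:
        grade = "F"
    return {"grade": grade, "results": results}


# Constructed sample: headers are present, but two carry values the page flags as weak.
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: the hardened set the page describes, in lower-case as a client might store it.
SAMPLE_STRONG = {
    "strict-transport-security": "max-age=15552000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
}

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        report = audit(sample)
        print(f"{label}: grade {report['grade']}")
        for header, (ok, note) in report["results"].items():
            print(f"  {'PASS' if ok else 'FAIL'} {header}: {note}")
```

The weak sample has all five baseline headers present yet only three pass, because the one-day HSTS max-age and the 'unsafe-inline' script source are rejected on value, which is exactly the "present but not passing" case the FAQ describes. To run it against a live response, pass the response's header mapping (for example `dict(resp.headers)` from an HTTP client) to audit().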
