HTTP Security Headers Check

// HTTP Security Headers Check

Understanding HTTP Security Headers

HTTP security headers are instructions sent by web servers that tell browsers how to handle a site's content. They form a critical layer of defense against common web attacks. Strict-Transport-Security (HSTS) forces HTTPS connections, Content-Security-Policy (CSP) prevents script injection, X-Frame-Options blocks clickjacking, and X-Content-Type-Options stops MIME-type sniffing attacks.

Missing security headers leave websites vulnerable to well-known attack patterns. Without HSTS, users can be downgraded to HTTP and intercepted. Without CSP, injected scripts can steal user data. Without X-Frame-Options, attackers can embed your site in an invisible iframe to trick users into clicking hidden buttons.

How to Improve Your Security Grade

Configure security headers in your web server (Nginx, Apache, Caddy) or CDN (Cloudflare, AWS CloudFront). Start with the highest-impact headers: HSTS with a long max-age, a restrictive CSP, X-Frame-Options set to DENY, and X-Content-Type-Options set to nosniff. Most can be added with a single configuration line.

FAQ

What are HTTP security headers?

HTTP security headers are response directives from web servers that instruct browsers how to behave when handling content. They protect against attacks like cross-site scripting (XSS), clickjacking, MIME sniffing, and protocol downgrade attacks.

What does each security header do?

HSTS forces HTTPS, CSP controls which scripts can run, X-Frame-Options prevents iframe embedding, X-Content-Type-Options stops MIME sniffing, Referrer-Policy controls referrer information, and Permissions-Policy restricts browser features like camera and microphone access.

Why did my site get a low grade?

Common reasons: missing Content-Security-Policy (the most impactful header), no HSTS header, or missing X-Frame-Options. Adding these three headers alone will significantly improve your grade.

Do security headers affect performance?

No. Security headers add negligible overhead — they're just a few extra bytes in the HTTP response. The performance impact is effectively zero, while the security benefit is substantial.