Security Header Checker
Enter a URL to see which HTTP security headers it sends, get a grade from A+ to F, and copy the exact nginx config to fix whatever's missing.
A few headers, a big difference
Security headers are among the highest-leverage changes you can make to a site: a handful of one-line directives that block entire classes of attack — protocol downgrades, clickjacking, MIME sniffing, cross-site scripting. Most sites are missing several, not because they're hard, but because nobody checked.
This checker reads the live response and hands you the config to close the gaps. Once your headers are set, run a full scan from the homepage to catch cookies, mixed content, and the other 100 checks — and read the security headers guide for the reasoning behind each one.
Frequently asked questions
Which security headers matter most?
Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP) carry the most weight — HSTS enforces HTTPS and CSP is the main defense against cross-site scripting. X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy round out a solid baseline.
How is the grade calculated?
Points are weighted toward the highest-impact protections: HTTPS and a long HSTS max-age, a CSP without unsafe-inline/eval, then the remaining headers. It uses the same weighting as our full site analyzer, so the grades line up. A+ means a hardened setup; F means the HTTPS baseline is missing.
Do security headers affect SEO?
Indirectly. HTTPS (which HSTS enforces) is a confirmed Google ranking signal, and browsers flag non-HTTPS pages as "Not Secure", which scares off users. The other headers do not move rankings directly but reflect a well-maintained, trustworthy site.
I added a header but it still shows missing — why?
Common causes: the header is set only on some routes, a proxy or CDN strips it, or (on nginx) an inner location block dropped inherited headers because it defines its own. Also make sure you added the "always" flag so headers are sent on error responses too.
Related tools
HTTP Header Checker
See status, redirect chain & every response header a crawler receives.
robots.txt Tester
Check if any URL is allowed or blocked, using Google’s matching rules.
Keyword Density Checker
Word count, reading time & 1/2/3-word keyword density — catch stuffing.
Readability Checker
Flesch Reading Ease & grade level with live sentence and word stats.
This tool solves one thing.
Scan a live URL against 100 on-page checks — with the code to fix each issue.
Analyze any URL free