
HTTP Header Checker & Security Audit | A+ to F Scoring

Server-Side Processing: Only retrieves headers from the target URL

No Sign-Up: Use instantly without an account

Security Audit Included: A+ to F grade scoring

HTTP Header Checker & Security Audit

Enter any URL to view all HTTP response headers and score security header configuration from A+ to F. This free online tool checks 7 security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection) with pass/fail assessment, explanations, and Apache/Nginx configuration examples. It also evaluates performance headers like Cache-Control and Content-Encoding.

Use Cases

Web Developers: Check for missing header configurations before deployment. Copy recommended settings directly.

Security Auditing: Regularly audit security header settings for your own or client sites.

Server Admins: Verify that Apache/Nginx header configurations are correctly applied.

Report Generation: Export results as JSON/text for security reports and documentation.

How to Use

  1. Enter the URL you want to check (e.g. https://example.com)
  2. Click the "Check" button
  3. View results in three tabs:
    • 📋 All Headers: Complete HTTP response header listing (with filter search)
    • 🛡️ Security Audit: A+ to F scoring with detailed header evaluations
    • ⚡ Performance: Cache and compression header evaluation
  4. Missing headers show recommended Apache/Nginx configurations ready to copy

Security Header Glossary

Content-Security-Policy (CSP)
Restricts the sources from which the browser can load resources. It is the most powerful defense against XSS attacks.
Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS only. Specify duration with max-age in seconds.
X-Frame-Options
Restricts iframe embedding to prevent clickjacking attacks.
X-Content-Type-Options
Prevents MIME type sniffing. The only valid value is nosniff.
Referrer-Policy
Controls how much referrer information is sent during navigation.
Permissions-Policy
Controls access to browser features (geolocation, camera, etc.). Formerly Feature-Policy.
Cache-Control
Controls caching behavior. Specify cache duration with max-age.
Content-Encoding
Indicates response body compression method. gzip and Brotli (br) are common.
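
A pass/fail check over the security headers defined in the glossary above, as an added example (not this tool's own code or scoring logic). The pass criteria, the 180-day HSTS threshold, the function names and the sample response are assumptions made for illustration.

```python
import re

MIN_HSTS_SECONDS = 15552000  # assumed pass threshold (180 days); the page states none

def parse_headers(raw):
    """Raw response head -> {lowercased name: value}; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return {header: (passed, reason)} for the glossary's security headers."""
    h, out = parse_headers(raw), {}
    if "content-security-policy" in h:
        out["content-security-policy"] = (True, "enforced policy present")
    elif "content-security-policy-report-only" in h:
        # Report-Only logs violations but blocks nothing, so it is not a pass.
        out["content-security-policy"] = (False, "report-only, not enforced")
    else:
        out["content-security-policy"] = (False, "missing")
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts or "", re.I)
    if hsts is None:
        verdict = (False, "missing")
    elif m is None:
        verdict = (False, "no max-age directive")
    elif int(m.group(1)) < MIN_HSTS_SECONDS:
        verdict = (False, f"max-age {m.group(1)}s is below {MIN_HSTS_SECONDS}s")
    else:
        verdict = (True, f"max-age {m.group(1)}s")
    out["strict-transport-security"] = verdict
    xfo = h.get("x-frame-options", "").upper()
    out["x-frame-options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")
    xcto = h.get("x-content-type-options", "").lower()
    out["x-content-type-options"] = (xcto == "nosniff", xcto or "missing")
    for name in ("referrer-policy", "permissions-policy"):
        out[name] = (name in h, "present" if name in h else "missing")
    return out

# Constructed sample response head (not output from any real site).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy-Report-Only: default-src 'self'
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""
```

Calling `audit(SAMPLE)` flags the report-only CSP and the short HSTS max-age as failures even though both headers are present, which a presence-only check would miss.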

Frequently Asked Questions

Do security headers affect SEO?
Not a direct ranking factor, but HTTPS (related to HSTS) is a Google ranking signal. Security incidents indirectly harm SEO.
Do I need to set all headers?
At minimum, set CSP, HSTS, X-Frame-Options, and X-Content-Type-Options. The rest are also recommended.
My site broke after setting CSP
Use Content-Security-Policy-Report-Only first, then adjust based on DevTools errors.
Can I set headers on shared hosting?
Most hosts support header configuration via .htaccess. mod_headers must be enabled.
Am I immediately at risk with an F grade?
Not immediately, but attacks become easier. Header setup is low cost, so early configuration is recommended.