Free Security Headers Checker
Instantly grade a website's HTTP response headers and get specific, copy-paste fixes for missing or weak protections — Content-Security-Policy, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy (COOP).
By scanning, you confirm you own or have permission to test this domain. Not a substitute for manual penetration testing.
What this security headers checker checks
How it works
Read-only: one HTTPS request, no payloads.
1. We send a single normal HTTPS request to your homepage — exactly like a browser would.
2. We read only the HTTP response headers (Content-Security-Policy, HSTS, X-Frame-Options, Referrer-Policy, COOP/COEP, cookie flags) and the server banner.
3. Each header is graded against current best practice, and weak values (e.g. a CSP with unsafe-inline, or a short HSTS max-age) are called out with the exact fix.
What it doesn’t do: It reads headers on the homepage only — it does not log in, submit forms, or test application logic.
Why it matters
Missing or misconfigured security headers are among the most common — and most easily fixed — web weaknesses. They defend against clickjacking, cross-site scripting, protocol downgrade and data-leak attacks, and most are a single response header away from being fixed.
Frequently asked questions
Is the security headers checker free?
Yes — it runs as part of the free ONEROXE recon scan. No account or sign-up is required.
Which security headers should every site set?
At minimum: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Content-Type-Options, frame protection (X-Frame-Options or a CSP frame-ancestors directive) and a Referrer-Policy.
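The three-step procedure under "How it works" and the minimum header list above, as an added example that is not ONEROXE's own code: one read-only GET to a homepage, then each of the listed headers is graded as ok, weak or missing and paired with a fix string. The grading thresholds (an HSTS max-age of at least one year, a Server header that carries a version number counted as weak), the letter-grade cut-offs, the fix strings and the two sample header sets are all assumptions constructed for this example, not the tool's actual rules.

```python
import re
import urllib.request

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds); the tool's real threshold is not stated


def grade_headers(headers):
    """Grade a mapping of response headers; returns {"grade": str, "findings": [...]}.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    def add(name, status, fix=""):
        findings.append({"header": name, "status": status, "fix": fix})

    # Content-Security-Policy: missing, or present but undermined by unsafe-inline / unsafe-eval
    csp = h.get("content-security-policy", "")
    if not csp:
        add("Content-Security-Policy", "missing",
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        add("Content-Security-Policy", "weak",
            "drop 'unsafe-inline'/'unsafe-eval'; allow inline scripts via nonces or hashes")
    else:
        add("Content-Security-Policy", "ok")

    # HSTS: missing, or a max-age too short to protect returning visitors
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not hsts:
        add("Strict-Transport-Security", "missing",
            "Strict-Transport-Security: max-age=31536000; includeSubDomains")
    elif not m or int(m.group(1)) < ONE_YEAR:
        add("Strict-Transport-Security", "weak", "raise max-age to at least 31536000 (one year)")
    else:
        add("Strict-Transport-Security", "ok")

    if h.get("x-content-type-options", "").strip().lower() == "nosniff":
        add("X-Content-Type-Options", "ok")
    else:
        add("X-Content-Type-Options", "missing", "X-Content-Type-Options: nosniff")

    # Frame protection: either the legacy X-Frame-Options or a CSP frame-ancestors directive counts
    if "x-frame-options" in h or "frame-ancestors" in csp.lower():
        add("Frame protection", "ok")
    else:
        add("Frame protection", "missing",
            "X-Frame-Options: DENY (or add frame-ancestors 'none' to the CSP)")

    for name, fix in (
        ("Referrer-Policy", "Referrer-Policy: strict-origin-when-cross-origin"),
        ("Permissions-Policy", "Permissions-Policy: camera=(), microphone=(), geolocation=()"),
    ):
        if name.lower() in h:
            add(name, "ok")
        else:
            add(name, "missing", fix)

    coop = h.get("cross-origin-opener-policy", "").strip().lower()
    if coop == "same-origin":
        add("Cross-Origin-Opener-Policy", "ok")
    else:
        add("Cross-Origin-Opener-Policy", "missing" if not coop else "weak",
            "Cross-Origin-Opener-Policy: same-origin")

    # Server banner: a version number is information disclosure rather than a missing defence
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        add("Server banner", "weak", "strip the version number from the Server header")
    else:
        add("Server banner", "ok")

    problems = sum(1 for f in findings if f["status"] != "ok")
    grade = "A" if problems == 0 else "B" if problems == 1 else "C" if problems <= 3 else "F"
    return {"grade": grade, "findings": findings}


def fetch_headers(url, timeout=10.0):
    """One ordinary, read-only HTTPS GET of the homepage; nothing is submitted beyond the request."""
    req = urllib.request.Request(url, headers={"User-Agent": "headers-check-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # needs network access
        return dict(resp.getheaders())


# Constructed sample responses for offline use (not captured from any real site)
GOOD = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Server": "nginx",
}
WEAK = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Server": "Apache/2.4.41",
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK
    report = grade_headers(headers)
    print("Grade:", report["grade"])
    for f in report["findings"]:
        if f["status"] != "ok":
            print(f"  [{f['status']:<7}] {f['header']}: {f['fix']}")
```

Run it with no argument to grade the constructed WEAK sample, or pass the homepage URL of a site you own to grade a live response. Only the homepage headers are examined, which matches the checker's scope: a clean grade here says nothing about application logic behind a login.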
Does a perfect header score mean my site is secure?
No. Headers are one layer of defence. Automated checks can miss business-logic and application flaws — for those, consider a manual penetration test.