Free Security Headers Checker

Free tool

Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and COEP/COOP/CORP against your live URL, with copy-paste fixes.

  • Content Security Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Permissions Policy
  • Referrer Policy
  • And more...
No credit card required · Production-safe (100% passive) · No setup or code required

Trusted by 4,000+ security & engineering teams

What you get for free

18 core security checks via this tool, passive scans, step-by-step remediation, security score on every result.

What Essential adds at $39/mo

+17 advanced checks, continuous monitoring, daily security score history, email alerts, GitHub SAST, board-ready PDFs, SOC 2 / ISO 27001 / PCI reports.

What is a Security Headers Test?

A security headers test checks the HTTP response headers your website sends to browsers. These headers tell browsers how to behave when loading your site: for example, whether to allow embedding in iframes, how to handle content types, and whether to enforce HTTPS. Missing or misconfigured security headers are a common cause of findings in security audits and penetration tests. Running a security headers test helps you find the gaps before attackers or auditors do.

Why Security Headers Matter for SEO and Security

Search engines and security assessors both pay attention to how your site is configured. Headers like Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), and X-Frame-Options reduce the risk of cross-site scripting (XSS), clickjacking, and protocol downgrade attacks. Sites that send strong, correct security headers tend to be treated as more trustworthy. A security headers test gives you a clear report of what you send today and what you should add or change to meet best practices.

Common Security Header Mistakes

Many sites omit HSTS or set it with too short a max-age, leave X-Content-Type-Options unset (allowing MIME sniffing), or use overly permissive Content-Security-Policy directives such as unsafe-inline or unsafe-eval. Others send conflicting frame controls (e.g. an X-Frame-Options value that disagrees with the CSP frame-ancestors directive) or forget Referrer-Policy and Permissions-Policy altogether. A security headers checker highlights these issues and explains how each one increases risk, so you can fix them in the right order.

How Barrion Detects Header Issues

Barrion's security headers test tool requests your URL and inspects the response headers. It checks for the presence and correct values of CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the cross-origin headers (COEP, COOP, CORP). The tool then compares what it finds against current best practices and produces a prioritized list of findings with remediation guidance. You can run it on any public URL without installing software or sharing code, which makes it suitable for a quick check before an audit or as part of continuous monitoring.

Use the checker above to analyze your website's security headers. Enter your domain or full URL and click to run the test. Results typically return in under a minute and include specific recommendations for each header.
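As an added illustration of the passive check described above (example code, not Barrion's own scanner), the function below applies the rules from "Common Security Header Mistakes" to an already-captured set of response headers: HSTS presence, max-age and preload readiness, nosniff, unsafe CSP sources, X-Frame-Options versus frame-ancestors consistency, and the two often-forgotten policies. The one-year max-age threshold and the severity labels are assumptions, and the sample headers are constructed.

```python
import re
def parse_csp(value):  # CSP header -> {directive: [sources]}, lower-cased
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def check_headers(headers):
    """Return (severity, message) findings for the mistakes described above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "HSTS missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < 31536000:  # assumed threshold: preload list wants one year
            findings.append(("medium", f"HSTS max-age {max_age} is below one year"))
        flags = set(hsts.lower().replace(";", " ").split())
        if not {"includesubdomains", "preload"} <= flags:
            findings.append(("low", "HSTS not preload-ready (needs includeSubDomains and preload)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing, MIME sniffing allowed"))
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append(("high", "Content-Security-Policy missing"))
    for directive, sources in csp.items():
        for unsafe in ("'unsafe-inline'", "'unsafe-eval'"):
            if unsafe in sources:
                findings.append(("high", f"CSP {directive} allows {unsafe}"))
    xfo = h.get("x-frame-options", "").upper()
    ancestors = csp.get("frame-ancestors")
    if not xfo and ancestors is None:
        findings.append(("medium", "No clickjacking protection (X-Frame-Options or frame-ancestors)"))
    elif xfo == "DENY" and ancestors not in (None, ["'none'"]):
        findings.append(("low", "X-Frame-Options DENY conflicts with CSP frame-ancestors"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(("low", f"{name.title()} missing"))
    return findings

# Constructed sample of a weak response (not a real scan result).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
    "X-Frame-Options": "DENY",
}
```

Feeding it live headers only needs something like `urllib.request.urlopen(url).headers.items()`; the Nginx configuration shown further down produces zero findings, while the constructed sample produces seven.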

How to fix common issues

  • Set X-Content-Type-Options: nosniff
  • Adopt a strict CSP with nonces/hashes
  • Enable HSTS with preload readiness

What are security headers?

HTTP security headers configure browser behavior to reduce risk from XSS, clickjacking, mixed content, and cross-origin leaks.

What this test checks

Content Security Policy (CSP):
  • CSP directive configuration and syntax validation
  • Detection of unsafe-inline and unsafe-eval usage
  • Nonce and hash implementation guidance
  • Frame-ancestors directive for clickjacking protection
Clickjacking Protection:
  • X-Frame-Options header presence and configuration
  • CSP frame-ancestors directive validation
  • Frame embedding restrictions and policy consistency
Content Type & MIME Security:
  • X-Content-Type-Options: nosniff implementation
  • MIME type sniffing protection validation
  • Content-Type header configuration
Privacy & Referrer Control:
  • Referrer-Policy header configuration
  • Cross-origin referrer information control
  • Privacy-preserving referrer policies
Feature Permissions:
  • Permissions-Policy header validation
  • Browser API access restrictions (camera, geolocation, etc.)
  • Feature policy best practices compliance
Cross-Origin Security:
  • Cross-Origin-Embedder-Policy (COEP) configuration
  • Cross-Origin-Opener-Policy (COOP) validation
  • Cross-Origin-Resource-Policy (CORP) settings
Information Disclosure:
  • Server header exposure and version disclosure
  • X-Powered-By header detection
  • Technology stack information leakage
Transport Security:
  • HTTP Strict Transport Security (HSTS) configuration
  • HSTS preload readiness validation
  • HTTPS enforcement policies

Across 7,440 recent passive scans, 98.9% are missing a strict CSP, 57.2% have no HSTS preload, and 46.7% don't send X-Content-Type-Options: nosniff.

Implementation examples

Once you've identified the gap, applying the fix is straightforward. Here are the three configurations developers reach for most often.

Nginx

server {
    # "always" also sends the header on error responses (4xx/5xx).
    # Note: a location block that declares its own add_header does not inherit
    # these; repeat them there, or the headers silently disappear for that path.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; base-uri 'self'" always;
}

Apache

# Requires mod_headers
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; base-uri 'self'"

Node.js (Express + Helmet)

import express from "express"
import helmet from "helmet"

const app = express()

app.use(
  helmet({
    // One-year HSTS with subdomains and the preload flag, matching the configs above
    hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
    // Helmet merges these directives with its own defaults unless
    // useDefaults: false is passed; check the resulting header once deployed.
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        frameAncestors: ["'none'"],
        baseUri: ["'self'"],
      },
    },
    referrerPolicy: { policy: "strict-origin-when-cross-origin" },
    frameguard: { action: "deny" }, // sends X-Frame-Options: DENY
  }),
)
// Helmet sends X-Content-Type-Options: nosniff by default. Permissions-Policy is
// not part of Helmet and must be set separately to match the Nginx and Apache examples.

Tool-specific questions

What's the difference between X-Frame-Options and CSP frame-ancestors?

CSP frame-ancestors is the modern standard and more flexible than X-Frame-Options. It allows granular control over which domains can embed your content. X-Frame-Options is legacy but still widely supported. Use CSP frame-ancestors for new implementations and ensure consistency across your site.

How do I implement a secure Content Security Policy without breaking my site?

Start with a report-only CSP to identify issues, then gradually implement directives. Use nonces for inline scripts, avoid unsafe-inline and unsafe-eval, and implement proper source whitelisting. Test thoroughly in staging before deploying to production.

Why is Permissions-Policy important for web security?

Permissions-Policy controls access to powerful browser APIs like camera, microphone, geolocation, and payment APIs. By restricting these features to trusted origins only, you prevent malicious scripts from accessing sensitive user data and reduce your attack surface significantly.

What are the benefits of implementing Cross-Origin policies (COEP/COOP/CORP)?

Cross-Origin policies enable cross-origin isolation, which provides stronger security guarantees and access to powerful APIs like SharedArrayBuffer. COEP controls resource embedding, COOP isolates browsing contexts, and CORP controls resource loading. Together they create a secure cross-origin environment.

How often should I review and update my security headers?

Review security headers after any major site changes, new feature deployments, or security updates. Use Barrion's continuous monitoring to track header changes over time. Security headers should be treated as part of your security baseline and reviewed quarterly at minimum.

What's the impact of missing X-Content-Type-Options: nosniff?

Without nosniff, browsers may perform MIME type sniffing, potentially interpreting files as different types than intended. This can lead to XSS attacks if malicious content is served with incorrect MIME types. Always set X-Content-Type-Options: nosniff to prevent this behavior.

Why Barrion

Built for the engineers who already have enough to fix.

Speed

Real-time results

Instant analysis with a detailed report. You see findings as the scan runs, not after.

Coverage

Comprehensive checks

35+ checks per scan covering TLS, headers, CORS, cookies, DNS, email auth, and more, in a single pass.

Action

Step-by-step fixes

Every finding ships with the exact remediation step for your framework. Hand it to the engineer who owns the surface.

FAQ

Frequently asked.

What is Barrion and how does it enhance website security?
Barrion is a security testing and monitoring platform for engineering teams, and it works in three ways. Passive scanning keeps a continuous, read-only watch over your live web apps and APIs. Codebase scanning connects to GitHub and checks your code for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting goes on the offensive, running agent-driven attacks that prove which vulnerabilities are genuinely exploitable. Every finding comes with a step-by-step fix you can ship right away.
How safe is Barrion to use for security testing?
Passive scanning and codebase scanning are completely safe to run, including against production. Passive scans only read your live app, so we never submit forms, brute-force endpoints or touch anything that changes state, and codebase scanning just reads your repository. AI pentesting is more aggressive by design, since its job is to confirm real exploits, so it runs rate-limited and non-destructive, and you agree the scope with us before it starts.
What types of security issues does Barrion identify?
It depends on the surface. On your live apps, Barrion catches misconfigurations across TLS and HTTPS, security headers, cookie flags, CORS policy, DNS records, email authentication (SPF, DKIM, DMARC), network exposure and the usual web hygiene gaps. In your codebase it finds secrets committed to the repo, insecure code patterns and vulnerable dependencies. AI pentesting surfaces the exploitable stuff, like SQL injection, cross-site scripting and broken access control, each one backed by proof it can actually be exploited.
What specific security checks does Barrion perform?
For live apps it checks TLS and HTTPS configuration, HTTP security headers, cookie flags, CORS policy, DNS and email authentication records, network exposure and common web hygiene issues. In your codebase it looks for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting takes it further by actively chaining requests to confirm exploitable flaws. Whatever the source, findings are ranked by severity and come with clear, step-by-step remediation.
What is Barrion's smart crawling?
Smart crawling automatically discovers the pages and endpoints of your app so scans cover the surface that matters, without you manually listing every URL.
How often does Barrion perform security scans?
You can run a scan manually whenever you want. Continuous monitoring of your live apps runs on its own (weekly and up on Essential, daily on Business), codebase scans can fire on every commit or pull request, and we alert you the moment something new shows up.
Is Barrion suitable for security testing of all business sizes?
Yes. Live-app monitoring, codebase scanning through GitHub and AI pentesting all work just as well for a solo developer as for a startup, a scale-up or an enterprise security team, without adding headcount.
How does Barrion handle data security and privacy during security testing?
Live-app and codebase scans are read-only by default, and we never store or expose sensitive data from your application. AI pentests are rate-limited and non-destructive, built to confirm whether something is exploitable without altering your data or affecting availability.
What if I'm not satisfied with Barrion's security testing service?
Paid plans start with a free trial, and you can cancel anytime. If something isn't right, contact us and we'll make it work for your team.
How does Barrion help with SOC 2, ISO 27001, NIS2, and other compliance frameworks?
Barrion produces audit-ready PDF and CSV reports suitable for SOC 2, ISO 27001, PCI DSS and NIS2, ready to share with auditors, customers and your board.

Anything else? Email contact@barrion.io.

Monitor security headers on every deploy.

Continuous monitoring re-checks your headers on a schedule and alerts you the moment a deploy regresses. Available on Essential and Business plans.