WMCoder

Security Headers

v1.0.0

Analyze and validate HTTP security headers including CSP, HSTS, X-Frame-Options, and more. Improve your website’s defense against common web attacks with clear implementation guidance.


Inspect security-related HTTP response headers for any URL. Quickly see whether CSP, HSTS, and framing protections are present, coherent, and appropriate for your app.


Frequently Asked Questions

What does Content-Security-Policy (CSP) do?
CSP tells browsers which origins may execute script, load styles, embed frames, connect via XHR/fetch, and more. A strict CSP shrinks the XSS blast radius by blocking inline script altogether; where inline script is unavoidable, allow it only through nonces or hashes. Start in report-only mode, collect violations, then enforce.
Should I use HSTS preload?
Preload adds your site to browser preload lists with a long max-age and includeSubDomains (and often the preload token). It is powerful for downgrade protection but dangerous if you cannot serve HTTPS everywhere the directive covers: any HTTP-only subdomain becomes unreachable. Validate with staging and the [SSL certificate checker](/ssl-certificate) first.
Is X-Frame-Options still needed?
Many sites now prefer CSP frame-ancestors, which is more expressive. X-Frame-Options still helps older clients. Using both consistently (without contradictions) is common during transition.
What is Permissions-Policy (formerly Feature-Policy)?
It disables powerful browser features (camera, geolocation, payment, synchronous XHR) by default, per origin or per embedded frame. It is useful for reducing attack surface on content-heavy sites and sandboxes.
Why analyze headers if I already have TLS?
TLS protects bytes on the wire; headers shape what the browser is allowed to do after decryption. Clickjacking, XSS, MIME sniffing, and referrer leakage are largely HTTP-layer problems. Pair headers with a [TLS scanner](/tls-checker) for defense in depth.
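The checks described in the answers above (inline script in CSP without a nonce or hash, HSTS max-age and preload prerequisites, and X-Frame-Options contradicting frame-ancestors) as a small offline analyzer. This is an added example, not WMCoder's own code; the header values are constructed and the one-year max-age threshold is the preload list's published minimum.

```python
# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=300; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
}

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def parse_hsts(value: str) -> dict[str, str]:
    """Parse HSTS directives into {name: value}; flag directives map to ''."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def analyze(headers: dict[str, str]) -> list[str]:
    """Return findings for CSP, HSTS and framing protections; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    scripts = csp.get("script-src", csp.get("default-src", []))
    # browsers ignore 'unsafe-inline' once a nonce or hash source is present
    guarded = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not guarded:
        findings.append("CSP permits inline script without nonce or hash")
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    max_age = int(hsts["max-age"]) if hsts.get("max-age", "").isdigit() else 0
    if max_age < 31536000:  # a missing header parses to 0; the preload list requires a year
        findings.append("HSTS missing or max-age below one year")
    if "preload" in hsts and "includesubdomains" not in hsts:
        findings.append("HSTS preload without includeSubDomains")
    xfo = h.get("x-frame-options", "").upper()
    ancestors = csp.get("frame-ancestors")
    if ancestors is None and not xfo:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    elif ancestors == ["'none'"] and xfo and xfo != "DENY":
        findings.append("frame-ancestors 'none' contradicts X-Frame-Options " + xfo)
    return findings
```

Running `analyze(SAMPLE_HEADERS)` reports three findings for the constructed headers; a response with a nonce-based script-src, a one-year preloaded HSTS and a matching DENY produces none.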