Free Security Header Checker — Test Your Site in Seconds
Paste your URL and see which HTTP security headers your site is missing. Free, no signup. Checks CSP, HSTS, X-Frame-Options, and 5 more in under 10 seconds.
Rod
Founder & Developer
Your site probably has missing security headers. Most do. Paste your URL into the free Security Header Checker and you'll know in under 10 seconds — no account needed. You'll get a score from 0 to 100 and a breakdown of which headers are present, missing, or misconfigured.
If you want the fix guide after you see your score, that's at the Next.js security headers config walkthrough. This page is just about the tool.
What the Security Header Checker Does
The tool fetches your URL, reads the HTTP response headers, and checks for 8 security headers that browsers rely on for protection. It scores each one as pass, fail, or misconfigured, and totals those into a 0-100 security score.
| Check | What It Looks For |
|---|---|
| Content-Security-Policy | Presence and basic directive validation |
| Strict-Transport-Security | Presence, max-age value, includeSubDomains |
| X-Frame-Options | DENY or SAMEORIGIN value |
| X-Content-Type-Options | nosniff value |
| Referrer-Policy | Presence and policy strictness |
| Permissions-Policy | Presence |
| Cross-Origin-Opener-Policy | Presence |
| Cross-Origin-Resource-Policy | Presence |
The whole check runs in under 10 seconds. Results appear inline — no email, no account, no waiting.
Check your security headers free — paste your URL and get your score.
Why Security Headers Matter
HTTP security headers are instructions your server sends to browsers. They tell the browser what to trust, what to block, and how to handle your content. When they're missing, browsers fall back to permissive defaults — which is exactly what attackers count on.
Missing security headers are not a minor configuration detail. The OWASP Top 10 lists them under A05:2021, Security Misconfiguration, and they are one of the most consistently found issues in web application security assessments.
The reason it's so widespread in 2026: most apps start with a framework scaffold and get deployed before anyone adds headers. AI coding tools like Cursor and v0 don't add them by default. Vercel doesn't add a full set for you. According to the Veracode State of Software Security 2025 report, 45% of AI-generated code ships with at least one vulnerability — and missing headers are among the most consistent findings we see across real scans. It tracks directly with the broader security gaps in AI-generated code that show up across every stack.
The result: even well-built apps routinely score under 40 on their first header check.
The 8 Headers the Tool Checks
Content-Security-Policy
Tells the browser which scripts, styles, and resources are allowed to load on your page. Your main browser-side mitigation for cross-site scripting (XSS); output encoding in the app is still the first line of defense. Without it, an injected script runs with full access to your DOM, your storage, and any cookie not marked HttpOnly.
Strict-Transport-Security (HSTS)
Tells browsers that have seen the header once over HTTPS (or that have your domain on the preload list) to connect only over HTTPS from then on, even if a user types http://. Prevents protocol downgrade attacks where a network attacker intercepts the plain-HTTP request before your redirect happens. The header is only honored when served over HTTPS, so a check against an http:// URL will not see it.
X-Frame-Options
Prevents your page from loading inside an iframe on another domain. The protection against clickjacking, where an attacker layers an invisible copy of your page over a decoy to trick users into clicking things they didn't intend to. Modern browsers also honor the CSP frame-ancestors directive, which takes precedence when both are set; keep X-Frame-Options for older clients.
X-Content-Type-Options
Stops browsers from MIME-sniffing — guessing the content type of a response based on its contents rather than the declared Content-Type. Without it, a browser might execute an uploaded file as JavaScript if it looks like code.
Referrer-Policy
Controls how much of your URL gets shared when users click links to other sites. Without it, the browser applies its own default: current browsers use strict-origin-when-cross-origin, but older ones send the full URL, including query strings that contain user IDs or tokens, to every external domain. Setting it explicitly removes the dependence on the client's default.
Permissions-Policy
Controls which browser APIs your page can access: camera, microphone, geolocation, payments. Most apps don't use any of these. A restrictive policy limits damage if a malicious third-party script gets injected.
Cross-Origin-Opener-Policy
Isolates your browsing context from cross-origin windows. Prevents other pages from accessing your window object, which blocks a class of cross-site information leaks and Spectre-style attacks in browsers that support it.
Cross-Origin-Resource-Policy
Controls which origins can load your resources in no-cors contexts such as img, script, iframe, and no-cors fetches. Prevents other sites from embedding your API responses or assets in ways you didn't intend. It complements CORS rather than replacing it: requests that use CORS are still governed by Access-Control-Allow-Origin.
The OWASP Secure Headers Project maintains recommended values for all of these. The checker validates against those recommendations.
What Your Score Means
The score is a weighted 0-100 based on which headers are present and correctly configured. Higher-impact headers like CSP and HSTS carry more weight than lower-impact ones.
| Score Range | What It Means |
|---|---|
| 0 – 40 | Several critical headers are missing. Fix CSP and HSTS first. |
| 41 – 70 | Some headers are in place but the configuration has gaps. |
| 71 – 90 | Good baseline. A few headers are missing or could be stricter. |
| 91 – 100 | All 8 headers present and correctly configured. |
Most fresh deployments score between 10 and 35. That's not a reflection of your skills — it's a reflection of how frameworks and hosting platforms ship by default. The fix is usually a single configuration file.
What to Do If Your Score Is Low
The checker tells you what's missing. The fix guide tells you how to add it.
For Next.js apps, everything goes in next.config.ts. The complete Next.js security headers configuration guide has the full copy-paste config block — CSP, HSTS, X-Frame-Options, and the rest. It also covers the nonce approach for App Router, which you'll need for a CSP without 'unsafe-inline', because Next.js injects inline scripts during hydration and a strict script-src blocks them.
For other stacks, the approach is similar — middleware or framework config, not application code.
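As an added example (not the tool's or Data Hogo's own code), the following Node script re-implements the 8 checks from the table above with an illustrative weighting, and pairs them with the header set a next.config.js headers() function would return, so you can watch the same response score 10 before the fix and 100 after. The weights, the pass/misconfigured thresholds, and the constructed "bare deployment" response are assumptions; the header values are taken from the OWASP Secure Headers Project recommendations.

```javascript
// Added example, not Data Hogo's code: a minimal offline clone of the 8-header
// check described above, plus a Next.js headers() config that passes it.
// Assumptions: the per-header weights are illustrative (the real tool's weights
// are not published); header values follow OWASP Secure Headers Project advice.

const ONE_YEAR = 31536000; // seconds; OWASP's recommended HSTS max-age
const STRICT_REFERRER = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Illustrative weights (assumed): CSP and HSTS carry the most; the total is 100.
const WEIGHTS = {
  'content-security-policy': 25,
  'strict-transport-security': 20,
  'x-frame-options': 10,
  'x-content-type-options': 10,
  'referrer-policy': 10,
  'permissions-policy': 10,
  'cross-origin-opener-policy': 8,
  'cross-origin-resource-policy': 7,
};

// Parse "default-src 'self'; script-src 'self' https://cdn.example" into a Map.
function cspDirectives(value) {
  const map = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) map.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return map;
}

// One rule per header: returns 'pass' or 'misconfigured' (absence is 'fail').
const RULES = {
  'content-security-policy': (v) => {
    const d = cspDirectives(v);
    const scripts = d.get('script-src') || d.get('default-src');
    if (!scripts) return 'misconfigured'; // nothing restricts script loads
    // Basic check only: 'unsafe-inline' or a wildcard defeats the XSS purpose.
    return scripts.includes("'unsafe-inline'") || scripts.includes('*') ? 'misconfigured' : 'pass';
  },
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m || Number(m[1]) < ONE_YEAR) return 'misconfigured';
    return /includesubdomains/i.test(v) ? 'pass' : 'misconfigured';
  },
  'x-frame-options': (v) => (['deny', 'sameorigin'].includes(v.trim().toLowerCase()) ? 'pass' : 'misconfigured'),
  'x-content-type-options': (v) => (v.trim().toLowerCase() === 'nosniff' ? 'pass' : 'misconfigured'),
  // The value may be a fallback list; browsers use the last policy they understand.
  'referrer-policy': (v) => (STRICT_REFERRER.has(v.split(',').pop().trim().toLowerCase()) ? 'pass' : 'misconfigured'),
  'permissions-policy': () => 'pass', // presence only, as the table says
  'cross-origin-opener-policy': (v) => (v.trim().toLowerCase() === 'unsafe-none' ? 'misconfigured' : 'pass'),
  'cross-origin-resource-policy': () => 'pass', // presence only
};

// Score a response's headers. Keys may be in any case (HTTP/2 sends them lowercase).
function checkHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = {};
  let score = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    const status = name in h ? RULES[name](h[name]) : 'fail';
    findings[name] = status;
    score += status === 'pass' ? weight : status === 'misconfigured' ? weight / 2 : 0;
  }
  return { score: Math.round(score), findings };
}

// The fix: the header set next.config.js would return from `async headers()`.
// NOTE: script-src 'self' blocks the inline bootstrap scripts Next.js emits, so
// hydration breaks; a production App Router CSP needs the nonce approach instead.
const securityHeaders = [
  { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'" },
  { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(), payment=()' },
  { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' },
  { key: 'Cross-Origin-Resource-Policy', value: 'same-origin' },
];

async function headers() {
  return [{ source: '/(.*)', headers: securityHeaders }]; // apply to every route
}

function toHeaderMap(list) {
  return Object.fromEntries(list.map(({ key, value }) => [key, value]));
}

// Constructed sample: a fresh deployment with a short-lived HSTS and nothing else.
const BARE_DEPLOYMENT = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=300',
};

console.log(checkHeaders(BARE_DEPLOYMENT).score);              // 10
console.log(checkHeaders(toHeaderMap(securityHeaders)).score); // 100
```

Run it with node. To score a live site instead of the constructed sample, pass `Object.fromEntries(response.headers)` from a fetch() call into checkHeaders; the whole-response weighting is the part you would tune to match whatever policy you adopt. The CSP shown is deliberately strict and will break Next.js hydration until you move to the nonce approach the fix guide covers.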
Quick manual check while you're here:
```bash
curl -sI https://your-domain.com | grep -iE 'content-security-policy|strict-transport-security|x-frame-options'
```
If none of the three show up, the checker will show you the full picture. Two caveats: test the https:// URL, because HSTS is only sent over TLS, and remember that curl -I sends a HEAD request, so if your app answers HEAD differently from GET, the headers in your browser's Network tab are the ones that count. Run your URL through the free Security Header Checker for a scored breakdown with specific findings.
After you fix your headers, if you want to go deeper — scanning your actual codebase for exposed secrets, vulnerable dependencies, or missing auth checks — that's what Data Hogo's full scanner does. The free plan at /en/pricing covers 3 scans per month, no credit card required.
You can also check two other common quick wins:
- Env file checker — confirms your .env isn't publicly accessible on your deployed domain
- Security score checker — runs a full surface scan across your deployed URL and gives an overall security score
Frequently Asked Questions
How do I check if my website has security headers?
Paste your URL into Data Hogo's free Security Header Checker. It tests 8 HTTP security headers in seconds and gives a score from 0 to 100 — no signup required. You can also check manually with curl -I https://your-domain.com and look for content-security-policy, strict-transport-security, and x-frame-options in the response.
What security headers should every website have?
At minimum: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The OWASP Secure Headers Project recommends adding Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy as well. Missing any of these falls under OWASP A05:2021 Security Misconfiguration.
Does Vercel add security headers automatically?
No. Vercel doesn't configure this header set for you on any plan. A fresh Next.js deployment on Vercel typically scores below 30 on a header check: you'll see Vercel's own headers like x-vercel-id in the response, but no Content-Security-Policy, X-Frame-Options, or Permissions-Policy. You configure them yourself in next.config.ts. See the MDN Content-Security-Policy reference for directive details.
What is the difference between securityheaders.com and Data Hogo's checker?
Both check HTTP headers against a defined set of best practices. Data Hogo gives a 0-100 numeric score, explains each finding in plain English, links to stack-specific fix guides (not generic documentation), and is the only free header checker with native Spanish support. The score format also makes it easier to track improvement over time as you add headers.
Check your security headers free — no signup, results in seconds.
Related Posts
Free .env Leak Scanner — Check 13 Paths in One Click
Is your .env file publicly accessible? Paste your URL and check 13 common paths instantly. Free, no signup. A 200 on any path means your secrets are live.
What's Your App's Security Score? Take the Free Quiz
10 yes/no questions about your app's security. Get a score from 0-100 across 5 areas: secrets, auth, headers, database, dependencies. Free, no signup, 3 minutes.