HTTP Header Checker: Audit and Score Security Headers

Security headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options protect your website and visitors from attacks. The problem: many websites either do not set these headers or configure them poorly – and a header with a weak configuration is barely better than none at all.

This tool checks up to 15 URLs at once, scores each security header with a quality rating instead of a simple “present/missing” check, and uncovers information leaks where your server reveals sensitive details like the software it runs.

Bulk HTTP Header Checker

Check HTTP headers and security score for multiple URLs.

Enter up to 15 URLs. Processing is sequential.

Security Headers Guide

Security headers protect your website from common attacks. Here are the most important headers:

Content-Security-Policy (20 points)

Prevents XSS and other code injection attacks by controlling which resources can be loaded.

Strict-Transport-Security (20 points)

Forces browsers to use HTTPS connections only.

X-Content-Type-Options (15 points)

Prevents MIME type sniffing attacks.

X-Frame-Options (15 points)

Prevents clickjacking attacks.

How the HTTP Header Checker Works

  1. Enter URLs: Enter up to 15 URLs, one per line. The tool analyzes each URL individually and displays results sequentially.
  2. Track progress: A progress bar shows the check status in real time.
  3. Read the overall score: Each URL receives a security score from 0 to 100 points, composed of individual header ratings.
  4. Analyze header details: For each header, you will see the received value, the score, the quality rating, and specific recommendations for improvement.
  5. Check information leaks: A separate section shows headers that unintentionally reveal information – such as server software, programming language, or CMS version.

Frequently Asked Questions

How Is the Score Calculated?

Unlike many tools, the Header Checker does not award points for mere presence. Instead, each header is rated on the quality of its actual configuration, so a weakly configured header earns only part of its maximum points.

What is a good security score?

A score of 70+ indicates a solid security baseline. At 85+, your website is well protected. 100 points is possible but requires a very restrictive configuration that is not practical for every website.

Why do I get a low score despite having a CSP?

This tool evaluates the quality of your CSP, not just its presence. A CSP with unsafe-inline or wildcard sources (*) provides little protection and therefore receives few points. Remove unsafe directives and use nonce- or hash-based policies instead.

What does “information leak” mean?

Server headers like Server: Apache/2.4.54 or X-Powered-By: PHP/8.1 reveal the exact software version of your server to attackers. This lets them search specifically for known vulnerabilities in that version.
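To make the quality-based scoring and the leak detection from the FAQs above concrete, here is an added Python example written for this page; it is not the tool's own implementation. It uses the point values from the Security Headers Guide, but the one-year HSTS threshold, the partial scores for weak values, the normalisation of the four rated headers to 0-100, and the SAMPLE headers are assumptions constructed for the example.

```python
import re

# Max points per header (Security Headers Guide above); the four sum to 70, normalised to 0-100.
MAX_POINTS = {"content-security-policy": 20, "strict-transport-security": 20,
              "x-content-type-options": 15, "x-frame-options": 15}

def rate_csp(value):
    """CSP quality: unsafe-inline or a bare wildcard source is weak; nonce/hash policies are strong."""
    tokens = re.split(r"[\s;]+", value.lower())
    if "'unsafe-inline'" in tokens or "*" in tokens:
        return 5, "weak: remove unsafe-inline and wildcard sources"
    if any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in tokens):
        return 20, "strong: nonce- or hash-based policy"
    return 12, "moderate: no unsafe sources, but no nonce or hash either"

def rate_hsts(value):
    """HSTS quality: a max-age of at least one year (assumed threshold) earns full points."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    age = int(m.group(1)) if m else 0
    if age >= 31536000:  # one year in seconds
        return 20, "strong: max-age covers at least one year"
    return (10, "moderate: raise max-age to one year") if age else (0, "weak: no max-age")

RATERS = {
    "content-security-policy": rate_csp,
    "strict-transport-security": rate_hsts,
    "x-content-type-options": lambda v: (15, "strong") if v.strip().lower() == "nosniff" else (0, "weak: only 'nosniff' is valid"),
    "x-frame-options": lambda v: (15, "strong") if v.strip().upper() in ("DENY", "SAMEORIGIN") else (5, "weak: use DENY or SAMEORIGIN"),
}

def score_headers(headers):
    """Return (score 0-100, {header: (points, max, note)}); a missing header earns 0 points."""
    lower = {k.lower(): v for k, v in headers.items()}
    details, earned = {}, 0
    for name, rater in RATERS.items():
        pts, note = rater(lower[name]) if name in lower else (0, "missing")
        details[name] = (pts, MAX_POINTS[name], note)
        earned += pts
    return round(100 * earned / sum(MAX_POINTS.values())), details

def find_leaks(headers):
    """Flag Server / X-Powered-By values and whether they disclose a version number."""
    return [(k, v, bool(re.search(r"\d+\.\d+", v)))
            for k, v in headers.items() if k.lower() in ("server", "x-powered-by")]

SAMPLE = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",  # constructed
          "Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff",
          "Server": "Apache/2.4.54", "X-Powered-By": "PHP/8.1"}
```

Running score_headers(SAMPLE) shows why a site can hold a CSP and still score poorly: the unsafe-inline policy earns 5 of 20, the short HSTS max-age 10 of 20, and the missing X-Frame-Options nothing.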

Can I set headers through WordPress?

Yes. There are several ways: through security plugins (e.g., Headers Security Advanced), via the .htaccess file (Apache), or through server configuration. The easiest solution for WordPress users is a security plugin.

Why is X-XSS-Protection rated so low?

The X-XSS-Protection header is deprecated. Modern browsers no longer support it because the built-in XSS filter itself had security vulnerabilities. The Content-Security-Policy is the recommended successor.

What is the difference between Feature-Policy and Permissions-Policy?

Feature-Policy is the deprecated predecessor of Permissions-Policy. Both control which browser APIs (camera, microphone, geolocation) a page may use. If the tool detects a Feature-Policy, it displays a notice to switch to the modern Permissions-Policy.
