UnderHost

Security Headers Checker

Audit your website's HTTP security headers. Get a letter grade and actionable fixes for HSTS, CSP, X-Frame-Options, and more.

HSTS
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Letter grade A–F

Is your site sending the right security headers?

Enter any URL to audit your HTTP security headers and get an instant letter grade with per-header risk explanations and exact fix instructions.

HSTS

Strict-Transport-Security prevents protocol downgrade attacks and cookie hijacking by forcing HTTPS connections.

Content-Security-Policy

CSP blocks cross-site scripting (XSS) by controlling which scripts, styles, and resources a browser can load.

X-Frame-Options

Prevents your page from being embedded in iframes on other sites — stops clickjacking attacks cold.

X-Content-Type-Options

Prevents browsers from MIME-sniffing responses — stops attackers from disguising scripts as other content types.

Referrer-Policy

Controls how much referrer information is sent with requests — protects sensitive URL data from leaking to third parties.

Instant Letter Grade

Get an A–F security grade with a detailed per-header breakdown and copy-paste fix instructions for each issue found.

Why HTTP Security Headers Matter

Browser-enforced protection

Security headers are instructions the server sends to the browser, and it is the browser, not the server, that enforces them. They constrain how the page can be loaded, what resources it can fetch, and how other origins may embed or use the response.

Adding headers in cPanel / .htaccess

On Apache shared hosting, add headers to your .htaccess: Header always set X-Frame-Options "SAMEORIGIN". Requires mod_headers, which cPanel enables by default.

WordPress plugins

Headers & Security Enhanced by BestWebSoft or the Headers plugin by 8d91pw can add all security headers without editing files. Alternatively, Cloudflare's Transform Rules can inject headers at the CDN edge.

CSP: start permissive, tighten later

A strict CSP breaks inline scripts and third-party embeds. Start with Content-Security-Policy-Report-Only to find violations before enforcing, then tighten directive by directive.
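The staged rollout described above (Report-Only first, then tighten directive by directive) can be checked mechanically. The following Python is an added example, not UnderHost's checker code: it parses a policy, flags the directives that still leave script injection or clickjacking open, and treats a policy that only appears under Content-Security-Policy-Report-Only as enforcing nothing. The two header sets at the bottom are constructed samples; the finding texts are this example's own wording, while the directive and keyword names are standard CSP.

```python
"""CSP linter for a staged rollout.

Added example, not UnderHost's tool code. The policies at the bottom are
constructed samples; the findings text and the Report-Only handling are
this example's own, while the directive and keyword names are standard CSP.
"""
from __future__ import annotations


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'a b; c d e' into {'a': ['b'], 'c': ['d', 'e']}.

    Names and source expressions are lowercased for comparison. Browsers
    honour the first occurrence of a repeated directive, so we do too.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def lint_csp(policy: str, report_only: bool = False) -> list[str]:
    """Return human-readable findings; an empty list means nothing left to tighten."""
    d = parse_csp(policy)
    findings: list[str] = []
    if report_only:
        findings.append("Report-Only: violations are reported, nothing is blocked yet")
    if "default-src" not in d:
        findings.append("no default-src: any fetch directive you omit is unrestricted")
    # script-src falls back to default-src when it is absent.
    scripts = d.get("script-src", d.get("default-src", []))
    hashed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not hashed:
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
        findings.append("scripts allow 'unsafe-inline' without a nonce or hash: inline XSS is not blocked")
    if "'unsafe-eval'" in scripts:
        findings.append("scripts allow 'unsafe-eval': eval()/Function() injection is not blocked")
    broad = [s for s in scripts if s in ("*", "http:", "https:", "data:")]
    if broad:
        findings.append(f"scripts may load from any host via {' '.join(broad)}: attacker-hosted script is allowed")
    objects = d.get("object-src", d.get("default-src", []))
    if "'none'" not in objects:
        findings.append("object-src is not 'none': plugin content can carry script")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: this CSP does not stop clickjacking (X-Frame-Options must cover it)")
    return findings


def lint_response(headers: dict[str, str]) -> list[str]:
    """Prefer the enforced header, fall back to Report-Only, else report absence."""
    h = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in h:
        return lint_csp(h["content-security-policy"])
    if "content-security-policy-report-only" in h:
        return lint_csp(h["content-security-policy-report-only"], report_only=True)
    return ["no Content-Security-Policy header at all"]


# Constructed samples: a permissive first pass deployed as Report-Only, and a
# tightened policy that is ready to enforce.
FIRST_PASS = {"Content-Security-Policy-Report-Only":
              "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *"}
TIGHTENED = {"Content-Security-Policy":
             "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
             "img-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; "
             "frame-ancestors 'self'"}

if __name__ == "__main__":
    for label, hdrs in (("first pass", FIRST_PASS), ("tightened", TIGHTENED)):
        print(f"== {label}")
        for line in lint_response(hdrs) or ["no findings"]:
            print("  -", line)
```

Run it against the headers of a page served under Report-Only and work down the findings list; when `lint_response` returns an empty list for the Report-Only header, the same value can be moved to the enforced Content-Security-Policy header.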

Nginx config example

Add to your server {} block: add_header X-Content-Type-Options "nosniff" always; then reload Nginx. The always flag ensures headers appear on error responses too.

SEO impact

Google's Page Experience signals include HTTPS (which HSTS enforces) and safe browsing. While headers aren't a direct ranking factor, a site that gets compromised (which missing headers make more likely) receives a Search Console warning and a ranking penalty.

Want server-level security hardening?

UnderHost hosting plans include WAF protection, malware scanning, and server-side security configurations — ask our team about hardening add-ons.

Tool guide

Understanding HTTP security headers

Security headers tell browsers how to protect visitors from common attacks such as clickjacking, content injection, and insecure transport.

What this tool does

It audits HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and related headers.

Who it helps

  • Site owners improving browser-side security
  • Developers hardening production sites
  • Administrators checking server or CDN configuration

Usage instructions

Enter a URL and review the grade plus each header row. Start with missing high-impact headers before tuning advanced policies.

Understanding the output

A warning does not always mean a breach; it means the browser lacks a protective instruction. Fixes for CSP warnings should be tested carefully, ideally in Report-Only mode first, to avoid breaking scripts or forms.
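The grade-plus-per-header-row output described in the usage instructions above can be reproduced offline to see how such a checker reasons. The following Python is an added example, not UnderHost's checker: it audits the six headers the tool lists, returns a finding per header with a ready-to-paste fix line, and maps the number of misses to a letter. The two responses are constructed samples; the one-year HSTS threshold, the set of Referrer-Policy values treated as safe, and the miss-count-to-letter mapping are this example's assumptions, not UnderHost's scoring rules. Fix lines use the Nginx add_header syntax shown earlier on this page; the Apache equivalent is Header always set in .htaccess.

```python
"""Header audit with a letter grade and a fix line per finding.

Added example, not UnderHost's checker. WEAK and HARDENED are constructed
responses; ONE_YEAR, SAFE_REFERRER and grade() are this example's own
assumptions. Fix strings use Nginx add_header syntax.
"""
from __future__ import annotations

import re
import urllib.request
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; assumed threshold (the usual preload-list minimum)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin", "origin", "origin-when-cross-origin"}


@dataclass
class Finding:
    header: str
    ok: bool
    detail: str
    fix: str = ""  # Nginx line for the server {} block; empty when ok


def nginx(name: str, value: str) -> str:
    # 'always' makes the header appear on error responses as well.
    return f'add_header {name} "{value}" always;'


def audit(headers: dict[str, str]) -> list[Finding]:
    """One Finding per audited header; header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out: list[Finding] = []

    def check(name: str, ok: bool, detail: str, fix_value: str) -> None:
        out.append(Finding(name, ok, detail, "" if ok else nginx(name, fix_value)))

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    check("Strict-Transport-Security", bool(m) and int(m.group(1)) >= ONE_YEAR,
          "missing" if not hsts else f"max-age={m.group(1) if m else 'absent'}",
          "max-age=31536000; includeSubDomains")
    enforced = "content-security-policy" in h
    check("Content-Security-Policy", enforced,
          "enforced" if enforced else ("Report-Only only: nothing is blocked yet"
                                       if "content-security-policy-report-only" in h else "missing"),
          "default-src 'self'; frame-ancestors 'self'")
    xfo = h.get("x-frame-options", "").upper()
    check("X-Frame-Options", xfo in ("DENY", "SAMEORIGIN"), xfo or "missing", "SAMEORIGIN")
    xcto = h.get("x-content-type-options", "").lower()
    check("X-Content-Type-Options", xcto == "nosniff", xcto or "missing", "nosniff")
    rp = h.get("referrer-policy", "").lower()
    check("Referrer-Policy", rp in SAFE_REFERRER, rp or "missing", "strict-origin-when-cross-origin")
    pp = h.get("permissions-policy", "")
    check("Permissions-Policy", bool(pp), "present" if pp else "missing",
          "camera=(), microphone=(), geolocation=()")
    return out


def grade(findings: list[Finding]) -> str:
    """Assumed mapping: 0 misses A, 1 B, 2 C, 3 D, 4 or more F."""
    misses = sum(not f.ok for f in findings)
    return {0: "A", 1: "B", 2: "C", 3: "D"}.get(misses, "F")


def report(headers: dict[str, str]) -> str:
    findings = audit(headers)
    lines = [f"Grade: {grade(findings)}"]
    for f in findings:
        lines.append(f"[{'OK' if f.ok else '!!'}] {f.header}: {f.detail}")
        if f.fix:
            lines.append(f"      fix: {f.fix}")
    return "\n".join(lines)


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch live response headers (network; the samples below do not use it)."""
    req = urllib.request.Request(url, headers={"User-Agent": "headers-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed samples: a typical default install and a hardened one.
WEAK = {"Server": "nginx/1.24", "Strict-Transport-Security": "max-age=300",
        "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer-when-downgrade",
        "Content-Security-Policy-Report-Only": "default-src 'self'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
            "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}

if __name__ == "__main__":
    print(report(WEAK))
    print()
    print(report(HARDENED))
```

As the output for WEAK shows, a Report-Only CSP and a short HSTS max-age count as misses even though the headers are technically present, which is the distinction between "header exists" and "browser has a usable protective instruction" that the paragraph above draws.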

Why it matters for hosting

Headers are usually configured at the web server, control panel, application, or CDN layer, making them a natural part of hosting security hygiene.