Website Security Scanner: How to Audit Your Website's Security Headers in 60 Seconds

IP Pulse Pro Team · May 15, 2026 · 15 min read
Shocking stat: Over 70% of the top 1,000 websites are missing at least one critical security header. That includes banks, e-commerce sites, and SaaS platforms. Does yours? Scan it now and find out in 60 seconds.

The 60-Second Security Header Audit

You do not need to be a security expert to check your website's headers. Here is the fastest way:

  1. Open our Website Security Scanner and enter your domain.
  2. Hit "Scan." The tool fetches your HTTP response headers, checks each one against OWASP recommendations, and scores your site.
  3. Read the report. You will see exactly which headers are present, which are missing, and which are misconfigured — with copy-paste fixes for each issue.

That is it. Sixty seconds from scan to remediation plan. Let us look at what those headers actually do.

Security Header Coverage: Typical Website vs. Best Practice
Typical Website: 3/10 headers (30%)
Best Practice: 9-10/10 headers (95%)

Header                       Status           Risk Level
Strict-Transport-Security    MISSING on 65%   CRITICAL
Content-Security-Policy      MISSING on 78%   CRITICAL
X-Frame-Options              MISSING on 45%   HIGH
X-Content-Type-Options       MISSING on 40%   MEDIUM
Referrer-Policy              MISSING on 55%   LOW-MEDIUM
Permissions-Policy           MISSING on 85%   LOW-MEDIUM

Source: HTTP Archive, 2025 analysis of top 1,000 sites

What Are Security Headers?

Security headers are HTTP response headers that instruct the browser to enable built-in protections. They are like a conversation between your server and the browser:

"Hey browser, only load scripts from my domain." (CSP)
"Hey browser, never connect to me over plain HTTP." (HSTS)
"Hey browser, do not let other sites embed me in a frame." (X-Frame-Options)

The browser enforces these instructions, which removes or narrows whole classes of attack, among them cross-site scripting (XSS), clickjacking, mixed content and protocol downgrade, before an attacker's payload ever runs.

Why this matters: Security headers are among the lowest-effort, highest-impact improvements you can make to a website. Most of them need no application code changes, only server configuration. CSP is the exception: a policy strict enough to stop XSS usually means moving inline scripts into files or tagging them with nonces, so budget some work for it. Everything else on this list can ship today.

The 10 Essential Security Headers

1. Strict-Transport-Security (HSTS)

Tells the browser to use HTTPS for every request to your host for the next max-age seconds, defeating protocol-downgrade (SSL-stripping) attacks against returning visitors. The browser only records the policy when it arrives over a valid HTTPS connection; an HSTS header sent over plain HTTP is ignored.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The preload directive does not submit anything by itself: it only marks the domain as eligible for the browser vendors' HSTS preload list, which you apply to at hstspreload.org. Once listed, browsers use HTTPS even on a user's very first visit, closing the gap HSTS otherwise leaves. Preloading is hard to reverse (removal takes months to reach users), so add it only after includeSubDomains has been proven safe on every subdomain, including any that currently serve plain HTTP.

2. Content-Security-Policy (CSP)

The most powerful header for preventing XSS. It controls which resources the browser is allowed to load.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
Start with Report-Only: Before enforcing CSP, send Content-Security-Policy-Report-Only with the same value. The browser reports violations instead of blocking, so you can fix them before they break your site. Add a report-to (or the older report-uri) directive pointing at an endpoint you control; otherwise violations only appear in users' developer consoles, where you will never see them. Note that the policy above still allows inline styles ('unsafe-inline' in style-src). That is a common compromise and far less dangerous than inline scripts, but tighten it with nonces or hashes once you can.

3. X-Frame-Options

Prevents your site from being embedded in iframes on other domains, blocking clickjacking attacks.

X-Frame-Options: DENY

Use DENY if your site should never be framed, or SAMEORIGIN if you need to frame your own pages. Modern browsers honour CSP frame-ancestors instead when both are present; keep X-Frame-Options for older ones.

4. X-Content-Type-Options

Stops browsers from MIME-sniffing a response's content type. Without it, a user-uploaded file served as text/plain can be interpreted as HTML or JavaScript, and a script or stylesheet served with the wrong type is still executed.

X-Content-Type-Options: nosniff

5. Referrer-Policy

Controls how much of the current URL is sent in the Referer header when users follow links or your pages load resources, so paths and query strings (session tokens, password-reset links, internal IDs) are not leaked to third parties. The value below sends the full URL to your own origin, only the origin to other sites, and nothing when going from HTTPS to HTTP. It is also the default in current Chrome and Firefox, so setting it explicitly mainly protects users on older browsers.

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Controls which browser features and APIs your site can use (camera, microphone, geolocation, etc.). Limits the impact of compromised scripts.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()

7. X-XSS-Protection

Legacy header for the XSS auditor built into older browsers. Chrome removed its auditor in 2019, Edge followed, and Firefox never had one, so in current browsers the header does nothing. Still set it, to 0, for users on old browsers:

X-XSS-Protection: 0

Why 0 rather than 1; mode=block? The auditor could be abused as a side channel to leak page contents and to selectively disable legitimate scripts, so OWASP and MDN now recommend turning it off. A strong CSP is the replacement.

8. Cross-Origin-Opener-Policy (COOP)

Puts your page in its own browsing context group, severing the window reference (window.opener) between your page and any cross-origin window that opened it or that it opened. That stops cross-window attacks such as tabnabbing and, together with COEP, lets the browser isolate your page in its own process, which is the defence against Spectre-style cross-origin reads.

Cross-Origin-Opener-Policy: same-origin

9. Cross-Origin-Resource-Policy (CORP)

Tells the browser to refuse to deliver this response to cross-origin no-cors loads, for example another site's <img> or <script> tag pointing at your files. That keeps your resources out of other origins' processes, where a Spectre-style read could reach them. Use same-site instead of same-origin if your own subdomains or your CDN need to load the resource.

Cross-Origin-Resource-Policy: same-origin

10. Cross-Origin-Embedder-Policy (COEP)

Requires every cross-origin resource your page loads to opt in, either with a CORP header or via CORS. Combined with COOP: same-origin it makes the page "cross-origin isolated", which unlocks SharedArrayBuffer and high-resolution timers and completes the Spectre mitigation. Caveat: require-corp breaks third-party embeds (ads, widgets, images) that do not send CORP, so test with Cross-Origin-Embedder-Policy-Report-Only first, or use the newer credentialless value where supported.

Cross-Origin-Embedder-Policy: require-corp

How to Scan Your Website

Using our Website Security Scanner:

  1. Enter your domain name (e.g., example.com)
  2. The scanner sends an HTTPS request to your site and captures all response headers
  3. Each header is checked against OWASP recommendations
  4. You receive a letter grade (A+ through F) with specific fixes for every missing or misconfigured header
  5. Copy the suggested header values and add them to your server configuration

Alternatively, inspect headers manually with our HTTP Headers tool or check your SSL setup with the SSL Checker. Whichever you use, scan more than the home page: headers frequently differ between the main site, API endpoints, static asset hosts, redirect responses and error pages, and a policy that is only set on / protects very little.
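The checks those steps describe, implemented as an added example in Python (this is not IP Pulse Pro's scanner code; the point weights, letter-grade cut-offs and the two header sets are assumptions made here to mirror the post). It takes a dictionary of response headers, which any HTTP client can hand you, and reports missing headers plus the HSTS problems from header 1 (short max-age, missing includeSubDomains, a preload flag the policy cannot back) and the CSP problems from the Common Misconfigurations table:

```python
"""Grade one response's HTTP headers along the lines of the scan steps above.
Added example, not IP Pulse Pro's scanner code: the severity weights, grading
scale and both sample header sets are assumptions chosen to mirror the post."""
ONE_YEAR = 31536000
EXPECTED = {  # header -> severity when absent, following the chart earlier in the post
    "strict-transport-security": "critical", "content-security-policy": "critical",
    "x-frame-options": "high", "x-content-type-options": "medium",
    "referrer-policy": "low", "permissions-policy": "low", "cross-origin-opener-policy": "low",
    "cross-origin-resource-policy": "low", "cross-origin-embedder-policy": "low",
}
WEIGHT = {"critical": 30, "high": 15, "medium": 10, "low": 5}  # assumed deduction per missing header
GRADES = ((95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (0, "F"))  # assumed scale


def parse_directives(value):
    """'max-age=600; includeSubDomains' -> {'max-age': '600', 'includesubdomains': ''}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def parse_csp(value):
    """'default-src 'self'; script-src 'self' cdn.example' -> {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.lower().split()  # keywords/hosts are case-insensitive; nonces only prefix-checked
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def check_hsts(value):
    """Flag a short max-age, a missing includeSubDomains, or a preload flag the policy cannot back."""
    d = parse_directives(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["HSTS: max-age missing or not an integer"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age {max_age} is below one year")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains missing")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("HSTS: preload set, but the policy does not meet the preload-list requirements")
    return findings


def check_csp(value):
    """Flag the script-src and framing weaknesses listed under Common Misconfigurations."""
    p = parse_csp(value)
    script = p.get("script-src", p.get("default-src", []))
    findings = []
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it on its own.
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("CSP: script-src allows 'unsafe-inline' without a nonce or hash")
    if "*" in script or "'unsafe-eval'" in script:
        findings.append("CSP: script-src allows * or 'unsafe-eval'")
    if "frame-ancestors" not in p:
        findings.append("CSP: frame-ancestors missing")
    return findings


def audit(headers):
    """Return (score 0-100, letter grade, findings) for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [n for n in EXPECTED if n not in h]
    bad = []  # misconfigurations in headers that are present
    if "strict-transport-security" in h:
        bad += check_hsts(h["strict-transport-security"])
    if "content-security-policy" in h:
        bad += check_csp(h["content-security-policy"])
    if h.get("x-frame-options", "").upper().startswith("ALLOW-FROM"):
        bad.append("X-Frame-Options: ALLOW-FROM is unsupported; use CSP frame-ancestors")
    if h.get("x-xss-protection", "0").strip() != "0":
        bad.append("X-XSS-Protection: legacy auditor enabled; set it to 0 and rely on CSP")
    score = max(0, 100 - sum(WEIGHT[EXPECTED[n]] for n in missing) - 10 * len(bad))
    grade = next(g for floor, g in GRADES if score >= floor)
    return score, grade, [f"{n}: missing ({EXPECTED[n]})" for n in missing] + bad


# Constructed sample responses: a "3/10" site like the chart above, and a hardened one.
TYPICAL = {
    "Content-Type": "text/html; charset=utf-8", "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOW-FROM https://partner.example", "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                               "img-src 'self' data: https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}

if __name__ == "__main__":
    for label, hdrs in (("typical", TYPICAL), ("hardened", HARDENED)):
        score, grade, findings = audit(hdrs)
        print(f"{label}: {score}/100, grade {grade}")
        for line in findings:
            print("  -", line)
```

Feed it the headers of a real response (for example the `.headers` of a `urllib.request.urlopen` result, which follows redirects, so you audit the final page) and run it against several URLs, not just the home page. Two details worth noticing: a present-but-weak header costs points just as a missing one does, and 'unsafe-inline' is only flagged when no nonce or hash accompanies it, because browsers that understand nonces ignore it in that case.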

Common Misconfigurations

  • CSP with 'unsafe-inline' in script-src
    Why it is wrong: it allows any inline script, which is exactly what an XSS payload is, so the policy no longer stops XSS.
    Fix: move scripts into files, or use nonces or hashes for the inline ones that must stay.
  • HSTS with a short max-age
    Why it is wrong: the browser forgets the policy quickly, and every lapse is a window for a downgrade attack.
    Fix: set max-age to at least 31536000 (one year).
  • X-Frame-Options: ALLOW-FROM
    Why it is wrong: deprecated and ignored by modern browsers, which then apply no framing restriction from this header at all.
    Fix: use DENY or SAMEORIGIN; for an allowlist of framing origins use CSP frame-ancestors.
  • HSTS without includeSubDomains
    Why it is wrong: subdomains can still be reached over plain HTTP, and cookies scoped to the parent domain can be read or overwritten from there.
    Fix: add includeSubDomains (test first: every subdomain must already work over HTTPS).
  • CSP * wildcard
    Why it is wrong: allows scripts or other resources from anywhere, which is barely better than no policy.
    Fix: name the exact origins you need; avoid wildcards in script-src especially.
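The nonce-and-hash fix from the first item above, as an added Python example (not code from the original post; the inline script body, the helper names and the policy layout are constructed here). It computes the 'sha256-...' source for an inline script, mints a fresh nonce per response, builds the header, and re-implements just enough of the browser's matching rules to confirm which inline scripts a given policy will actually run:

```python
"""Allow specific inline scripts with CSP nonces or hashes instead of 'unsafe-inline'.
Added example, not from the original post; the inline script, helper names and the
policy layout are constructed for illustration."""
import base64
import hashlib
import secrets
from typing import Optional

INLINE_SCRIPT = "window.dataLayer = window.dataLayer || [];"  # constructed inline script body


def csp_hash(script_body, algo="sha256"):
    """CSP hash-source for an inline <script> body, e.g. 'sha256-<base64 digest>'.
    Browsers hash the exact text between <script> and </script>, so the body must
    match byte for byte: no trimming, no reformatting by a minifier after hashing."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce():
    """Fresh per-response nonce: 128 random bits, base64 (the charset CSP requires)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(nonce: Optional[str] = None, hashes=()):
    """Policy whose script-src trusts same-origin files plus the given nonce and/or hashes."""
    script_src = ["'self'"] + ([f"'nonce-{nonce}'"] if nonce else []) + list(hashes)
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", script_src),
        ("object-src", ["'none'"]),       # plugins are never needed
        ("base-uri", ["'self'"]),         # stop <base> injection from redirecting relative script URLs
        ("frame-ancestors", ["'none'"]),  # clickjacking; supersedes X-Frame-Options
    ]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


def render_script(nonce):
    """The nonce in the header must be echoed on every inline <script> of that response."""
    return f'<script nonce="{nonce}">{INLINE_SCRIPT}</script>'


def inline_allowed(policy, script_body, nonce_attr=None):
    """Mirror the browser's decision for one inline script under `policy` (simplified CSP
    matching: script-src, falling back to default-src, must carry 'unsafe-inline' on its
    own, a matching 'nonce-...', or a hash of the body)."""
    directives = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True  # legacy allow-all; browsers ignore it once a nonce or hash is present
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return any(csp_hash(script_body, algo) in sources for algo in ("sha256", "sha384", "sha512"))


if __name__ == "__main__":
    nonce = new_nonce()
    policy = build_policy(nonce=nonce, hashes=[csp_hash(INLINE_SCRIPT)])
    print("Content-Security-Policy:", policy)
    print(render_script(nonce))
    print("inline script allowed:", inline_allowed(policy, INLINE_SCRIPT, nonce))
```

Hashes suit static pages, because the policy can be computed once at build time; nonces suit dynamically rendered pages, with one caveat: a page that carries a nonce must never be served from a cache, since a reused nonce is one an attacker can guess.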

Implementation Guide by Server

Nginx

# Place these in the server block that listens on 443. Caveat: add_header is not additive
# across levels. A single add_header inside a nested location block discards every
# add_header inherited from the server block, so repeat the full set there (or keep them
# in one file and include it wherever headers are set).
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Apache

# Requires mod_headers (a2enmod headers on Debian/Ubuntu). Place inside the HTTPS VirtualHost.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; frame-ancestors 'none'"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Pro tip: The always keyword matters in both servers. In Nginx, add_header without always only applies to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308; in Apache, Header set without always is skipped on error responses. Either way, your 404 and 500 pages, which are often exactly where reflected user input ends up, would be served without CSP or framing protection.

Beyond Headers: Full Security Stack

Security headers are your first line of defense, but they are not the whole picture. A comprehensive security posture includes:

  • SSL/TLS configuration: Modern cipher suites, TLS 1.2+ only, proper certificate chain. Check yours with the SSL Checker.
  • Open port management: Close unnecessary ports. Scan for surprises with the Port Checker.
  • IP reputation: Make sure your server IP is not on any blacklists with the IP Reputation Checker.
  • Input validation and output encoding: Headers cannot fix injection vulnerabilities in your code.
  • Dependency scanning: Keep libraries updated to patch known vulnerabilities.