Security Headers
Explained & Tested

The complete reference for HTTP security headers. Scan any site, learn implementation, protect against clickjacking and XSS attacks.

Check any website's security headers
We'll analyze X-Frame-Options, CSP, HSTS, and 10+ other security headers.
A+
Excellent
B
Good
C
Fair
D
Poor
F
Failing

Essential Security Headers

Click any header for implementation guides, examples, and best practices

Essential

X-Frame-Options

Prevents clickjacking attacks by controlling whether your site can be embedded in iframes on other domains.

X-Frame-Options: SAMEORIGIN Essential

Content-Security-Policy

The most powerful security header. Controls which resources can load, preventing XSS and data injection attacks.

Content-Security-Policy: default-src 'self' Essential

Strict-Transport-Security

Forces browsers to only connect via HTTPS, preventing protocol downgrade and cookie hijacking attacks.

Strict-Transport-Security: max-age=31536000 Recommended

X-Content-Type-Options

Prevents browsers from MIME-sniffing responses, reducing exposure to drive-by download attacks.

X-Content-Type-Options: nosniff Recommended

Referrer-Policy

Controls how much referrer information is sent with requests, protecting user privacy and sensitive URLs.

Referrer-Policy: strict-origin-when-cross-origin Recommended

Permissions-Policy

Controls which browser features (camera, microphone, geolocation) can be used by your site and embedded content.

Permissions-Policy: geolocation=(), camera=() Deprecated

X-XSS-Protection

Legacy XSS filter. Now deprecated in modern browsers—learn why and what to use instead.

X-XSS-Protection: 0 Recommended

Cross-Origin Headers

COOP, COEP, and CORP headers for cross-origin isolation. Required for SharedArrayBuffer and high-resolution timers.

Cross-Origin-Opener-Policy: same-origin

Quick Start Snippets

Copy-paste configs for your server

🟢 Nginx

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000";

🔴 Apache (.htaccess)

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=31536000"

⚡ Cloudflare (Transform Rules)

X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000

Why Security Headers Matter

🛡️

Prevent Clickjacking

Stop attackers from overlaying invisible iframes on your site to trick users into unintended actions.

🔒

Block XSS Attacks

CSP headers prevent malicious scripts from executing, even if an attacker finds an injection point.

Pass Security Audits

SOC 2, PCI-DSS, and penetration tests check for these headers. Get compliant faster.