Security Headers Checker

Audit all 8 modern HTTP security headers — HSTS, CSP, Permissions-Policy, Referrer-Policy, X-Frame-Options, and more. Grade A-F with privacy data-flow implications.

How to Use Security Headers Checker

  1. Enter the URL of the website you want to audit.
  2. See all HTTP security headers (or missing ones) detected in the response.
  3. Review per-header analysis showing security and privacy implications.
  4. Follow the fix recommendations to improve your security grade.
Frequently Asked Questions

What HTTP security headers does this tool check?
This tool checks 8 key HTTP security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (COOP), and X-XSS-Protection. Each header is analyzed for correctness and graded.
Why is Permissions-Policy a privacy issue?
Permissions-Policy controls which browser APIs (camera, microphone, geolocation, payment) can be accessed by your page and third-party scripts. Without it, advertising trackers loaded on your site can request location access from your users. Restricting these APIs with `geolocation=(), camera=(), microphone=()` prevents trackers from requesting sensitive permissions.
Why does Referrer-Policy matter for privacy?
Without Referrer-Policy, browsers send the full URL of every page (including path and query parameters like ?email=user@example.com) to every third-party resource — analytics tools, CDNs, and ad networks. Setting Referrer-Policy: strict-origin-when-cross-origin limits cross-origin referrer data to just the domain, preventing URL-based data leakage.
What is HSTS and why do I need it?
HTTP Strict Transport Security (HSTS) tells browsers that your site must be accessed over HTTPS only. Without it, an attacker on the same network can intercept HTTP connections (SSL stripping attack). Once HSTS is set with a long max-age, browsers will refuse to connect to your site over plain HTTP even if the user types 'http://' manually.
My CSP is missing — how do I create one?
CSP can be complex to get right. Start with `Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; upgrade-insecure-requests` and iterate. Use Report-Only mode first to test without breaking anything. The Mozilla Observatory and CSP Evaluator tools can help validate your policy.
What is X-Frame-Options and is it still needed?
X-Frame-Options prevents your site from being embedded in iframes on other domains (clickjacking protection). CSP's `frame-ancestors` directive is the modern replacement, but X-Frame-Options is still needed for older browsers. Use `X-Frame-Options: DENY` unless you need same-domain iframe embedding.
How do I add security headers to my site?
For Nginx: add headers in your server {} block. For Apache: use Header set directives in .htaccess or httpd.conf. For Cloudflare: use Transform Rules → Modify Response Headers. For Vercel/Netlify: use next.config.js headers() or netlify.toml. Most CDNs and hosting platforms support custom response headers.
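The following script is an added example, not the Zenovay checker's own code. It audits the eight headers the FAQ above lists against a constructed sample response (no network access), applies the per-header checks the FAQ describes (HSTS max-age, CSP script sources, safe Referrer-Policy values, Permissions-Policy feature lockdown, and so on), assigns a letter grade, and prints the Nginx `add_header` lines that would fix each missing or weak header. The pass/fail rules, the one-year HSTS threshold, the grade bands and the recommended values are assumptions chosen for illustration; the sample headers are constructed, not captured from any real site.

```python
"""Offline audit of the eight HTTP security headers discussed above.

Added example, not the Zenovay tool's own code. Pass/fail rules, grade
bands and recommended values are assumptions for illustration; the
sample response is constructed, not captured from a real site.
"""
import re

# Recommended values used for the Nginx fix lines (assumed; "0" for
# X-XSS-Protection follows current guidance to disable the legacy auditor).
RECOMMENDED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "object-src 'none'; upgrade-insecure-requests"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=(), payment=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "X-XSS-Protection": "0",
}

# Referrer policies that never send path or query cross-origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def verdict(ok, fail_note):
    return (True, "ok") if ok else (False, fail_note)


def check(name, value):
    """Return (passed, note) for one lowercase header name; None = missing."""
    if value is None:
        return False, "missing"
    low = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", low)
        return verdict(m is not None and int(m.group(1)) >= 31536000,
                       "max-age shorter than one year")
    if name == "content-security-policy":
        scripts = csp_directive(low, "script-src")
        if scripts is None:
            scripts = csp_directive(low, "default-src")  # fallback directive
        if scripts is None:
            return False, "no script-src or default-src"
        return verdict("'unsafe-inline'" not in scripts and "*" not in scripts,
                       "script sources allow inline scripts or a wildcard")
    if name == "x-frame-options":
        return verdict(low in ("deny", "sameorigin"), "DENY or SAMEORIGIN expected")
    if name == "x-content-type-options":
        return verdict(low == "nosniff", "nosniff expected")
    if name == "referrer-policy":
        return verdict(low in SAFE_REFERRER, "policy can leak path and query cross-origin")
    if name == "permissions-policy":
        # A feature is locked down only with an empty allowlist: feature=()
        locked = {m.group(1) for m in re.finditer(r"([a-z-]+)=\(\)", low)}
        missing = {"geolocation", "camera", "microphone"} - locked
        return verdict(not missing, "not disabled: " + ", ".join(sorted(missing)))
    if name == "cross-origin-opener-policy":
        return verdict(low in ("same-origin", "same-origin-allow-popups"),
                       "same-origin expected")
    if name == "x-xss-protection":
        return verdict(low == "0", "legacy XSS auditor enabled; set to 0")
    raise ValueError("unknown header: " + name)


def audit(response_headers):
    """Grade a response's headers (names matched case-insensitively)."""
    present = {k.lower(): v for k, v in response_headers.items()}
    results = {name: check(name.lower(), present.get(name.lower()))
               for name in RECOMMENDED}
    passed = sum(1 for ok, _ in results.values() if ok)
    # Grade bands are an assumption for this example.
    grade = ("A" if passed == 8 else "B" if passed == 7 else
             "C" if passed >= 5 else "D" if passed >= 3 else "F")
    return {"grade": grade, "passed": passed, "results": results}


def nginx_fixes(report):
    """Nginx add_header lines for every missing or weak header (step 4 above)."""
    return ['add_header %s "%s" always;' % (name, RECOMMENDED[name])
            for name, (ok, _) in report["results"].items() if not ok]


# Constructed sample response: short HSTS, inline scripts allowed, leaky
# referrer policy, and three headers absent entirely.
SAMPLE_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    for name, (ok, note) in report["results"].items():
        print("%-28s %s  %s" % (name, "PASS" if ok else "FAIL", note))
    print("Grade:", report["grade"])
    print("\n".join(nginx_fixes(report)))
```

The sample response grades F with two of eight checks passing, and the fix list contains one `add_header` line per failing header; feeding `RECOMMENDED` itself back into `audit` yields an A, which is a quick way to confirm that the checks and the recommendations agree with each other. The `always` parameter matters in Nginx because without it `add_header` is skipped on error responses.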