SearchUnit
Free tool

Security Headers Scan

Analyze HSTS, CSP, X-Frame-Options, and key security headers — with per-header diagnostics and practical recommendations, no account required.

No data is stored or shared.

Understand the headers

What are security headers and why they matter

Security headers are HTTP instructions that tell the browser how to reduce risks like XSS, clickjacking, and referrer leakage. HSTS, CSP, X-Frame-Options, and Referrer-Policy are the most critical.

Advanced headers like Permissions-Policy, COOP, COEP, and CORP strengthen cross-origin isolation — important for modern apps and security maturity signals.

This tool evaluates only HTTP security headers observed in a single GET to the URL you provide (proxy evidence). It does not replace a full security audit or site-wide scan.

Why scan

Three good reasons to scan now

Protection against common attacks

CSP and X-Frame-Options mitigate XSS and clickjacking — frequent vectors on sites without basic hardening.

HTTPS and trust

HSTS enforces secure connections and signals technical maturity — a prerequisite for any security header to matter.

Clear, actionable score

0–100 score with an A+ to F grade and per-header recommendations — fix critical issues before advanced headers.

How it works

Diagnosis in three steps

  1. Enter the URL

    Type the site address. Accepts example.com, www, or a full http/https URL.

  2. We analyze the headers

    We fetch the URL via a secure proxy and evaluate 10 security headers with deterministic rules.

  3. Get your score and fixes

    See score, grade (A+ to F), and a table with found values and recommendations per header.

FAQ

Security headers questions

How does the A+ to F grade work?

Inspired by the MDN HTTP Observatory: we start at 100 points, apply penalties for missing or misconfigured headers, and add bonuses for extra hardening. Grades run A+ through F (A+, A, B+, B, C+, C, D+, D, F). A+ requires a score of 100 with all 9 security headers passing. Plain HTTP gets F; an unfollowed redirect gets R.

Why test the final URL?

The scan reads only headers from the final response after redirects the proxy follows. HSTS often appears on the first HTTPS hop — use your canonical site URL.

Does CSP Report-Only count?

Not for pass. Content-Security-Policy-Report-Only only reports violations — no enforcement. Sites with Report-Only only get warn, not pass.

Does X-Frame-Options still matter with CSP?

If enforcement CSP includes frame-ancestors, X-Frame-Options is obsolete (shcheck rule). Otherwise DENY or SAMEORIGIN is still required.

Why don't deprecated headers appear?

X-XSS-Protection, Expect-CT, and HPKP are obsolete and confusing. We focus on the 10 live headers recommended by OWASP.

Can I get A without COOP/COEP/CORP?

Yes. Missing advanced headers cause light warns (-5 each). B+ (≥80) is possible with perfect HSTS, CSP, XFO, XCTO, and Referrer; A+ requires a score of 100 and all 9 checks passing.

How is this different from AI Visibility Check?

AI Visibility Check scores security headers in aggregate for the GEO Score (simple count). This tool analyzes each header's value and quality with a dedicated score and A+ to F grade.

Want a full site audit?

This tool is in testing. Register your interest and we'll notify you when the tool launches.

We'll only use your email to notify you about the launch.