

Security Headers Checker & Grade

Scan your website's HTTP security headers. Check for HSTS, CSP, X-Frame-Options, and more. Get an instant security grade.

HTTPS Check
7 Headers Analyzed
Instant Grade

Security Headers FAQ

What are HTTP security headers?
HTTP security headers are directives sent by a web server in response headers that tell browsers how to behave when handling your site's content. They protect against XSS, clickjacking, MIME sniffing, and other attacks.
Why are security headers important for SEO?
Google considers site security as a ranking factor. HTTPS is confirmed, and robust security practices signal trust. Security issues can also lead to browser warnings that increase bounce rates.
What is Content-Security-Policy (CSP)?
CSP is a powerful header that controls which resources (scripts, styles, images) can be loaded. It's the best defense against XSS attacks and is recommended by Google.
What is HSTS?
HTTP Strict Transport Security forces browsers to only use HTTPS. It prevents downgrade attacks and is essential for any site using SSL/TLS.


About this tool

Security headers are the unglamorous part of SEO. Nobody writes guides about them, and they don't show up in any keyword research tool. But a missing HSTS header that lets a visitor's browser briefly load your site over HTTP is the kind of thing that triggers a "Not Secure" warning in Chrome — which destroys conversion rate before any ranking signal even gets evaluated.

This checker looks for the six headers that actually matter in 2026: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. We grade each one A through F based on the value, not just presence — a CSP set to default-src * is technically present and effectively useless.
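
The difference between presence and value, as an added example that is not this tool's own grading code: a small Python audit run over two constructed header sets. The three-way verdict and the thresholds (a one-year HSTS `max-age`, which CSP, Referrer-Policy and Permissions-Policy values count as weak) are assumptions chosen for illustration.

```python
import re

ONE_YEAR = 31536000  # assumption: minimum HSTS max-age (seconds) for "ok"

def _hsts(v):
    m = re.search(r'max-age\s*=\s*"?(\d+)', v, re.I)
    return bool(m) and int(m.group(1)) >= ONE_YEAR

def _csp(v):
    # Weak when default-src/script-src admits any origin or inline/eval script.
    loose = {"*", "'unsafe-inline'", "'unsafe-eval'"}
    for directive in v.lower().split(";"):
        parts = directive.split()
        if parts and parts[0] in ("default-src", "script-src") and loose & set(parts[1:]):
            return False
    return True

def _referrer(v):
    # In a comma list the last recognised policy wins; this sketch assumes
    # the last token is one the browser recognises.
    last = v.lower().split(",")[-1].strip()
    return last not in ("", "unsafe-url", "no-referrer-when-downgrade")

CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": _referrer,
    "permissions-policy": lambda v: bool(v.strip()) and "=*" not in v.replace(" ", ""),
}

def audit(headers):
    """Return {header: 'missing' | 'weak' | 'ok'} for the six headers."""
    seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    return {name: "missing" if name not in seen
            else ("ok" if check(seen[name]) else "weak")
            for name, check in CHECKS.items()}

# Constructed sample responses (not captured from any real site).
LOOSE = {"Strict-Transport-Security": "max-age=300",
         "Content-Security-Policy": "default-src *",
         "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
         "Referrer-Policy": "unsafe-url"}
STRICT = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; script-src 'self'",
          "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
          "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
          "Permissions-Policy": "geolocation=(), camera=()"}
```

Four of the six headers are present in `LOOSE`, yet only two pass: a presence-only check would have counted the five-minute HSTS and the wildcard CSP as protection.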

Two warnings before you go editing your nginx config. First: enabling HSTS with preload is a one-way door. Once you submit your domain to Chrome's HSTS preload list, the only way out is a multi-month delisting process. Second: a misconfigured CSP can break your site in ways that don't show up until a user with a specific browser version tries to load a specific resource. Test your CSP in Content-Security-Policy-Report-Only mode for at least a week before enforcing it.

Frequently asked questions

Do security headers affect SEO?
Indirectly, yes. HTTPS is a confirmed ranking signal, and missing security headers can trigger browser warnings that destroy trust signals and increase bounce rate.
Which headers does the tool check?
Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
What's the most important header to add?
HSTS first — it forces HTTPS and prevents protocol-downgrade attacks. CSP second, but only after careful testing because a misconfigured CSP can break your site.
Will adding these headers slow my site?
No. Security headers add a few hundred bytes to the response and have no measurable performance cost.
