
How to Check Website Security Headers (Free Online Tool, No Login)

HTTP security headers are invisible signals your server sends to browsers. Most websites are missing at least two. Here's how to check yours for free — and what to do if they're missing.

May 18, 2026·8 min read·AuditAI Team

Security headers are HTTP response headers that your web server sends alongside every page. They tell the browser how to behave: whether the page may be framed, which script sources to trust, and whether to insist on HTTPS. They don't change how your site looks, but because the browser enforces them on every visit they are one of the cheapest and most effective layers of defence against common web attacks.

The good news: checking your website's security headers is free and takes under 30 seconds with AuditAI — no login, no signup required. You get a security score and AI-generated fixes for every missing header.

How to Check Your Security Headers (3 Steps)

  1. Go to auditai.fyi — no account needed
  2. Enter your website URL and click "Scan Site"
  3. Open the Security tab in your results — you'll see which headers are present ✓ and which are missing ✗, with an overall security score

Pro tip

You can also check headers manually in your browser's DevTools → Network tab → click the document request → scroll to "Response Headers", or from a terminal with curl's -I option. Either way, look at the final HTTPS response, not the http:// redirect that precedes it: browsers ignore HSTS on plain HTTP, and the other headers only matter on the page that is actually rendered. AuditAI's free website security audit is faster and checks all 13+ headers at once with instant AI-generated fix suggestions.

The 6 Security Headers Every Website Should Have

Content-Security-Policy (CSP) · Critical risk if missing

What it does

Tells the browser which sources may load scripts, styles, images, fonts, frames and network connections on your page, and blocks everything else.

Why it matters

CSP doesn't stop an attacker from finding an injection bug, but a strict policy stops the injected script from running, or from sending data to the attacker's server, which makes it the strongest browser-side mitigation for Cross-Site Scripting (XSS).

How to add it

Add a Content-Security-Policy header on your server. A good starting point is Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'. The last three directives don't fall back to default-src, so they must be listed explicitly. default-src 'self' blocks inline script and style blocks and every third-party CDN, so deploy the policy first as Content-Security-Policy-Report-Only, review the violation reports, and only then switch to the enforcing header. Avoid 'unsafe-inline' in script-src; use nonces or hashes instead.

Strict-Transport-Security (HSTS) · High risk if missing

What it does

Instructs browsers to connect to your site only over HTTPS, even if the user types http://, for as long as max-age says. Browsers only honour it when it arrives over a valid HTTPS connection.

Why it matters

Without HSTS, users are vulnerable to SSL-stripping attacks, in which an attacker on the network path downgrades their connection to unencrypted HTTP before your redirect to HTTPS ever happens. HSTS closes that window for every visit after the first one; the preload list closes it for the first visit too.

How to add it

Add: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Send it only on HTTPS responses. includeSubDomains commits every subdomain, internal ones included, to HTTPS, and preload is meant for submission to hstspreload.org, where removal takes months, so start with a short max-age, confirm nothing breaks, then raise it to a year and add preload.

X-Frame-Options · High risk if missing

What it does

Prevents your page from being embedded inside an iframe on another domain.

Why it matters

Without it, attackers can use clickjacking — overlaying your page invisibly inside their site to trick users into clicking things they didn't intend to.

How to add it

Add: X-Frame-Options: DENY (or SAMEORIGIN if you embed the page on your own domain). ALLOW-FROM is obsolete and ignored by current browsers. The modern equivalent is the CSP directive frame-ancestors, which can also allow specific origins; when both are present the browser uses frame-ancestors, so keep the two consistent.

X-Content-Type-Options · Medium risk if missing

What it does

Stops browsers from guessing (sniffing) the MIME type of a response.

Why it matters

Without it, a browser may decide a response is HTML or JavaScript even though the server labelled it as something else. An attacker who can upload a file (an avatar, an attachment) can then have it executed as a script from your origin. nosniff also makes browsers refuse cross-origin scripts and stylesheets whose MIME type doesn't match.

How to add it

Add: X-Content-Type-Options: nosniff
Referrer-Policy · Medium risk if missing

What it does

Controls how much referrer information is sent when a user follows a link from your page or the page loads a resource from another site.

Why it matters

Without it, the full URL of the page, including any query parameters (search terms, reset tokens, user IDs), can reach third-party sites via the Referer header. The header limits the leak; the real fix is never to put secrets in URLs in the first place.

How to add it

Add: Referrer-Policy: strict-origin-when-cross-origin. Modern browsers use this as their default when no header is set, but set it explicitly so older browsers and proxies behave the same way; use no-referrer if your URLs carry anything sensitive.

Permissions-Policy · Medium risk if missing

What it does

Controls which browser features (camera, microphone, geolocation) can be used on your page and by embedded iframes.

Why it matters

Limits the blast radius if your site is compromised or an embedded third-party iframe turns hostile: the browser refuses camera, microphone and location access no matter what the script asks for.

How to add it

Add: Permissions-Policy: camera=(), microphone=(), geolocation=()
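Here is what a header check actually evaluates, as an added example that is not AuditAI's scanner and not code from this page: a small Python script that parses a response head (the constructed SAMPLE_RESPONSE below stands in for curl -sI output) and grades each of the six headers, treating a weak value (a short HSTS max-age, 'unsafe-inline' in script-src, the obsolete ALLOW-FROM) as a finding rather than a pass. The score formula and the severity labels are assumptions chosen to mirror the labels used in this article.

```python
"""Grade a raw HTTP response head against the six headers discussed above.
Added example for this article (not AuditAI's scanner); SAMPLE_RESPONSE is
constructed. Presence alone is not a pass: a weak value is reported as a finding."""
from __future__ import annotations

import re

ONE_YEAR = 31536000

# Constructed sample: a response head as `curl -sI https://example.test` would print it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict[str, str]:
    """Map lower-cased header names to values; repeated headers are joined with ', '."""
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # [0] is the status line
        if not line:                         # blank line ends the head
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(value: str) -> list[str]:
    issues = []
    policy = parse_csp(value)
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        issues.append("no script-src or default-src: scripts may load from anywhere")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if weak in script:
                issues.append(f"script sources allow {weak}")
    # These three never fall back to default-src, so "default-src 'self'" alone leaves them open.
    for directive in ("frame-ancestors", "base-uri", "form-action"):
        if directive not in policy:
            issues.append(f"{directive} not set (does not inherit from default-src)")
    return issues


def check_hsts(value: str) -> list[str]:
    issues = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        issues.append("max-age missing")
    elif int(m.group(1)) < ONE_YEAR:
        issues.append(f"max-age {m.group(1)} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in value.lower():
        issues.append("includeSubDomains missing: subdomains stay downgradable")
    return issues


def check_xfo(value: str) -> list[str]:
    # ALLOW-FROM was never widely supported and current browsers ignore it.
    return [] if value.upper() in ("DENY", "SAMEORIGIN") else [f"unsupported value {value!r}"]


def check_referrer_policy(value: str) -> list[str]:
    leaky = ("", "unsafe-url", "no-referrer-when-downgrade")   # these send the full URL cross-origin
    return [f"{value!r} sends the full URL to other origins"] if value.lower() in leaky else []


CHECKS = {
    "content-security-policy": ("critical", check_csp),
    "strict-transport-security": ("high", check_hsts),
    "x-frame-options": ("high", check_xfo),
    "x-content-type-options": ("medium", lambda v: [] if v.lower() == "nosniff" else [f"expected nosniff, got {v!r}"]),
    "referrer-policy": ("medium", check_referrer_policy),
    "permissions-policy": ("medium", lambda v: []),   # presence only; the feature list is site-specific
}


def grade(headers: dict[str, str]) -> tuple[int, dict[str, list[str]]]:
    """Return (score 0-100, {header: findings}); a header counts only if present and clean."""
    report = {}
    for name, (severity, check) in CHECKS.items():
        report[name] = [f"missing ({severity} risk)"] if name not in headers else check(headers[name])
    clean = sum(1 for findings in report.values() if not findings)
    return round(100 * clean / len(CHECKS)), report


if __name__ == "__main__":
    score, report = grade(parse_headers(SAMPLE_RESPONSE))
    print(f"score: {score}/100")
    for name, findings in report.items():
        print(f"{'✓' if not findings else '✗'} {name}: {'; '.join(findings) or 'ok'}")
```

Run it as a script to get one ✓/✗ line per header; the constructed sample scores 33/100 because only X-Content-Type-Options and Referrer-Policy are both present and clean. For a live site, replace SAMPLE_RESPONSE with the headers of the final response after redirects (for instance the getheaders() of urllib.request.urlopen(url), which follows redirects by default) so that an http:// redirect is not the thing being graded.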

How to Add Security Headers to Your Website

How you add security headers depends on your server or hosting environment:

Nginx

add_header Content-Security-Policy "default-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Put these in the server block that listens on 443, since HSTS must not be sent over plain HTTP. Beware of nginx's inheritance rule: an add_header inside a location block replaces every add_header inherited from the server block, so a location that adds its own header silently drops the security headers unless they are repeated there (an included snippet avoids the duplication). The always flag keeps them on error responses too.

Apache (.htaccess)

Header always set Content-Security-Policy "default-src 'self'"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

This needs mod_headers enabled (a2enmod headers on Debian/Ubuntu) and, for .htaccess, an AllowOverride setting that includes FileInfo. When you control the server, prefer the HTTPS virtual host configuration over .htaccess so the HSTS header is only emitted for HTTPS.

Next.js (next.config.ts)

import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  // Applied to every route; add Content-Security-Policy and Strict-Transport-Security
  // entries the same way unless your hosting platform already injects them.
  headers: async () => [
    {
      source: "/(.*)",
      headers: [
        { key: "X-Frame-Options", value: "DENY" },
        { key: "X-Content-Type-Options", value: "nosniff" },
        { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      ],
    },
  ],
};

export default nextConfig;
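The article covers web servers and Next.js; if your application serves its own HTTP from Python, the same headers can be added in one place with a WSGI middleware. The following is an added example, not code from the article or from AuditAI, and the two sample apps (home, admin) and the run helper are constructed for the demo. It emits HSTS only on HTTPS responses and lets a header already set by the app win, which is how a single page gets its own nonce-based CSP while every other page keeps the strict default.

```python
"""Add the security headers from a Python app via WSGI middleware.
Added example, not from the article or AuditAI; works under any WSGI server
(gunicorn, uWSGI, wsgiref). The sample apps and the run() helper are constructed."""
from __future__ import annotations

import secrets
from wsgiref.util import setup_testing_defaults

DEFAULT_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def security_headers(app):
    """Wrap a WSGI app so every response carries the default headers."""
    def middleware(environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            wanted = list(DEFAULT_HEADERS)
            if environ.get("wsgi.url_scheme") == "https":   # never advertise HSTS on plain HTTP
                wanted.append(HSTS)
            for name, value in wanted:
                if name.lower() not in present:              # a header the app set takes precedence
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_headers)
    return middleware


# Constructed sample app 1: an ordinary page that relies on the defaults.
def home(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>home</h1>"]


# Constructed sample app 2: a page with an inline script, allowed through a per-response nonce.
def admin(environ, start_response):
    nonce = secrets.token_urlsafe(16)      # fresh per response; a fixed nonce would defeat the policy
    csp = ("default-src 'self'; script-src 'self' 'nonce-%s'; "
           "frame-ancestors 'none'; base-uri 'self'; form-action 'self'") % nonce
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Security-Policy", csp)])
    return [f'<script nonce="{nonce}">/* inline admin script */</script>'.encode()]


def run(app, scheme: str = "https", path: str = "/") -> tuple[str, dict[str, str], bytes]:
    """Call app with a synthetic request and return (status, headers, body)."""
    environ: dict = {}
    setup_testing_defaults(environ)
    environ["wsgi.url_scheme"] = scheme
    environ["PATH_INFO"] = path
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for scheme in ("https", "http"):
        status, headers, _ = run(security_headers(home), scheme=scheme)
        print(f"{scheme}: {status}")
        for name, value in headers.items():
            print(f"  {name}: {value}")
```

Wrap the application once at startup (application = security_headers(app)) and the defaults apply to every route, including error responses. The precedence rule is deliberate: an app-level override should be rare and reviewed, because it is the only way a page can weaken the policy.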

After Adding Headers: Verify with a Free Security Check

Once you've added your headers, re-run your free website security audit at auditai.fyi to confirm they're being sent on the final HTTPS response. AuditAI checks all 13+ security headers and shows the actual values your server is returning, so you can spot configuration errors (a typo in a directive, a location block that dropped the headers) immediately.

Check Your Security Headers Free

Run a free website security audit at auditai.fyi — no login required. Get your security score, see which headers are missing, and get AI-generated fix code in under 30 seconds.



© 2026 AuditAI. A Satiatek Product.