HTTP security headers check
Fetch a URL's response headers and grade its security headers (CSP, HSTS, etc.).
What security headers do
Security headers are instructions your server sends to the browser. They opt into protections the browser can enforce: where scripts are allowed to load from, whether the page can be framed by another site, whether HTTPS should always be used. Most of them add no latency and need no changes to application code; each is usually a single line in your server or CDN config. The exception is a strict Content-Security-Policy, which normally means moving inline scripts and styles into files or marking them with nonces or hashes. Otherwise the policy either breaks the page or has to be loosened until it no longer protects anything.
What each header does
Strict-Transport-Security (HSTS) tells browsers to connect over HTTPS only, for max-age seconds, even if the user types http:// or follows an old http:// link. Without it, every visit that starts over HTTP can be intercepted and kept on plain HTTP before the server's redirect to HTTPS is ever seen. Browsers only honor the header on an HTTPS response and only after they have seen it once, so the very first visit stays exposed unless the domain is on the browsers' preload list (which requires includeSubDomains and preload in the header).
Content-Security-Policy (CSP) defines where scripts, styles, and other resources are allowed to load from. With a tight policy (no 'unsafe-inline' in script-src, no wildcard or scheme-only sources such as https:, and nonces or hashes for the inline scripts you do need), an attacker who finds an XSS vulnerability still cannot run injected code, because the browser refuses to execute scripts the policy does not allow. A policy that allows 'unsafe-inline' or * for scripts is present but gives almost no protection against XSS.
X-Frame-Options (DENY or SAMEORIGIN) prevents your page from being embedded in an iframe on another site. Without it, an attacker can load your page in a transparent iframe over their own page and trick users into clicking buttons they cannot see, a technique called clickjacking. The CSP frame-ancestors directive does the same job with control over which origins may frame you and takes precedence in browsers that support it; X-Frame-Options is still worth sending for older ones.
X-Content-Type-Options: nosniff stops browsers from guessing (sniffing) the content type of a response instead of trusting the Content-Type header. Without it, a browser may treat an uploaded file or an API response as HTML or script because its bytes look like one, which older browsers in particular were prone to. With it, browsers also refuse to execute a script whose response is not served with a JavaScript MIME type and ignore stylesheets not served as text/css.
Referrer-Policy controls how much of the current URL is sent in the Referer header when a user clicks a link or the page loads a resource from another site. Without it you rely on the browser default: current browsers default to strict-origin-when-cross-origin (origin only to other sites), but older ones send the full URL, including query parameters and any tokens in them, to third parties. Setting it explicitly (strict-origin-when-cross-origin, or no-referrer) makes the behavior the same everywhere; unsafe-url and no-referrer-when-downgrade still leak the full URL to other HTTPS sites.
Permissions-Policy (the successor of Feature-Policy) disables browser APIs the page does not need. Setting camera=(), microphone=(), geolocation=() means those APIs cannot be activated by injected scripts or third-party ads loaded on the page; the browser refuses the request outright, with no permission prompt. An allowlist of * (for example camera=*) grants the feature to every embedded origin and is no better than omitting it.
How the grade is calculated
One point per header present, out of six. A = all 6, B = 5, C = 4, D = 3, F = fewer than 3. The grade reflects presence only, not whether the values are strict. A permissive CSP still counts as present. Check the actual header values in the results for a complete picture.
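As an added example (not the tool's own code), here is a Python script that applies the presence-based grade above to a set of response headers and then adds the value checks the grade skips: HSTS max-age and includeSubDomains, the effective CSP script sources, the X-Frame-Options value, Referrer-Policy values that leak the full URL, and Permissions-Policy wildcards. The thresholds (one year for HSTS, the list of overly broad CSP sources) are the example's own assumptions, the two sample header sets are constructed rather than captured from any real site, and fetch_headers only runs when the script is invoked from the command line with a URL.

```python
"""Grade HTTP security headers by presence (the page's rule) and flag weak values."""
import re
import sys
import urllib.request

# The six headers the grade counts.
GRADED = (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
)
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds
BROAD_SOURCES = ("*", "http:", "https:", "data:")  # assumed "too broad" CSP script sources


def fetch_headers(url, timeout=10):
    """Return the final response's headers (redirects followed) as a dict."""
    req = urllib.request.Request(url, headers={"User-Agent": "headers-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def grade(headers):
    """Presence-only grade: A = 6 headers, B = 5, C = 4, D = 3, F = fewer than 3."""
    names = {k.lower() for k in headers}
    present = sum(1 for name in GRADED if name.lower() in names)
    return {6: "A", 5: "B", 4: "C", 3: "D"}.get(present, "F"), present


def csp_directives(value):
    """Parse a CSP into {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out


def weaknesses(headers):
    """Value checks the presence grade does not perform. Returns a list of findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m:
            findings.append("HSTS has no max-age, so browsers ignore it")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age={m.group(1)} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is not None:
        d = csp_directives(csp)
        srcs = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
        if srcs is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            low = [s.lower() for s in srcs]
            # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in low)
            if "'unsafe-inline'" in low and not nonce_or_hash:
                findings.append("CSP allows inline scripts ('unsafe-inline' without nonce or hash)")
            if "'unsafe-eval'" in low:
                findings.append("CSP allows eval ('unsafe-eval')")
            findings += [f"CSP script source {s} is too broad" for s in low if s in BROAD_SOURCES]

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo.strip()!r} is not DENY or SAMEORIGIN")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options value {xcto.strip()!r} is not nosniff")

    rp = h.get("referrer-policy")
    if rp is not None:
        policy = [p.strip().lower() for p in rp.split(",")][-1]  # browsers use the last recognised policy
        if policy in ("unsafe-url", "no-referrer-when-downgrade"):
            findings.append(f"Referrer-Policy {policy} sends the full URL to other HTTPS sites")

    pp = h.get("permissions-policy")
    if pp is not None and re.search(r"=\s*\*", pp):
        findings.append("Permissions-Policy grants a feature to every origin (*)")
    return findings


# Constructed samples (not from any real site). Both score A on presence alone.
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' https:; img-src *",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "camera=*, microphone=(), geolocation=()",
}
SAMPLE_STRICT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    letter, n = grade(hdrs)
    print(f"grade {letter} ({n}/6 present)")
    for f in weaknesses(hdrs):
        print(" -", f)
```

Run with no argument and it grades SAMPLE_WEAK: an A with seven findings, which is exactly the gap the grade's presence-only rule leaves open. SAMPLE_STRICT gets the same A with no findings.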