What is Content-Security-Policy (CSP)?

Content-Security-Policy is an HTTP response header that tells the browser which sources of scripts, styles, images, and other resources are trusted. A well-configured CSP is the primary defence against cross-site scripting (XSS) attacks — it prevents an injected script from running even if an attacker manages to insert it into your page. A missing CSP does not mean your site is broken; it means the browser will execute any script it finds, including injected ones.

What is HTTP Strict-Transport-Security (HSTS)?

Strict-Transport-Security (HSTS) instructs browsers to always use HTTPS for a domain, even if the user types http:// or follows an unencrypted link. Without HSTS, an attacker on a shared network can intercept the initial HTTP request before the server redirects to HTTPS — a "SSL stripping" attack. A valid HSTS header includes max-age (how long to enforce HTTPS, typically at least 1 year), and optionally includeSubDomains and preload.

What does a grade A mean in this checker?

Grade A means all six scored security headers are present: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The grade is purely presence-based — it does not evaluate the strictness of each header value. A CSP of "default-src *" counts as present. Use this checker as a first pass; a full pentes.io scan evaluates the quality of header values as part of its findings.

Does checking my URL send data to the target?

The checker makes a single HTTP HEAD request (or a GET request if HEAD does not return headers) to the URL you enter — the same request a browser makes when loading any page. No payloads are sent, no authentication is tested, and no data beyond the URL is transmitted to the target server.

What should I do if security headers are missing?

Set missing headers at the web server or CDN layer so they apply to every response. For nginx, add add_header directives to your server or location block. For Netlify, use the _headers file. For Vercel, use the headers array in vercel.json. Start with Strict-Transport-Security (HSTS), X-Frame-Options: DENY, and X-Content-Type-Options: nosniff — these three are the safest to add without risk of breaking your site. CSP requires more care: start with Content-Security-Policy-Report-Only to observe violations before enforcing.

HTTP Security Headers Checker — Free Instant Test

What this checker tests

This tool makes a passive HTTP request to your URL and reads the response headers. It scores six security headers:

Header	Why it matters
`Content-Security-Policy`	Restricts which scripts, styles, and resources the browser will execute. Primary XSS mitigation.
`Strict-Transport-Security`	Forces HTTPS on all future visits; prevents SSL-stripping on hostile networks.
`X-Frame-Options`	Prevents your page from being embedded in an iframe — blocks clickjacking attacks.
`X-Content-Type-Options`	Stops browsers from MIME-sniffing responses — prevents drive-by download attacks via crafted responses.
`Referrer-Policy`	Controls how much of the current URL is sent in the Referer header to third-party sites.
`Permissions-Policy`	Restricts access to browser APIs (camera, microphone, geolocation, payment) for your page and its iframes.

Grade rubric

The grade is based on how many of the six headers are present in the response:

A — all 6 headers present
B — 5 of 6 present
C — 4 of 6 present
D — 3 of 6 present
F — fewer than 3 present

The grade does not evaluate the strictness of header values — a permissive CSP counts the same as a strict one. This is a presence check; for a quality analysis, run a full pentes.io scan.

Trust and differentiators

No account required. Results are not stored. The check is passive — one HTTP request to your URL, header inspection only, no body read. Safe to run against production.

For continuous monitoring — alerts when headers change or degrade — create a free pentes.io account. The free tier includes 5 scans per month with LLM-triaged findings and a downloadable report.

See all free security tools or read the AI-generated code security checklist for the broader surface to check.

What this checker tests

Grade rubric

Trust and differentiators

Monitor your headers continuously