Free Security Headers Checker

Analyze your website's HTTP security headers in seconds. Get an A-F grade with actionable recommendations.

7 Headers We Analyze

Each header protects against a different class of attack. Here's what we check and why it matters.

Strict-Transport-Security

HSTS

Forces HTTPS connections, preventing protocol downgrade attacks and cookie hijacking. A must-have for any site handling sensitive data.

Content-Security-Policy

CSP

Controls which resources browsers can load, providing the strongest defense against XSS and data injection attacks.

X-Frame-Options

Clickjacking

Prevents your site from being embedded in iframes on malicious pages, blocking clickjacking attacks.

X-Content-Type-Options

MIME Sniffing

Stops browsers from guessing content types, preventing attackers from tricking browsers into executing malicious files.

Permissions-Policy

Feature Control

Restricts which browser features (camera, microphone, geolocation) your site can access, reducing attack surface.

Referrer-Policy

Privacy

Controls how much URL information is shared when users navigate away, protecting sensitive paths and query strings.

X-XSS-Protection

Legacy

A deprecated header that once activated browser XSS filters. Modern best practice is to rely on CSP instead. We check that you're not misconfiguring it.
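As an added example (not the checker's own code), here is a small Python evaluator that applies the seven checks above to a captured header set and maps the number of passing checks to a letter grade. The accepted values, the HSTS max-age threshold and the grading scale are this example's assumptions; the sample responses are constructed.

```python
"""Evaluate a response's security headers against the seven checks listed above."""
import re

# Thresholds and accepted values are this example's assumptions, not the tool's own rules.
HSTS_MIN_AGE = 15552000  # 180 days, in seconds
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
GRADES = {7: "A", 6: "B", 5: "B", 4: "C", 3: "C", 2: "D", 1: "D", 0: "F"}


def check_headers(headers: dict) -> dict:
    """Return {header: (passed, observed_value)} for each of the seven headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    r = {}
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    r["Strict-Transport-Security"] = (age is not None and int(age.group(1)) >= HSTS_MIN_AGE,
                                      hsts or "missing")
    csp = h.get("content-security-policy", "")
    r["Content-Security-Policy"] = ("default-src" in csp, csp or "missing")
    xfo = h.get("x-frame-options", "").upper()
    r["X-Frame-Options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")
    xcto = h.get("x-content-type-options", "").lower()
    r["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")
    pp = h.get("permissions-policy", "")
    r["Permissions-Policy"] = (bool(pp), pp or "missing")
    rp = h.get("referrer-policy", "").lower()
    r["Referrer-Policy"] = (rp in SAFE_REFERRER, rp or "missing")
    # Legacy filter: absent or explicitly disabled ("0") passes; enabling it is flagged.
    xss = h.get("x-xss-protection")
    r["X-XSS-Protection"] = (xss is None or xss == "0", xss if xss is not None else "absent")
    return r


def grade(headers: dict) -> str:
    """Map the number of passing checks to a letter grade; an A needs all seven."""
    return GRADES[sum(ok for ok, _ in check_headers(headers).values())]


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {"X-XSS-Protection": "1; mode=block", "X-Frame-Options": "ALLOWALL",
        "Strict-Transport-Security": "max-age=300"}
```

Calling `grade(HARDENED)` returns "A" and `grade(WEAK)` returns "F"; `check_headers` lists which of the seven checks failed and the value observed.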

Frequently Asked Questions

What are HTTP security headers?

HTTP security headers are directives sent by your web server that tell browsers how to handle your content securely. They protect against common attacks like clickjacking, XSS, MIME sniffing, and protocol downgrades. Most take only a few minutes to configure.

How do I add security headers?

In Nginx, use add_header directives in your server block. In Apache, use Header set in .htaccess. In Laravel, create middleware that sets headers on responses. CDNs like Cloudflare also support configuring headers through their dashboard.

What grade should I aim for?

Aim for at least a B. An A requires all 7 headers properly configured, including Content-Security-Policy which can be complex to set up. Start with the quick wins: HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy can all be added in minutes.

Is Content-Security-Policy difficult to set up?

CSP can be complex for sites with many third-party scripts. Start with Content-Security-Policy-Report-Only to see what would be blocked without breaking anything. Once you understand your site's requirements, switch to enforcing mode.

Does this tool access my private data?

No. We send a single standard HTTP GET request — exactly what any browser does when visiting your site. We only read the response headers. We don't scan for vulnerabilities, test login forms, or access non-public resources.

How is this different from the free scanner?

The free scanner checks for Laravel-specific issues like debug mode, exposed .env files, and missing headers. This tool provides a deep-dive specifically on security headers with per-header grading and fix recommendations.

Monitor Headers Continuously

Headers can regress after deployments. StackShield monitors your security headers (and 29 other checks) automatically and alerts you when something changes.

No credit card required. 14-day free trial on all plans.