Security Headers Checker · dev-docs

Security Headers Checker: Overview

Understand what the HTTP security headers on a public URL do — and what they don't.

Published Apr 20, 2026

The Security Headers Checker fetches a public URL and reports which HTTP response headers are present, which are missing, and — where possible — whether their values look reasonable.

What it checks

  • Strict-Transport-Security (HSTS) — tells the browser to use HTTPS only for this host (and, with includeSubDomains, its subdomains) for max-age seconds after it is seen; browsers honour it only when it arrives over HTTPS.
  • Content-Security-Policy (CSP) — restricts where the page may load scripts, styles, frames and other resources from; the main defence-in-depth against cross-site scripting.
  • X-Frame-Options / frame-ancestors — limits which origins may embed the page in a frame (clickjacking); the CSP frame-ancestors directive is the current form and takes precedence when both are sent.
  • X-Content-Type-Options — with the value nosniff, stops the browser from guessing a content type that differs from the declared Content-Type.
  • Referrer-Policy — controls how much of the current URL the browser sends in the Referer header on navigations and subresource requests.
  • Permissions-Policy — declares which browser features (camera, geolocation, etc.) the page and the frames it embeds may use.
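
The kind of presence-and-value check the list above describes, as an added illustration (not the checker's own code). Everything below is an assumption made for the example: the one-year threshold for HSTS max-age, the CSP keywords treated as weak, the two constructed header sets, and the hypothetical `fetch_headers` helper used when a URL is passed on the command line.

```python
"""Presence and sanity checks for the six response headers listed above.

Added example, not the Security Headers Checker's own code. Thresholds and
the flagged values are assumptions chosen for illustration.
"""
from __future__ import annotations

import re
import urllib.request
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (header, "ok" | "warn" | "missing", detail)

ONE_YEAR = 31_536_000  # assumed minimum HSTS max-age, in seconds


def _normalize(headers) -> Dict[str, str]:
    """Lower-case header names: HTTP header names are case-insensitive."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Parse "default-src 'self'; script-src a b" into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def evaluate_headers(raw_headers) -> List[Finding]:
    """Return one finding per header family; values are judged, not just presence."""
    h = _normalize(raw_headers)
    findings: List[Finding] = []

    # HSTS: without a max-age the header does nothing; a short one barely helps.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing", "browser will not insist on HTTPS"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m:
            findings.append(("Strict-Transport-Security", "warn", "no max-age directive; header is ineffective"))
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(("Strict-Transport-Security", "warn", f"max-age={m.group(1)} is shorter than one year"))
        else:
            findings.append(("Strict-Transport-Security", "ok", hsts))

    # CSP: script-src governs scripts; default-src is the fallback when it is absent.
    csp = h.get("content-security-policy")
    csp_dirs = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append(("Content-Security-Policy", "missing", "script, style and frame sources unrestricted"))
    else:
        script_src = csp_dirs.get("script-src", csp_dirs.get("default-src"))
        if script_src is None:
            findings.append(("Content-Security-Policy", "warn", "neither script-src nor default-src set"))
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(("Content-Security-Policy", "warn", "script sources allow 'unsafe-inline' or *"))
        else:
            findings.append(("Content-Security-Policy", "ok", "script sources are restricted"))

    # Framing: frame-ancestors wins over X-Frame-Options when both are present.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" in csp_dirs:
        findings.append(("frame-ancestors", "ok", " ".join(csp_dirs["frame-ancestors"])))
    elif xfo in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "ok", xfo))
    elif xfo.startswith("ALLOW-FROM"):
        findings.append(("X-Frame-Options", "warn", "ALLOW-FROM is obsolete; use frame-ancestors"))
    else:
        findings.append(("X-Frame-Options", "missing", "page can be framed by any origin"))

    # X-Content-Type-Options: only the (case-insensitive) value nosniff is recognised.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append(("X-Content-Type-Options", "missing", "browser may sniff content types"))
    elif xcto.lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "warn", f"unexpected value {xcto!r}"))
    else:
        findings.append(("X-Content-Type-Options", "ok", "nosniff"))

    # Referrer-Policy: unsafe-url sends the full URL to every destination.
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(("Referrer-Policy", "missing", "browser default policy applies"))
    elif rp.lower() == "unsafe-url":
        findings.append(("Referrer-Policy", "warn", "unsafe-url leaks the full URL cross-origin"))
    else:
        findings.append(("Referrer-Policy", "ok", rp))

    # Permissions-Policy: presence only; which features to deny is site-specific.
    pp = h.get("permissions-policy")
    findings.append(("Permissions-Policy", "ok" if pp else "missing", pp or "browser features unrestricted"))
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Hypothetical helper: GET a public URL and return the headers of the final response."""
    req = urllib.request.Request(url, headers={"User-Agent": "headers-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "NoSniff",
    "Referrer-Policy": "unsafe-url",
}
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    for header, status, detail in evaluate_headers(headers):
        print(f"{status:8} {header}: {detail}")
```

Run it with no arguments to evaluate the constructed weak sample, or with a URL to fetch live headers. Note that `fetch_headers` returns whatever the final response carried, so a plain http:// URL that redirects to https:// is judged on the HTTPS response, and headers that differ per path are only seen for the one path requested.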

What it is not

It is not a vulnerability scanner, it does not render the page or execute JavaScript, and it judges only the one response it receives for the URL you give it, so headers that differ by path or by response type are not seen. A site with every header present can still be insecure; a site with none can still have no exploitable weakness in practice. Use this checker as one signal among many, not a verdict.
