How to Audit Your Security Headers
Not sure if your site has the right security headers? This guide walks you through checking your current headers, identifying gaps, and fixing common issues across Nginx, Apache, Vercel, Netlify, and Cloudflare.
Security Headers Generator
Generate and analyze HTTP security headers for Nginx, Apache, Vercel, Netlify, and Cloudflare. Visual builder with presets and security scoring. Headers covered by the generator:
Strict-Transport-Security (HSTS)
X-Content-Type-Options: always set to nosniff — no configuration needed.
X-Frame-Options
Referrer-Policy
Permissions-Policy
Content-Security-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
X-XSS-Protection: set to 0 to disable the legacy XSS auditor (modern best practice). Use CSP instead.
X-DNS-Prefetch-Control
X-Permitted-Cross-Domain-Policies
Output Format
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), gyroscope=(), magnetometer=(), accelerometer=(), autoplay=(), fullscreen=(self)
X-XSS-Protection: 0
Checking headers with browser DevTools
Open Chrome DevTools (F12) → Network tab → click any request → Headers tab → scroll to Response Headers. Look for Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. Missing headers mean the browser uses permissive defaults, leaving your site exposed.
// JavaScript — check security headers of a URL
async function checkHeaders(url) {
  // HEAD avoids downloading the body; some servers answer HEAD with a
  // different header set than GET, so compare against a GET if in doubt.
  const res = await fetch(url, { method: "HEAD" });
  const required = [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy"
  ];
  // Headers.has() and Headers.get() match names case-insensitively.
  return required.map(h => ({
    header: h,
    present: res.headers.has(h),
    value: res.headers.get(h) || "missing"
  }));
}
// Note: fetch() cannot read all headers cross-origin (only CORS-safelisted
// response headers are exposed unless the server sends Access-Control-Expose-Headers).
// Use curl or a server-side check for full analysis.

Common issues and fixes
Missing HSTS: add the Strict-Transport-Security header after confirming HTTPS works on all pages and subdomains.
Missing X-Content-Type-Options: always add nosniff — it has no side effects.
X-Frame-Options ALLOW-FROM: deprecated in most browsers — use CSP frame-ancestors instead.
X-XSS-Protection: 1: deprecated and can introduce vulnerabilities — set it to 0 and use CSP.
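The DevTools check above tells you which headers exist; the issues list tells you which values are wrong. As an added example that is not part of this page's generator, the following JavaScript audits a header set you have already captured (from DevTools or curl -sI) entirely offline, flagging both missing headers and the deprecated or weak values listed above. The two sample header sets are constructed for the example, and the grade bands are this example's own simplification of the FAQ guidance (A needs the four minimum headers clean, A+ additionally needs CSP without unsafe-inline/unsafe-eval and Permissions-Policy).

```javascript
// Added example, not the generator's own code: audit a captured header set
// offline. Input is a plain object of header name -> value (e.g. copied from
// DevTools or `curl -sI`). Grade bands are this example's own simplification.

const REQUIRED = [
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
  "x-frame-options",
  "referrer-policy",
  "permissions-policy",
];
// The four headers an "A" needs at minimum; CSP and Permissions-Policy lift it to "A+".
const MINIMUM = REQUIRED.filter(n => n !== "content-security-policy" && n !== "permissions-policy");
const ONE_YEAR = 31536000;

// HTTP header names are case-insensitive; normalize keys to lowercase.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function auditHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];
  const flag = (header, level, note) => findings.push({ header, level, note });

  for (const name of REQUIRED) {
    if (!(name in h)) flag(name, "missing", "absent; browser falls back to its permissive default");
  }

  const hsts = h["strict-transport-security"];
  if (hsts !== undefined) {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) flag("strict-transport-security", "weak", `max-age=${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) flag("strict-transport-security", "weak", "includeSubDomains not set");
  }

  const xcto = h["x-content-type-options"];
  if (xcto !== undefined && xcto.toLowerCase() !== "nosniff") flag("x-content-type-options", "weak", "value is not nosniff");

  const xfo = h["x-frame-options"];
  if (xfo !== undefined && /^allow-from/i.test(xfo)) flag("x-frame-options", "deprecated", "ALLOW-FROM is ignored by most browsers; use CSP frame-ancestors");

  // X-XSS-Protection is optional, but any value other than 0 re-enables the legacy auditor.
  const xxss = h["x-xss-protection"];
  if (xxss !== undefined && !/^0\b/.test(xxss)) flag("x-xss-protection", "deprecated", "legacy XSS auditor enabled; set to 0 and rely on CSP");

  const csp = h["content-security-policy"];
  if (csp !== undefined && /'unsafe-inline'|'unsafe-eval'/i.test(csp)) flag("content-security-policy", "weak", "CSP allows 'unsafe-inline' or 'unsafe-eval'");

  // A header counts as clean only if present and without any finding against it.
  const flagged = new Set(findings.map(f => f.header));
  const clean = name => name in h && !flagged.has(name);
  const hasDeprecated = findings.some(f => f.level === "deprecated");
  let grade;
  if (REQUIRED.every(clean) && !hasDeprecated) grade = "A+";      // all six present, CSP strong
  else if (MINIMUM.every(clean) && !hasDeprecated) grade = "A";
  else if (MINIMUM.filter(clean).length >= 2) grade = "B";
  else grade = "F";

  return { grade, findings };
}

// Constructed sample header sets for the example (not captured from a real site).
const HARDENED = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "X-XSS-Protection": "0",
};
const LEGACY = {
  "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "ALLOW-FROM https://partner.example",
  "Referrer-Policy": "no-referrer-when-downgrade",
  "X-XSS-Protection": "1; mode=block",
};

function formatReport(label, set) {
  const { grade, findings } = auditHeaders(set);
  const lines = [`${label}: grade ${grade}`];
  for (const f of findings) lines.push(`  [${f.level}] ${f.header}: ${f.note}`);
  return lines.join("\n");
}

console.log(formatReport("hardened", HARDENED));
console.log(formatReport("legacy", LEGACY));
```

The legacy set is graded B rather than F only because X-Content-Type-Options and Referrer-Policy are clean; every deprecated value (ALLOW-FROM, X-XSS-Protection: 1) rules out an A, which is the behaviour you want from a gate in CI.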
Platform-specific configuration
Nginx: use add_header directives in server blocks (add the 'always' flag so the headers are also sent on error pages).
Apache: use Header directives in .htaccess or httpd.conf.
Vercel: add a headers array in vercel.json.
Netlify: create a _headers file in the publish directory.
Cloudflare: use Transform Rules, or a _headers file with Pages.
Each platform has different syntax — use the generator above to get the right format.
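To make the syntax differences concrete, here is an added JavaScript example (not the generator's own code) that renders one header set in the format each platform consumes: nginx add_header lines, Apache Header directives, a vercel.json headers array, and a _headers file as used by Netlify (Cloudflare Pages accepts the same _headers format). The header set is constructed for the example; check the output against each platform's current documentation before deploying.

```javascript
// Added example, not the generator's own code: render one header set in the
// syntax of each platform. HEADERS below is a constructed sample set.

const HEADERS = [
  ["Strict-Transport-Security", "max-age=31536000; includeSubDomains"],
  ["X-Content-Type-Options", "nosniff"],
  ["X-Frame-Options", "DENY"],
  ["Referrer-Policy", "strict-origin-when-cross-origin"],
  ["X-XSS-Protection", "0"],
];

// nginx: without 'always', add_header is skipped on 4xx/5xx responses.
function renderNginx(headers) {
  return headers.map(([k, v]) => `add_header ${k} "${v}" always;`).join("\n");
}

// Apache: 'always' sets the header on every response, error pages included.
function renderApache(headers) {
  return headers.map(([k, v]) => `Header always set ${k} "${v}"`).join("\n");
}

// Vercel: vercel.json "headers" array; "/(.*)" matches every path.
function renderVercel(headers) {
  const doc = {
    headers: [{ source: "/(.*)", headers: headers.map(([key, value]) => ({ key, value })) }],
  };
  return JSON.stringify(doc, null, 2);
}

// Netlify / Cloudflare Pages: a _headers file is a path line followed by
// indented "Name: value" lines; "/*" applies to the whole site.
function renderNetlify(headers) {
  return ["/*", ...headers.map(([k, v]) => `  ${k}: ${v}`)].join("\n");
}

function render(platform, headers = HEADERS) {
  const renderers = { nginx: renderNginx, apache: renderApache, vercel: renderVercel, netlify: renderNetlify };
  const fn = renderers[platform];
  if (!fn) throw new Error(`unsupported platform: ${platform}`);
  return fn(headers);
}

for (const p of ["nginx", "apache", "vercel", "netlify"]) {
  console.log(`# ${p}\n${render(p)}\n`);
}
```

Whatever format you emit, re-run the header check against the deployed site afterwards: a CDN or edge layer in front of the origin can still drop or override what the origin sends.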
Frequently Asked Questions
What grade should my security headers get?
Aim for an A or A+ grade. This means having at minimum HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and ideally CSP and Permissions-Policy. An A+ requires a strong CSP without unsafe-inline or unsafe-eval.
Do CDNs strip security headers?
Most CDNs preserve origin headers, but some may strip or override specific headers. Cloudflare preserves all custom headers. AWS CloudFront requires explicit header forwarding. Always verify headers are present after CDN deployment.
Should I set security headers on API responses too?
Yes. APIs should set X-Content-Type-Options: nosniff, Strict-Transport-Security, and a restrictive CSP (default-src 'none'). X-Frame-Options: DENY is also recommended since API responses should never be framed.