HTTP Security Header Checker for your website


Security headers automatically audited against best practices

HTTP header audit – 100% online and free
Thousands of website owners trust InspectWP for their security header check

Which security headers does the check cover?

Content-Security-Policy (CSP) including directive audit
Strict-Transport-Security (HSTS) & max-age
X-Frame-Options & clickjacking protection
X-Content-Type-Options & MIME sniffing
Referrer-Policy & Permissions-Policy
Cross-Origin headers (COOP, COEP, CORP)

How the HTTP security header check works

4 steps to a complete header analysis

  1. Enter the URL

     Submit your website URL – we analyse any publicly reachable URL with no setup needed.

  2. Run the header analysis

     We send requests to your server and log every HTTP response header that comes back.

  3. Read the rating

     You see which security headers are set, which are missing and how they should be configured.

  4. Set headers correctly

     Apply the recommended values for CSP, HSTS, X-Frame-Options & co. in your web server or framework.

All security headers at a glance

Which header protects against what – and how should it be configured?

| Header | Protects against | Recommendation |
| --- | --- | --- |
| Content-Security-Policy | XSS, code injection | strict CSP with nonces |
| Strict-Transport-Security | protocol downgrade to HTTP | max-age=31536000; includeSubDomains; preload |
| X-Frame-Options | clickjacking | DENY / CSP frame-ancestors |
| X-Content-Type-Options | MIME sniffing | nosniff |
| Referrer-Policy | data leak via Referer | strict-origin-when-cross-origin |
| Permissions-Policy | browser feature abuse | restrictive per feature |
| Cross-Origin-Opener-Policy | Spectre, cross-origin leaks | same-origin |
| Cross-Origin-Embedder-Policy | cross-origin resource leaks | require-corp |
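The table above can be turned into a small offline check. The following is an added example, not InspectWP's own code: the `audit` function, its status labels and the sample headers are assumptions made for illustration, and a value that differs from the table's recommendation is reported as "weak". Accepting Referrer-Policy values stricter than the recommended one is also an assumption.

```python
import re

# Referrer-Policy values at least as strict as the table's recommendation (assumption)
REFERRER_OK = {"no-referrer", "same-origin", "strict-origin",
               "strict-origin-when-cross-origin"}

def hsts_ok(value):
    """max-age of at least one year plus includeSubDomains, as in the table."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return (bool(m) and int(m.group(1)) >= 31536000
            and "includesubdomains" in value.lower())

def audit(headers):
    """Return {header: 'ok' | 'weak' | 'missing'} for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    checks = {
        "content-security-policy": lambda v: "'nonce-" in v,
        "strict-transport-security": hsts_ok,
        "x-content-type-options": lambda v: v.lower() == "nosniff",
        "referrer-policy": lambda v: v.lower() in REFERRER_OK,
        # presence only: "restrictive per feature" needs a manual review
        "permissions-policy": lambda v: bool(v),
        "cross-origin-opener-policy": lambda v: v.lower() == "same-origin",
        "cross-origin-embedder-policy": lambda v: v.lower() == "require-corp",
    }
    result = {}
    for name, ok in checks.items():
        if name not in h:
            result[name] = "missing"
        else:
            result[name] = "ok" if ok(h[name]) else "weak"
    # Clickjacking is covered by X-Frame-Options: DENY or by CSP frame-ancestors
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo == "DENY" or "frame-ancestors" in csp:
        result["x-frame-options"] = "ok"
    else:
        result["x-frame-options"] = "weak" if xfo else "missing"
    return result

# Constructed sample response headers (not captured from a real site)
SAMPLE = {
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:8} {name}")
```

In the sample, HSTS is reported as weak because its max-age is one day rather than one year, while clickjacking protection passes through `frame-ancestors` even though X-Frame-Options is absent.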
Security header audit – HTTP header check

Harden your website with the HTTP security header checker

With the InspectWP header check you can see in seconds which security headers are set and where the gaps are. The audit reviews all relevant HTTP response headers against current best practices: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and the Cross-Origin headers. You instantly see which headers are missing or insecurely configured.

HTTP header check – fast, complete and independent

Our tool sends a real request to your website and reads every HTTP response header. Unlike static online header scanners, the audit also accounts for dynamic headers that are only set on certain pages and compares the configuration to OWASP and Mozilla recommendations. The result is a concrete to-do list – including example configurations.

HTTP header check – analyze header configuration


Frequently asked security header questions

Everything you need to know about the security header audit

InspectWP requests your website and reads every HTTP response header the server returns. These are checked against current best practices from OWASP and Mozilla, giving you a clear overview of which headers are set, missing or weakly configured.