Security check

Security headers: the simplest security win you can measure

The right HTTP security headers stop whole classes of attacks — clickjacking, protocol downgrade, mixed content. We check your headers and show exactly what's missing and why it matters.

Run a free domain scan All checks →
Relates to: NIS2 · art. 21 — operational security ISO 27001 · A.8.9 configuration management OWASP · Secure Headers Project

What we check

We fetch your response headers and check HSTS (and preload), Content-Security-Policy, X-Frame-Options/frame-ancestors, X-Content-Type-Options, Referrer-Policy and CORS configuration — plus that sensitive headers don't leak server versions.

Why it matters

Security headers are cheap to set and stop real attacks: HSTS prevents downgrade to HTTP, CSP limits XSS, X-Frame-Options stops clickjacking. Their absence is also one of the most common findings in a technical audit.

How Security Guru tests it

Common mistakes

  • HSTS with short max-age or without includeSubDomains
  • No CSP at all — the most common gap
  • Access-Control-Allow-Origin: * together with credentials
  • Server/framework version leaking in headers

What you get in the report

  • Each header: set/missing/misconfigured, with the exact value
  • Recommended value to set per header
  • Prioritisation by which attack it actually stops
  • Mapping to OWASP Secure Headers / ISO A.8.9

FAQ

Does it affect my site?

The check is passive — we only read response headers from your public endpoint. No changes are made.

Is CSP hard?

Getting started is easy; locking it down tightly takes iteration. We give you a starter policy and point out what protects most first.

What matters most?

HSTS and X-Content-Type-Options are easiest to set; CSP gives the most protection but takes the most work. The report prioritises for you.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan