Free Security Headers Check

Security Headers Scanner

Grade Your HTTP Security Headers

Check if your website is protected with the correct HTTP security headers. Get instant analysis and fix recommendations.

Used by security professionals and web developers.

Instant Analysis
Detailed Fix Guide
100% Free Check

How It Works

1. Enter Website

Simply type your website URL into the scanner

2. Analyze HTTP Headers

We check all essential security headers including:

  • Content Security Policy (CSP)
  • Strict Transport Security (HSTS)
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

3. Get Security Score

Receive a grade with detailed fix recommendations

What We Check

Content Security Policy

Mitigates XSS attacks by controlling which sources scripts and other resources can be loaded from

Strict Transport Security

Forces secure HTTPS connections to prevent downgrade attacks

X-Frame-Options

Protects against clickjacking by controlling iframe embedding

X-Content-Type-Options

Prevents MIME-type sniffing, so browsers honor the declared Content-Type

Referrer Policy

Controls what referrer information is sent with requests

Permissions Policy

Controls browser feature access (camera, microphone, etc.)

See What You Get

Detailed security report with risk score, issues found, and actionable recommendations

Security Report

example.com

85
SECURITY GRADE: B
Content Security Policy: Missing
HSTS: Enabled (max-age: 31536000)
X-Frame-Options: DENY

How to Add Security Headers

Apache Configuration

Add these lines to your .htaccess or Apache config file:

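# Requires mod_headers. "always" also applies the headers to error and redirect responses.
Header always set Content-Security-Policy "default-src 'self'"
Header always set Strict-Transport-Security "max-age=31536000"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"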

Nginx Configuration

Add these lines to your nginx.conf or server block:

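# add_header is inherited from the enclosing level only when the current block
# defines no add_header of its own, so repeat these in any block that adds headers.
add_header Content-Security-Policy "default-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;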

Cloudflare Setup

Configure security headers in Cloudflare Transform Rules → Modify Response Header
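
To confirm that a deployed configuration actually emits the six headers listed above, the following added example (not the scanner's own code) audits a raw response head. The sample response, the rule set and the one-year HSTS threshold are assumptions made for this illustration.

```python
import re
from email.parser import Parser

# Constructed sample response head (not captured from a real site).
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
x-content-type-options: nosniff
Referrer-Policy: unsafe-url
"""

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw response head."""
    _, _, block = raw.partition("\n")  # drop the status line
    out = {}
    for name, value in Parser().parsestr(block, headersonly=True).items():
        out.setdefault(name.lower(), []).append(value.strip())
    return out

def _hsts(v):
    m = re.search(r'max-age\s*=\s*"?(\d+)', v, re.I)
    if not m:
        return "weak: no max-age"
    # Assumed threshold: one year, the value used in the configs above.
    return "ok" if int(m.group(1)) >= 31536000 else "weak: max-age under one year"

# Assumed rules for this example; Permissions-Policy is checked for presence only.
CHECKS = {
    "content-security-policy": lambda v: "weak: allows 'unsafe-inline'" if "'unsafe-inline'" in v else "ok",
    "strict-transport-security": _hsts,
    "x-frame-options": lambda v: "ok" if v.upper() in ("DENY", "SAMEORIGIN") else "weak: unrecognized value",
    "x-content-type-options": lambda v: "ok" if v.lower() == "nosniff" else "weak: must be nosniff",
    "referrer-policy": lambda v: "weak: leaks full URL" if v.lower() in ("unsafe-url", "no-referrer-when-downgrade") else "ok",
    "permissions-policy": lambda v: "ok",
}

def audit(raw):
    """Map each of the six headers to 'missing', 'ok' or 'weak: ...'."""
    headers = parse_headers(raw)
    report = {}
    for name, check in CHECKS.items():
        values = headers.get(name, [])
        # Several CSP headers are legal (policies combine); flag repeats of the others.
        if len(values) > 1 and name != "content-security-policy":
            report[name] = f"weak: sent {len(values)} times"
        else:
            report[name] = check(values[0]) if values else "missing"
    return report
```

Feed `audit()` the response head saved from a request to your own site; a header reported as sent more than once usually means both the application and the proxy are setting it.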


Security headers change. Monitor them continuously.

Monitor Your Website Security

Get alerts when security headers are removed or misconfigured

Public Check

  • One-time check
  • No monitoring
  • Manual rescans

Free Account Includes:

Stay protected 24/7

  • Continuous monitoring
  • Header change alerts
  • Scheduled scans
  • Detailed reports

Improve your security grade. Protect against common web attacks.

HTTP Security Headers Monitoring Platform