How to check security headers
HTTP security headers are response headers that help browsers enforce safer behaviour for your website.
Headers worth reviewing
Strict-Transport-Security (HSTS) tells browsers to connect to your host only over HTTPS for the max-age period, even when a user types an http:// address. Content-Security-Policy (CSP) restricts where scripts and other resources may be loaded from, which limits the damage of script injection (XSS). X-Frame-Options or the CSP frame-ancestors directive controls which sites may embed your pages in frames, which prevents clickjacking. X-Content-Type-Options: nosniff stops browsers from guessing a content type that differs from the one you declared.
Referrer-Policy controls how much of the current URL is sent to other sites in the Referer header. Permissions-Policy can disable browser features your site does not need, such as camera, microphone or geolocation. The cross-origin headers (Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy) isolate pages from cross-origin windows and resources for sites that need stricter browser boundaries.
How to interpret warnings
A missing header is not by itself a critical vulnerability, but it is a prompt to review the site type and the browser protections you need. A header that is present can still be weak: a short HSTS max-age, a CSP that allows 'unsafe-inline', or a Referrer-Policy of unsafe-url gives little protection. Start with HTTPS and HSTS, add CSP carefully in report-only mode, then tighten framing, content sniffing, and referrer behaviour.
How NerdTools helps
The security headers checker follows redirects, reports the final URL, and summarises missing or weak headers with plain-language advisories.
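As an added example that is not part of the page and not the NerdTools checker's own code, the script below does what the two sections above describe: it fetches a URL (following redirects and reporting the final URL), then audits the response headers for the missing and weak values discussed here. The `audit` function works on a plain dictionary of headers, so it is exercised with two constructed sample responses (not captured from any real site); `fetch_headers` needs network access and is only used when a URL is passed on the command line. The one-year HSTS threshold and the list of referrer values treated as leaky are the author's choices, not values the page prescribes.

```python
"""Security-header audit: fetch, follow redirects, report the final URL,
then list missing or weak headers with plain-language advice."""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; assumed minimum for a useful HSTS max-age


def fetch_headers(url, timeout=10):
    """GET the URL (urllib follows redirects itself) and return
    (final_url, headers). Needs network access; not used by the samples."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.geturl(), dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return err.geturl(), dict(err.headers.items())


def audit(headers, scheme="https"):
    """Return a list of (level, header, advice) tuples; level is MISSING or WEAK.
    Header names are matched case-insensitively, as browsers do."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []

    # HSTS only means something once the site is actually served over HTTPS
    if scheme != "https":
        out.append(("MISSING", "HTTPS", "serve the site over HTTPS first; HSTS cannot apply over plain HTTP"))
    else:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            out.append(("MISSING", "Strict-Transport-Security", "browsers will still accept plain HTTP for this host"))
        else:
            m = re.search(r"max-age=(\d+)", hsts, re.I)
            age = int(m.group(1)) if m else 0
            if age < ONE_YEAR:
                out.append(("WEAK", "Strict-Transport-Security", f"max-age={age} is below one year ({ONE_YEAR})"))
            if "includesubdomains" not in hsts.lower():
                out.append(("WEAK", "Strict-Transport-Security", "no includeSubDomains; subdomains stay unprotected"))

    # CSP: Report-Only is a rollout step, not enforcement
    csp = h.get("content-security-policy")
    csp_ro = h.get("content-security-policy-report-only")
    policy = csp if csp is not None else csp_ro
    if policy is None:
        out.append(("MISSING", "Content-Security-Policy", "no policy; the browser does not constrain script injection"))
    else:
        if csp is None:
            out.append(("WEAK", "Content-Security-Policy", "only Report-Only is set; violations are reported but not blocked"))
        for weak_src in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak_src in policy:
                out.append(("WEAK", "Content-Security-Policy", f"{weak_src} largely defeats CSP's script-injection protection"))

    # Framing: enforced frame-ancestors, or X-Frame-Options DENY / SAMEORIGIN
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp
    xfo = h.get("x-frame-options")
    if xfo is None and not has_frame_ancestors:
        out.append(("MISSING", "X-Frame-Options", "no framing control; add CSP frame-ancestors or X-Frame-Options"))
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        out.append(("WEAK", "X-Frame-Options", f"value {xfo!r} is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)"))

    # nosniff is the only meaningful value for this header
    if (h.get("x-content-type-options") or "").strip().lower() != "nosniff":
        out.append(("MISSING", "X-Content-Type-Options", "set to nosniff to stop MIME sniffing"))

    # Referrer-Policy: these two values send the full URL to other origins
    rp = h.get("referrer-policy")
    if rp is None:
        out.append(("MISSING", "Referrer-Policy", "browser default applies; consider strict-origin-when-cross-origin"))
    elif rp.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        out.append(("WEAK", "Referrer-Policy", f"{rp} sends the full URL to other sites"))

    if not h.get("permissions-policy"):
        out.append(("MISSING", "Permissions-Policy", "no feature restrictions; disable camera, microphone, geolocation if unused"))
    return out


# Constructed sample responses (not captured from any real site)
WEAK_SAMPLE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Referrer-Policy": "unsafe-url",
}
STRONG_SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def report(url):
    """Fetch a live URL and audit it using the scheme of the final URL."""
    final, headers = fetch_headers(url)
    return final, audit(headers, scheme=urlsplit(final).scheme)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        final_url, findings = report(sys.argv[1])
        print("Final URL:", final_url)
    else:
        findings = audit(WEAK_SAMPLE)
    for level, header, advice in findings:
        print(f"[{level}] {header}: {advice}")
```

Run it with no arguments to audit the constructed weak sample, or pass a URL to audit a live site. The scheme check mirrors the page's ordering advice: when the final URL is plain HTTP the script reports that first and skips the HSTS checks, because HSTS can only be honoured on an HTTPS response.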
FAQ
Can CSP break a site?
Yes. A policy that omits a script host, an inline handler or a third-party stylesheet will block it. Deploy CSP carefully, preferably with Content-Security-Policy-Report-Only first, then switch to an enforced Content-Security-Policy header after reviewing the reports; Report-Only blocks nothing, so it protects no one until you enforce.
Do I need X-Frame-Options if I use CSP?
CSP frame-ancestors is the modern control, and a browser that supports it ignores X-Frame-Options when both are present. Many sites still send X-Frame-Options: DENY or SAMEORIGIN alongside it for older browsers; the obsolete ALLOW-FROM value is not honoured by current browsers.
Should every HTTPS site use HSTS?
Most production HTTPS sites should use HSTS after confirming that all required subdomains and resources work over HTTPS. Once a browser has cached the header it refuses plain HTTP for the whole max-age period, so start with a short max-age, raise it to a year or more when nothing breaks, and add includeSubDomains and preload only after checking every subdomain, since preload-list entries are slow to reverse.