Website Security Headers Check
Check the security headers on any public URL against the OWASP Secure Headers project. Per-header verdict plus an A-to-F grade you can take to your IT team.
Enter the URL of a public web page. We do an unauthenticated GET, follow up to 5 redirects, and grade the security headers in the final response.
We do not store URLs you check. Local, private, and reserved addresses are blocked at the API layer to prevent SSRF.
About the Website Security Headers Check
A website security headers check fetches your URL with an unauthenticated request and grades the security-relevant HTTP response headers against the OWASP Secure Headers project defaults. The headers it checks are HSTS (tells browsers to use HTTPS for every later visit, for as long as max-age says), Content-Security-Policy (browser-side XSS defence), X-Frame-Options (clickjacking protection), X-Content-Type-Options (stops MIME-sniffing attacks), Referrer-Policy (controls how much of the URL leaks in the Referer header on cross-origin requests), Permissions-Policy (switches off browser features the site does not use, such as camera or geolocation), and Cross-Origin-Resource-Policy (limits which origins may load the resource).
Each header has a different impact and a different difficulty to land. HSTS is a one-line config change with very high impact; the one caveat is that a long max-age with includeSubDomains commits every subdomain to HTTPS for that period, so check they all serve TLS before switching it on. CSP is the highest-impact header on the list but the most operationally expensive to land cleanly, because every inline script and style needs a nonce or a hash (or has to move into an external file). The grading bands here mirror the OWASP defaults, with a published per-header explainer so you can see exactly why each verdict was awarded and what to fix.
The check covers what is visible from outside on a single GET. It does not test internal headers, authenticated areas, or response headers that only appear on POST requests. For a full review of an estate's web-facing security headers across multiple paths, methods, and authenticated states, our network infrastructure assessment service runs the same checks at scale plus the manual review that header checks alone cannot provide.
Common questions
Is the headers check free?
Yes, the basic check is free and there is no cap on the number of URLs you can submit. We rate-limit per IP per minute to keep the service available for everyone.
Why does my CSP show as warn instead of pass?
The CSP grader looks for a nonce plus 'strict-dynamic' with no 'unsafe-inline' or 'unsafe-eval'. Any 'unsafe-inline' or 'unsafe-eval' drops the verdict to warn because both significantly weaken XSS protection. Browsers that understand nonces ignore 'unsafe-inline' once a nonce or hash is present in the same directive, so some sites keep it as a fallback for older browsers; the grader still flags it, so expect a warn if you do. A nonce-plus-strict-dynamic policy is the modern OWASP-recommended pattern.
Will the check trigger any alerts on my server?
It might. The fetch arrives as a GET with a NetSecGroup-HeadersCheck user-agent. If you operate a SOC or MDR service, expect the request to appear in your access logs.
How does this relate to Cyber Essentials?
Cyber Essentials' secure-configuration control covers web-server hardening. Security headers are part of that hardening surface. The Cyber Essentials Plus (CE+) assessor will check that your web-facing services serve sensible headers. This tool gives you a preview of what they will see.
What is the difference between a missing header and a fail?
Missing means the header is not in the response at all. Fail means the header is present but configured weakly (for example HSTS with a max-age below the OWASP minimum). Both score the same in the grade calculation, so a weakly configured header earns no credit over an absent one, even though in the browser a short HSTS max-age still protects returning visitors for that window.
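The grading described in the About section above and in the two FAQ answers on CSP verdicts and missing-versus-fail, as an added example that is not the service's own code. It grades a dict of response headers the way an unauthenticated fetch would see them: each of the seven headers gets pass, warn, fail or missing, missing and fail score alike, and the letter comes from the average. The OWASP-style checks (max-age of one year for HSTS, nonce plus 'strict-dynamic' for CSP, DENY or SAMEORIGIN for X-Frame-Options, and so on) follow the page; the exact letter bands, the includeSubDomains warn, the three Permissions-Policy features checked and the sample responses are assumptions made for this example.

```python
import re

# Thresholds and bands below are assumptions for this example, not the
# service's published grading bands.
HSTS_MIN_AGE = 31536000  # one year, the OWASP Secure Headers recommendation
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
DENIED_FEATURES = ("camera", "microphone", "geolocation")  # assumed: must be "=()"
NONCE = re.compile(r"'nonce-[a-z0-9+/=_-]+'")


def csp_directives(value):
    """Parse a CSP value into {directive: [lower-cased source expressions]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def grade_csp(value):
    d = csp_directives(value)
    # script-src governs script execution; default-src is the fallback.
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
        return "warn", "'unsafe-inline' or 'unsafe-eval' present"
    if any(NONCE.fullmatch(s) for s in script) and "'strict-dynamic'" in script:
        return "pass", "nonce + strict-dynamic"
    return "warn", "not a nonce + strict-dynamic policy"  # assumed verdict


def grade_hsts(value):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        return "fail", f"max-age missing or below {HSTS_MIN_AGE}"
    if "includesubdomains" not in value.lower():
        return "warn", "includeSubDomains missing"  # assumed verdict
    return "pass", "max-age >= one year with includeSubDomains"


def grade_frame_options(value):
    v = value.strip().upper()
    return ("pass", v) if v in ("DENY", "SAMEORIGIN") else ("fail", f"{v} does not block framing")


def grade_content_type_options(value):
    v = value.strip().lower()
    return ("pass", v) if v == "nosniff" else ("fail", "value is not nosniff")


def grade_referrer_policy(value):
    # The header may carry a comma-separated list; the last recognised policy wins.
    policies = [p.strip().lower() for p in value.split(",") if p.strip()]
    last = policies[-1] if policies else ""
    return ("pass", last) if last in SAFE_REFERRER else ("fail", f"{last or 'empty'} is not restrictive")


def grade_permissions_policy(value):
    # "feature=()" denies the feature to every origin, including the page itself.
    denied = {m.group(1).lower() for m in re.finditer(r"([a-z-]+)\s*=\s*\(\s*\)", value, re.I)}
    missing = [f for f in DENIED_FEATURES if f not in denied]
    return ("pass", "camera, microphone, geolocation denied") if not missing \
        else ("warn", "not denied: " + ", ".join(missing))


def grade_corp(value):
    v = value.strip().lower()
    return ("pass", v) if v in ("same-origin", "same-site") else ("fail", f"{v or 'empty'} allows cross-origin loads")


GRADERS = {
    "strict-transport-security": grade_hsts,
    "content-security-policy": grade_csp,
    "x-frame-options": grade_frame_options,
    "x-content-type-options": grade_content_type_options,
    "referrer-policy": grade_referrer_policy,
    "permissions-policy": grade_permissions_policy,
    "cross-origin-resource-policy": grade_corp,
}
POINTS = {"pass": 1.0, "warn": 0.5, "fail": 0.0, "missing": 0.0}  # fail and missing score alike


def grade_response(headers):
    """Grade a dict of response headers; returns ({header: (verdict, reason)}, letter)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    verdicts = {name: grader(lower[name]) if name in lower else ("missing", "header absent")
                for name, grader in GRADERS.items()}
    score = sum(POINTS[v] for v, _ in verdicts.values()) / len(GRADERS)
    bands = ((0.9, "A"), (0.75, "B"), (0.6, "C"), (0.4, "D"))  # assumed letter bands
    letter = next((l for cutoff, l in bands if score >= cutoff), "F")
    return verdicts, letter


# Constructed sample responses, not captured from any real site.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "script-src 'nonce-rAnd0m123' 'strict-dynamic'; object-src 'none'; base-uri 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Resource-Policy": "same-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strong", STRONG)):
        verdicts, letter = grade_response(hdrs)
        print(f"{label}: grade {letter}")
        for name, (verdict, reason) in verdicts.items():
            print(f"  {name:30} {verdict:8} {reason}")
```

Running it grades the constructed weak response F (short HSTS max-age and a framing-permissive X-Frame-Options both fail, the 'unsafe-inline' CSP warns, four headers are missing) and the strong one A. Swap in the headers your own server sends to see which verdict each one would draw before you submit the URL.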
Beyond the free check
Network Infrastructure Assessment
Full web-server hardening review across paths, methods, and authenticated areas, beyond what an unauthenticated GET can grade.
Web Application Security Testing
OWASP-aligned application-layer testing that complements header checks with business-logic and chained-attack coverage.
Cyber Essentials Plus
Government-backed certification that includes web-facing service hardening as part of the secure-configuration control.