Scan your Website for HTTP Content Security Headers

Find out whether your website is at risk because it has not enabled the key content security headers.

Scan your HTTP response headers and find out which HTTP response headers you are missing.

Read more about how to deploy the missing HTTP security headers easily.

Scan your site to find out whether it sends the security headers that restrict what web browsers will do and prevent avoidable vulnerabilities.

A Content Security Policy deployed via HTTP headers is a strong way to improve the security of your site and protect it from XSS attacks.

It can help prevent the web browser from loading assets from untrusted remote sites.

The popular security headers are:

  • X-Frame-Options: SAMEORIGIN
  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Xss-Protection: 1; mode=block
  • X-Content-Type-Options: nosniff
  • Content-Security-Policy
  • Referrer-Policy

Scan your site for free to find out if you have the Security Headers enabled: Get a free vulnerability scan here.

The different Security Headers are:

Content-Security-Policy

The Content-Security-Policy security header can help secure your website against XSS attacks.

You can whitelist the sources from which the browser is authorized to load content.

This way you can make sure the browser does not load dangerous content.

The header lets a website security administrator control which resources the user agent is allowed to load on a given page.

This helps protect against cross-site scripting (XSS) attacks.

Fix by adding to your site: header("Content-Security-Policy: block-all-mixed-content; script-src 'self' www.yoursite.com");
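To see what the policy above actually restricts, the Python below is an added example (not code from this page or its scanner) that splits a Content-Security-Policy value into directives and reports weak or missing ones. PAGE_POLICY is the policy recommended in this section, with www.yoursite.com kept as a placeholder host; the audit goes beyond that one case and also handles default-src fallback, wildcard and scheme sources, and the nonce/hash rule that makes 'unsafe-inline' harmless in newer browsers.

```python
"""Parse a Content-Security-Policy value and flag weak or missing directives.

Added example, not code from this page or its scanner. PAGE_POLICY is the
policy this section recommends, with www.yoursite.com as a placeholder host.
"""
from typing import Dict, List

PAGE_POLICY = "block-all-mixed-content; script-src 'self' www.yoursite.com"

# Sources that let scripts run from places the site does not control.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace; directive names
    are case-insensitive. Browsers ignore a repeated directive, so the first
    occurrence wins here as well.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    if "script-src" not in d and "default-src" not in d:
        findings.append("no script-src or default-src: scripts may load from any origin")
    # script-src falls back to default-src when it is absent.
    directive = "script-src" if "script-src" in d else "default-src"
    sources = d.get(directive, [])
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline';
    # it then only serves older browsers and is not a weakness.
    has_nonce_or_hash = any(s.lower().startswith(NONCE_OR_HASH) for s in sources)
    for src in sources:
        low = src.lower()
        if low == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if low in RISKY_SOURCES:
            findings.append(f"{directive} allows {low}")
    if "object-src" not in d and "default-src" not in d:
        findings.append("no object-src: plugin content is unrestricted")
    return findings


if __name__ == "__main__":
    for finding in audit_csp(PAGE_POLICY) or ["no findings"]:
        print(finding)
```

Run against PAGE_POLICY the audit shows that the page's policy locks down scripts but, because it has no default-src, leaves other resource types (plugins via object-src, frames, styles, images) unrestricted; adding a default-src 'self' directive closes that gap.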

X-Frame-Options

X-Frame-Options is used to tell the web browser whether you want to allow your site to be framed or not.

Preventing the web browser from framing your site defends against attacks such as clickjacking.

The X-Frame-Options header indicates whether a web browser is allowed to render a page in a <frame>, <object>, or <iframe>.

It is recommended to include this check in the penetration testing process.

Fix by adding to your site: header("X-Frame-Options: SAMEORIGIN");

X-Xss-Protection

The X-XSS-Protection security header enables the cross-site scripting (XSS) filter that is included in most modern web browsers.

It should therefore be enabled.

The most comprehensive header to set is:

"X-XSS-Protection: 1; mode=block".

The HTTP X-XSS-Protection response security header is supported by the Safari, Firefox, Internet Explorer (IE) and Chrome web browsers.

It is designed to stop pages from loading when reflected cross-site scripting (XSS) is detected. Although it can be argued that it is unnecessary in most modern browsers when a site implements a strong Content-Security-Policy that disables inline JavaScript, it is still recommended to enable this header.

Fix by adding to your site: header("X-Xss-Protection: 1; mode=block");

X-Content-Type-Options

The X-Content-Type-Options security header prevents a browser from MIME-sniffing sensitive content and forces it to use the declared Content-Type.

The header can be used to declare that the MIME types advertised in the Content-Type headers must not be changed.

This prevents MIME type sniffing.

The header was first introduced by Microsoft in Internet Explorer (IE) 8 to allow webmasters to block content sniffing that could transform non-executable MIME types into executable MIME types.

Other web browsers have introduced it as well.

Penetration testing processes expect this header to be set.

The only valid value you can set for this header is "X-Content-Type-Options: nosniff".

Fix by adding to your site: header("X-Content-Type-Options: nosniff");

Referrer-Policy

The Referrer-Policy is a newer security header that lets a website control how much information the web browser sends in the Referer header when navigating away from a document.

It is highly recommended to set it on all sites.

The header controls which referrer information is sent in the Referer header of the requests the browser makes.

Fix by adding to your site: header("Referrer-Policy: no-referrer,strict-origin-when-cross-origin");
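The Python below is an added example (not code from this page) that shows the two behaviours this section relies on: which policy a browser picks from a comma-separated list (the last one it recognises, which is why the fallback value is listed first), and what the Referer header then contains for same-origin, cross-origin and HTTPS-to-HTTP navigations under strict-origin-when-cross-origin. Only the two policy values used on this page are modelled, and the URLs are constructed.

```python
"""Work out what a browser sends in the Referer header under a Referrer-Policy.

Added example, not from the page. It models the two values this section uses
(no-referrer and strict-origin-when-cross-origin) plus the comma-separated
fallback rule; the URLs in the usage block are constructed.
"""
from urllib.parse import urlsplit

KNOWN_POLICIES = frozenset({"no-referrer", "strict-origin-when-cross-origin"})


def resolve_policy(header_value: str, supported=KNOWN_POLICIES) -> str:
    """Return the policy a browser applies: the LAST comma-separated token it
    recognises ("" if none). A fallback therefore only works when it is
    listed before the preferred value."""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in supported:
            chosen = token
    return chosen


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def referer_for(policy: str, source_url: str, destination_url: str) -> str:
    """Return the Referer value sent when navigating from source to destination,
    or "" when no Referer is sent."""
    if policy == "no-referrer":
        return ""
    if policy != "strict-origin-when-cross-origin":
        raise ValueError(f"policy not modelled in this example: {policy!r}")
    src, dst = urlsplit(source_url), urlsplit(destination_url)
    # Same origin: full URL minus the fragment.
    if _origin(source_url) == _origin(destination_url):
        query = f"?{src.query}" if src.query else ""
        return f"{_origin(source_url)}{src.path or '/'}{query}"
    # HTTPS -> HTTP is a downgrade: nothing is sent.
    if src.scheme == "https" and dst.scheme == "http":
        return ""
    # Any other cross-origin navigation: origin only (browsers add a trailing slash).
    return _origin(source_url) + "/"


if __name__ == "__main__":
    policy = resolve_policy("no-referrer,strict-origin-when-cross-origin")
    page = "https://shop.example/cart?id=7#top"  # constructed
    for dest in ("https://shop.example/checkout", "https://pay.example/start", "http://tracker.example/"):
        print(f"{policy}: {page} -> {dest}: Referer={referer_for(policy, page, dest)!r}")
```

Calling resolve_policy with a supported set of only {"no-referrer"} simulates an older browser and yields the fallback, while a browser that knows both values lands on strict-origin-when-cross-origin; reversing the order in the header would make every browser stop at no-referrer.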

Strict-Transport-Security

The Strict-Transport-Security web security header is a recommended feature that increases the security of your website and strengthens your TLS implementation by forcing the user agent to use HTTPS.

It is often known as HSTS; it makes web browsers remember that the site should be accessed only over HTTPS instead of insecure HTTP.

Fix by adding to your site: header("Strict-Transport-Security: max-age=31536000; includeSubDomains");

Web Security Headers are a subset of the Web HTTP response headers

When they are sent by the web server to the web browser, they allow a specific web application to tell the browser to enable and configure specific security-related features.

Here the most important Security Headers are presented with information on how to enable them on your site.

It is recommended to enable the security headers on all your web enabled servers for increased security. 

What is the impact of not having the Security Headers enabled?

Why is it even important to set and send specific security headers to a web browser?

There are several good arguments to enable the Security Headers.

To pass third-party penetration testing

When third-party pen testers are engaged, the security headers are often part of becoming compliant.

Various compliance regulations such as GDPR, HIPAA and PCI-DSS do not currently mandate the security headers but recommend enabling and using them.

Quick process to implement the security headers

The security headers can often be easily enabled on most web servers by simply applying a few header lines such as:

header("Content-Security-Policy: block-all-mixed-content; script-src 'self' www.yoursite.com");
header("X-Frame-Options: SAMEORIGIN");
header("X-Xss-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: no-referrer,strict-origin-when-cross-origin");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
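As an added example (not the scanner this page offers, nor the page's own code), the Python below does the check the page describes for the six headers listed above and discussed in the sections on each header: it parses a raw HTTP response and reports each header as present, missing, or set to a weak value (X-Frame-Options values other than DENY/SAMEORIGIN, X-Content-Type-Options other than nosniff, an HSTS max-age below the one-year value recommended here or without includeSubDomains). The sample response is constructed, not captured from a real site.

```python
"""Audit a raw HTTP response for the six security headers discussed on this page.

Added example. SAMPLE_RESPONSE is constructed, not captured from any real site;
ONE_YEAR is the HSTS max-age value this page recommends.
"""
import re
from typing import Dict

# Constructed sample: some headers set correctly, one set weakly, two missing.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Content-Type-Options: NOSNIFF\r\n"
    "Referrer-Policy: no-referrer,strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

ONE_YEAR = 31536000


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return {lower-cased header name: value} from the head of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value: str) -> str:
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return "weak: no max-age directive"
    problems = []
    if int(match.group(1)) < ONE_YEAR:
        problems.append(f"max-age {match.group(1)} is below one year")
    if "includesubdomains" not in value.lower():
        problems.append("includeSubDomains not set")
    return "weak: " + "; ".join(problems) if problems else "ok"


def check_frame_options(value: str) -> str:
    # DENY and SAMEORIGIN are the values browsers honour.
    return "ok" if value.upper() in ("DENY", "SAMEORIGIN") else f"weak: unsupported value {value!r}"


def check_nosniff(value: str) -> str:
    # nosniff is the only valid value and is matched case-insensitively.
    return "ok" if value.lower() == "nosniff" else f"weak: expected nosniff, got {value!r}"


def present(_value: str) -> str:
    # For CSP, X-XSS-Protection and Referrer-Policy this audit only checks presence.
    return "ok"


CHECKS = {
    "content-security-policy": present,
    "x-frame-options": check_frame_options,
    "x-xss-protection": present,
    "x-content-type-options": check_nosniff,
    "referrer-policy": present,
    "strict-transport-security": check_hsts,
}


def audit_headers(raw_response: str) -> Dict[str, str]:
    """Map each security header to 'ok', 'missing', or 'weak: <reason>'."""
    headers = parse_headers(raw_response)
    return {name: (check(headers[name]) if name in headers else "missing")
            for name, check in CHECKS.items()}


if __name__ == "__main__":
    for name, status in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{name:28} {status}")
```

On the sample response the audit reports Content-Security-Policy and X-XSS-Protection as missing and the HSTS header as weak; sending the six header() lines above would turn every row to ok.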

Increased measurable application security level

The Web Security Headers provide an extra layer of defense against attacks.

When the web security headers are implemented correctly, they can reduce the impact of other existing vulnerabilities that are yet to be found on the target web server.

They can help prevent attackers from exploiting vulnerabilities, or minimize the impact of exploitation of unpatched vulnerabilities.

The security headers are backward compatible: older browsers that do not support a header simply ignore it, so no functionality breaks.

It is highly recommended to enable the headers to be future-compliant and to boost customer confidence by utilizing all available security measures.

How to easily test your site and find out if your Security Headers are enabled?

Get a free vulnerability scan here.

It will also come with instructions on how to enable the headers and provide other useful information on how to secure your web site.