
Security Headers Auditor - Online Check HSTS, CSP & More


Security Headers Auditor

Analyze HTTP security headers for any website. Check HSTS, CSP, X-Frame-Options, and more to assess your site's security posture.


Frequently Asked Questions

HTTP security headers are directives sent by a web server in HTTP responses that instruct browsers on how to behave when handling the site's content. They provide an additional layer of security by mitigating attacks like cross-site scripting (XSS), clickjacking, MIME-type sniffing, and man-in-the-middle attacks. Common security headers include Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options.

HSTS (HTTP Strict-Transport-Security) forces browsers to only communicate with your website over HTTPS, never over insecure HTTP. It prevents SSL stripping attacks and cookie hijacking. A properly configured HSTS header should have a max-age of at least one year (31536000 seconds), include the includeSubDomains directive, and ideally use the preload directive to be included in browser HSTS preload lists.

Content-Security-Policy (CSP) is one of the most powerful security headers. It defines which resources (scripts, styles, images, fonts, etc.) the browser is allowed to load and execute. A strong CSP can prevent XSS attacks, data injection, and code execution vulnerabilities. A well-configured CSP avoids using 'unsafe-inline' and 'unsafe-eval', and instead uses nonces or hashes for inline scripts. It should also restrict default-src to 'self' or a specific set of trusted origins.

X-Frame-Options protects your website from clickjacking attacks by controlling whether your pages can be embedded in <iframe> elements on other sites. The recommended values are DENY (blocks all framing) or SAMEORIGIN (allows framing only from the same origin). While CSP's frame-ancestors directive is the modern replacement, X-Frame-Options remains important for compatibility with older browsers.

Our scoring system evaluates 10 critical security headers with weighted importance. CSP and HSTS carry the most weight (25 and 20 points respectively) as they provide the strongest protections. Headers like X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy each contribute 10 points. Additional headers like X-XSS-Protection, Cross-Origin policies, and Cache-Control add the remaining points. A score of 95+ earns an A+ grade, while below 40 is an F.

While security headers are not a direct ranking factor in Google's algorithm, they indirectly benefit SEO. HTTPS (enforced by HSTS) is a confirmed ranking signal. Secure websites build user trust, reduce bounce rates, and protect against attacks that could lead to blacklisting. Additionally, a properly configured CSP and X-Frame-Options prevent malicious content injection that could harm your site's reputation and search rankings. Google's page experience metrics also favor secure, well-configured sites.

Permissions-Policy (formerly Feature-Policy) allows you to control which browser features and APIs your site can use — such as camera, microphone, geolocation, accelerometer, and more. By restricting permissions to 'self' or a specific origin, you reduce the attack surface and prevent malicious third-party scripts from abusing these features. It's an important part of a defense-in-depth security strategy.
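The checks described in the answers above (HSTS max-age and includeSubDomains, CSP without 'unsafe-inline'/'unsafe-eval' and with a restricted default-src, X-Frame-Options DENY/SAMEORIGIN, Permissions-Policy restricted to 'self', and the weighted score) can be expressed as a small offline audit. The following is an added example written for this page, not the auditor's own code: it parses a raw response header block and applies the weights the FAQ gives (CSP 25, HSTS 20, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy 10 each). The 3/4/4/4 split of the remaining 15 points across X-XSS-Protection, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and Cache-Control, the grade bands between A+ and F, and the two sample responses are assumptions made for this example.

```python
import re

ONE_YEAR = 31536000  # seconds; the minimum recommended HSTS max-age


def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response into a {lowercase-name: value} map.
    The status line is skipped; a repeated header keeps its last value."""
    headers = {}
    for line in raw.splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def score_csp(value):
    """25 points for a CSP with no unsafe-inline/unsafe-eval and a non-wildcard default-src."""
    if value is None:
        return 0, "missing"
    v = value.lower()
    problems = []
    if "'unsafe-inline'" in v:
        problems.append("allows 'unsafe-inline'")
    if "'unsafe-eval'" in v:
        problems.append("allows 'unsafe-eval'")
    m = re.search(r"default-src\s+([^;]+)", v)
    if not m or "*" in m.group(1).split():
        problems.append("default-src missing or wildcard")
    return (25, "ok") if not problems else (10, "; ".join(problems))


def score_hsts(value):
    """20 points need max-age >= one year plus includeSubDomains; preload is advisory."""
    if value is None:
        return 0, "missing"
    m = re.search(r"max-age=(\d+)", value, re.I)
    max_age = int(m.group(1)) if m else 0
    if max_age < ONE_YEAR:
        return 5, f"max-age {max_age} is below one year"
    if "includesubdomains" not in value.lower():
        return 12, "missing includeSubDomains"
    return 20, "ok" if "preload" in value.lower() else "ok (consider preload)"


def score_permissions_policy(value):
    """A feature granted to every origin (e.g. camera=*) widens the attack surface."""
    if value is None:
        return 0, "missing"
    if re.search(r"=\s*\*", value):
        return 5, "grants a feature to all origins (*)"
    return 10, "ok"


def grade(score: int) -> str:
    # 95+ is A+ and below 40 is F as the FAQ states; the bands in between are assumed.
    for threshold, letter in ((95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D")):
        if score >= threshold:
            return letter
    return "F"


def audit(raw: str) -> dict:
    """Score one raw response; returns the total, the grade and per-header notes."""
    h = parse_headers(raw)
    r = {}
    r["Content-Security-Policy"] = score_csp(h.get("content-security-policy"))
    r["Strict-Transport-Security"] = score_hsts(h.get("strict-transport-security"))
    xfo = (h.get("x-frame-options") or "").upper()
    r["X-Frame-Options"] = (10, "ok") if xfo in ("DENY", "SAMEORIGIN") else (0, "missing or not DENY/SAMEORIGIN")
    xcto = (h.get("x-content-type-options") or "").lower()
    r["X-Content-Type-Options"] = (10, "ok") if xcto == "nosniff" else (0, "missing or not nosniff")
    rp = (h.get("referrer-policy") or "").lower()
    r["Referrer-Policy"] = (10, "ok") if rp and rp != "unsafe-url" else (0, "missing or unsafe-url")
    r["Permissions-Policy"] = score_permissions_policy(h.get("permissions-policy"))
    # Remaining 15 points; this 3/4/4/4 split is an assumption of this example.
    for name, pts in (("X-XSS-Protection", 3), ("Cross-Origin-Opener-Policy", 4),
                      ("Cross-Origin-Resource-Policy", 4), ("Cache-Control", 4)):
        r[name] = (pts, "ok") if h.get(name.lower()) else (0, "missing")
    total = sum(p for p, _ in r.values())
    return {"score": total, "grade": grade(total), "checks": r}


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src * 'unsafe-inline'; script-src 'self' 'unsafe-eval'
X-Frame-Options: ALLOWALL
Cache-Control: no-store
"""

STRONG_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(self)
X-XSS-Protection: 0
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Cache-Control: no-store
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("strong", STRONG_RESPONSE)):
        result = audit(raw)
        print(f"{label}: {result['score']}/100 grade {result['grade']}")
        for header, (pts, note) in result["checks"].items():
            print(f"  {header:30} {pts:>3}  {note}")
```

The weak sample loses points for exactly the reasons the FAQ lists: a 300-second max-age, a wildcard default-src with both unsafe keywords, and an X-Frame-Options value that is neither DENY nor SAMEORIGIN. Run the script against a header block saved from your own server (for example the output of `curl -sI`) to see which of the answers above applies.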

Security headers may be missing for several reasons: your web server (Apache, Nginx, IIS) may not have them configured; your CDN or reverse proxy (like Cloudflare or AWS CloudFront) might strip or modify headers; your application framework might not set them by default; or there could be a misconfiguration in your deployment pipeline. Use this tool to regularly audit your headers and ensure they are consistently applied across all pages.