Security Headers Checker

Check a site's HTTP security headers and spot what's missing.

Demo tool — results are sample data, not a live lookup.

About the Security Headers Checker

HTTP security headers tell the browser how to protect your visitors — forcing HTTPS, blocking your pages from being framed, limiting what scripts can run, and controlling what data leaks in referrers. Missing headers are a common, easily-fixed weakness on WordPress sites.

This tool inspects the response headers for a URL and flags which protections are present and which are missing, so you can harden the site with a few server or plugin settings.

How to use it

  1. 1Enter the page URL you want to inspect.
  2. 2Run the check to see which security headers are set and which are absent.
  3. 3Add the missing headers via your server config, a security plugin, or your CDN.

What it checks

Strict-Transport-Security
Forces browsers to use HTTPS, preventing downgrade attacks (HSTS).
Content-Security-Policy
Restricts which scripts, styles, and sources can load — strong XSS defense.
X-Frame-Options
Stops other sites from embedding yours in a frame (clickjacking).
X-Content-Type-Options
Prevents the browser from MIME-sniffing responses into the wrong type.

Frequently asked questions

Which headers matter most?

Start with Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options — they're low-risk and high-value. Content-Security-Policy is the most powerful but needs care to avoid breaking assets.

Will adding headers break my site?

HSTS and X-Content-Type-Options are safe to add. A strict CSP can block legitimate scripts, so roll it out in report-only mode first.

Can I set these on WordPress?

Yes — via your web server config, a security plugin, or your CDN's rules (for example Cloudflare Transform Rules).

Run WordPress on infrastructure built for it.

Performance, security, and the WordPress tooling you need — fully managed, so these checks stay green.