Paste any URL you're authorized to test. Scorifya fetches the response and shows your HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy coverage.
Browser security headers are the cheapest hardening any site can ship — but each one (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) has its own pitfalls. A header checker tells you which are present, which are weak, and what the fix looks like, without you having to curl -I and read the response by hand.
Paste any URL you're allowed to test. Scorifya fetches the response, lists every security-relevant header it found (or didn't), and explains the missing or weak ones with copy-paste fixes for nginx, Apache, Cloudflare, Vercel, and more. The headers category sits inside the broader 0–100 hardening score so you see the full picture, not just one slice.
This page is written for people searching for security headers checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — site missing the security-header baseline
TLS works and the site is reachable, but most browser headers are absent. Each one is a one-line fix at the proxy or CDN.
Strict-Transport-Security missing
Browsers may still allow accidental HTTP before policy is cached — especially first visits.
Content-Security-Policy absent
No CSP means browsers rely on defaults; XSS blast radius stays higher than it needs to be.
X-Frame-Options not set
Without anti-framing, your pages can be loaded in attacker-controlled iframes (clickjacking).
Referrer-Policy missing
Tokens or private routes in URLs can leak via Referer to third parties.
Example B — most headers present, CSP needs tightening
All baseline headers ship. CSP exists but contains 'unsafe-inline'; tightening would push the score into the 90s.
Weak CSP — unsafe-inline allowed
Move inline scripts to nonces (or external files) so you can drop unsafe-inline. See /learn/content-security-policy.
Permissions-Policy missing
A short header denying camera/microphone/geolocation tightens the browser-feature contract.
Add the security-header baseline at one layer
Set HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy in one place — your CDN, your reverse proxy, or your app framework. See /guides/cloudflare-security-headers, /guides/nginx-csp, and friends.
Roll out CSP in report-only mode first
Ship Content-Security-Policy-Report-Only with a logging endpoint. After a release cycle with no unexpected reports, switch to the enforcing Content-Security-Policy header. This avoids the broken-homepage outcome that leads teams to abandon CSP entirely.
Remove unsafe-inline from existing CSPs
If your CSP includes 'unsafe-inline' for script-src, switch to a nonce-based pattern. It's the single biggest weakness in most production CSPs.
Plan HSTS preload only after stability
Once HSTS has been live with a 1-year max-age and includeSubDomains for at least a quarter, consider submitting at hstspreload.org.
Re-scan after every header change
Headers are deploy-driven — they update on the very next response. Re-scan immediately after deploy to confirm the score moved.
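As an added example (not Scorifya's own code), here is a small Python audit that applies the checks described above to a response's header set: HSTS present with a one-year max-age and includeSubDomains, a CSP that does not allow 'unsafe-inline' for scripts, and the rest of the header baseline. The two header sets are constructed to mirror Example A and Example B; the finding strings are this example's own wording, not Scorifya's.

```python
import re

# Constructed sample header sets (not output from Scorifya) that mirror the
# page's Example A (baseline missing) and Example B (CSP present but weak).
EXAMPLE_A = {"Server": "nginx/1.18.0", "Content-Type": "text/html"}
EXAMPLE_B = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000  # the max-age the page recommends before considering preload
BASELINE = ["X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy"]

def parse_csp(csp):
    """Split a CSP value into {directive: [source expressions]}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def audit_headers(headers):
    """Return [(header, finding)] for one response; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("Strict-Transport-Security", "max-age below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy", "absent"))
    else:
        d = parse_csp(csp)
        script_src = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
        if script_src is None:
            findings.append(("Content-Security-Policy", "no script-src or default-src"))
        elif "'unsafe-inline'" in script_src:
            findings.append(("Content-Security-Policy", "'unsafe-inline' allowed for scripts"))
    for name in BASELINE:
        if name.lower() not in h:
            findings.append((name, "missing"))
    return findings
```

Run `audit_headers` on the headers of a fetched response (for example `dict(resp.headers)` from `urllib` or `requests`) before and after a deploy to confirm the change landed.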
For weights and penalties behind each category, see How Scorifya works.
HSTS (Strict-Transport-Security), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, and the Server / X-Powered-By exposure headers. The full list is documented at /methodology.
Yes. The header checker (and the full Scorifya scan) is free for any URL you're authorized to test. Pro adds higher rate limits, scheduled re-scans, watch lists, and exports.
Scorifya scores headers as one category inside a broader 0–100 hardening score that also covers TLS, exposure, cookies, and DNS. If you only want headers, this page focuses on that slice; the full scan is one click further.
Yes. Scorifya follows the redirect chain from the URL you paste and scores the final response, while also flagging any HTTP hops along the way.
No. Scorifya only fetches public, unauthenticated URLs. Headers on authenticated routes can be different (especially Set-Cookie attributes); test those routes during your own staging passes.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.