Security Headers Checker

Paste a URL to analyze its HTTP security headers. The tool checks for Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and other headers that protect against common web attacks. You'll get a grade and a list of missing protections.

Url Required

Get an API key to automate this

Result

Code snippets

What this tool checks

Checks Content-Security-Policy (CSP)
Strict-Transport-Security (HSTS) validation
X-Frame-Options and clickjacking protection
X-Content-Type-Options (MIME sniffing)
Referrer-Policy and Permissions-Policy
Overall security grade (A through F)

Automate this with the API

Run this tool programmatically from your code. Get a free temporary API key with 20 requests/day — or register for 75 requests/day.

                    curl https://apixies.io/api/v1/inspect-headers?url=... \
  -H "X-API-Key: YOUR_API_KEY"
                

Get Temporary API Key View API Documentation →

Frequently asked questions

What security headers should every website have?

At minimum: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. These protect against XSS, clickjacking, MIME sniffing, and information leakage.

What does the security grade mean?

The grade reflects how many recommended security headers are present and correctly configured. An A means all critical headers are set. Lower grades indicate missing protections.

Related tools

Free SSL Certificate Checker

Enter a domain to inspect its SSL/TLS certificate. You'll see the issuer, validity dates, days until expiry, protocol version, and whether the certificate chain is healthy. Useful for catching expiring certificates before they cause browser warnings.

Free Email Validator

Enter an email address to validate it. The tool checks format syntax, resolves MX records to verify the domain accepts mail, detects disposable email services (like Mailinator), and flags role-based addresses (like info@ or admin@). Useful for cleaning mailing lists or validating form submissions.

Email Authentication Checker (SPF, DKIM, DMARC)

Enter a domain to check its email authentication configuration. The tool validates SPF records (who can send on your behalf), DKIM records (email signatures), and DMARC policies (what to do with unauthenticated mail). Misconfigured authentication is the top reason emails land in spam.

User Agent Parser

Paste a user agent string to identify the browser, operating system, device type, and whether it's a known bot. Useful for analytics debugging, content negotiation logic, or verifying that your bot detection is working correctly.

View all 48 tools →