Security Headers Checker
Enter any site URL to check whether key security headers such as HSTS, CSP, and X-Frame-Options are properly configured. See which headers are missing or weak, along with tips for fixing each one.
Tips
- This tool fetches the target URL server-side, so it can check any site's headers without hitting the browser's CORS restrictions.
- A longer HSTS max-age is generally safer, but if you're planning to change your certificate setup, test with a shorter value first before rolling it out to production.
- Combine this with the sibling CSP Validator (dev.server.csp_validator) tool to check the actual syntax of your Content-Security-Policy in detail.
- This tool reuses the same "enter a URL, fetch it server-side" mechanism as the robots.txt checker, so it can check any publicly accessible page without authentication.
- Check your own site periodically to make sure a CDN or reverse proxy configuration change hasn't silently dropped a security header.
Frequently Asked Questions
Side Note — securityheaders.com and the history of clickjacking defense
Diagnosing security settings via HTTP response headers has long been dominated by securityheaders.com, built by Scott Helme. Since many overseas services only explain results and remediation in English, Toolbase built its own checker so results and explanations can be reviewed together in Japanese as an alternative in this space.
HSTS (HTTP Strict Transport Security) was standardized by the IETF as RFC 6797 in 2012. The motivation traces back to a 2009 demonstration of "SSL Stripping," an attack that exploits the brief moment when a user types a URL without https:// and the browser connects over plain HTTP first, letting an attacker rewrite the traffic. HSTS lets a browser remember "this domain must always be accessed over HTTPS," preventing downgrade attacks after the first visit.
X-Frame-Options was originally a proprietary extension header introduced by Microsoft for Internet Explorer 8 in 2009, later adopted by other browsers and becoming a de facto standard. The concern at the time was "clickjacking," where an invisible iframe is layered over a genuine-looking button so a user clicks without realizing it. Today, the industry is moving toward the more flexible frame-ancestors directive in Content-Security-Policy, but specifying both is still recommended as a fallback for older browsers that don't support it.