Tell Me When Down
How it worksWhat we checkPricing
Log inGet started
free tool · no login

Security headers check

Test which security headers your site sends — HSTS, Content-Security-Policy, clickjacking protection, nosniff, CORS, version leaks — with a pass/fail per header and what each one means, in plain English.

The cheapest security wins a website has

Security headers are one-line instructions to the browser, and each closes a real attack class: HSTS ends protocol-downgrade attacks, a CSP makes injected scripts simply not run, frame protection kills clickjacking. They take minutes to add and cost nothing at runtime — which is why missing them reads as a signal. It's the first thing anyone probing your site checks, precisely because it's the first thing shipped-in-a-weekend apps skip.

Headers are one layer. The free report checks the rest.

Run the full scan free — TLS, cookies, DNS, exposed subdomains, email spoofing protection and more, graded A to F, with a copy-paste fix for every finding.

Scan my site freeno signup · results in ~30 seconds

Security headers, answered

What are security headers?
Security headers are instructions your server sends with every response that tell browsers how to protect your users: force HTTPS (Strict-Transport-Security), control which scripts may run (Content-Security-Policy), refuse to be iframed (X-Frame-Options), don't guess file types (X-Content-Type-Options). They cost nothing at runtime and each one closes a real attack class — they're the cheapest security wins a website has.
Which security headers do I actually need?
For most sites, four matter most: Strict-Transport-Security (once you're on HTTPS), Content-Security-Policy (the big one — it's your XSS defense), X-Frame-Options or frame-ancestors (stops clickjacking), and X-Content-Type-Options: nosniff. Referrer-Policy and Permissions-Policy are worthwhile refinements after those four are in place.
What is HSTS and do I need it?
Strict-Transport-Security tells browsers to never load your site over plain HTTP again — even if the user types http:// or clicks an old link. Without it, the very first request can be intercepted on hostile networks (airport Wi-Fi is the classic example) before your HTTPS redirect ever runs. If your site is HTTPS-only, HSTS is a one-line header with no downside.
What is a Content-Security-Policy?
A CSP is an allowlist of where your page may load scripts, styles, images, and frames from. Its real job is stopping cross-site scripting: if an attacker manages to inject a <script> tag through a form field or a compromised dependency, a good CSP means the browser simply refuses to run it. It's the single most effective security header — and the one most sites are missing.
How do I add security headers in Next.js?
In next.config.js, export an async headers() function returning your rules: [{ source: '/:path*', headers: [{ key: 'X-Content-Type-Options', value: 'nosniff' }, …] }]. Every header this tool checks can be set that way. Also set poweredByHeader: false in the same file to stop advertising that you run Next.js. On Vercel this deploys with no extra configuration.
Do security headers affect SEO?
Not directly — Google doesn't rank you on your CSP. Indirectly, yes: headers are part of the HTTPS story, and HTTPS is a ranking signal; and a site that gets compromised through a missing header loses rankings very directly when Google flags it as hacked. Treat headers as insurance for the rankings you already have.

one request to your site · we read response headers, the same thing every browser does · nothing stored

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

status:all systems watched
product
How it worksWhat we checkPricingDocsFAQ
free tools
Website security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
company
About our botSupportLog inPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.comiad · ams · sin