Leaky Bucket

Security Headers Audit

Find transport and DNS security gaps before attackers do. We test the headers and records that protect your users from downgrade attacks, clickjacking, and certificate fraud.

What We Test

  • HSTS (Strict-Transport-Security) — max-age validation (31536000s minimum), includeSubDomains, preload directive checks
  • Content-Security-Policy parsing — script-src, style-src, default-src, base-uri, form-action, frame-ancestors directive analysis
  • CSP source detection — header vs meta tag CSP, frame-ancestors enforcement validation
  • X-Frame-Options & X-Content-Type-Options — DENY/SAMEORIGIN clickjacking checks, nosniff validation
  • HTTP-to-HTTPS redirect posture — verify insecure HTTP requests are redirected to the same host over HTTPS
  • Cookie security flags — Secure, HttpOnly, and SameSite hardening on response cookies
  • COOP/CORP/COEP — Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy
  • DNSSEC validation via DoH — DNS-over-HTTPS queries to Google/Cloudflare, AD flag and DS record checks
  • CAA record lookup — Certificate Authority Authorization (issue, issuewild, iodef tags), inheritance from parent domains
  • Mixed content scanning — HTTP resource detection in HTTPS pages (img, script, link tags), upgrade-insecure-requests check
  • HTTP/3 detection — alt-svc header parsing for h3 protocol advertisement
  • Scored evaluation — weighted scoring (core headers: 60, CSP hardening: 15, DNS security: 10, transport posture: 10, mixed content: 5)

Why Security Headers Prevent Attacks

Missing security headers are invisible to users but trivial for attackers to exploit. A site without HSTS can be downgraded to HTTP via SSL stripping attacks. Missing X-Frame-Options enables clickjacking, and no X-Content-Type-Options allows MIME sniffing attacks. We parse HTTP response headers, inspect CSP strictness, validate DNSSEC via DNS-over-HTTPS queries, scan CAA records, detect mixed content, check HTTP-to-HTTPS redirect posture, and review cookie hardening flags. The score weights core headers 60, CSP hardening 15, DNS security 10, transport posture 10 and mixed content 5, so transport and browser controls stay explicit in the result.

Framework-Specific Security Header Config

When we detect missing security headers, we generate framework-specific configuration. For Next.js, we provide a next.config.js async headers() block with all recommended headers. For SvelteKit, we show a src/hooks.server.ts Handle implementation with response.headers.set() calls. For Nuxt, we provide server/middleware/security-headers.ts with a setResponseHeader() call for each header. For Astro, we show src/middleware.ts with response header injection. For WordPress, we provide .htaccess mod_headers config. For Nginx, Apache and Cloudflare, we include examples for multiple deployment targets. Every fix includes exact header values (HSTS max-age=31536000, CSP with strict nonce-based script-src, X-Frame-Options: DENY), DNS recommendations (enable DNSSEC at your registrar, add CAA records), and scoring context so you understand the impact.

How We Grade

Pass

All critical headers present with recommended values

Partial

Headers present but with weak or incomplete configuration

Fail

Critical security headers missing entirely
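As an added example (not Leaky Bucket's own code), a small Python audit of the core header checks listed under What We Test, graded with the Pass/Partial/Fail rule from How We Grade. It assumes headers arrive as a dict from an HTTP client, treats HSTS, CSP, X-Frame-Options and X-Content-Type-Options as the critical set, and leaves the DNS, redirect, cookie and mixed-content checks out; the two sample responses are constructed.

```python
import re

HSTS_MIN_MAX_AGE = 31536000  # one-year minimum, as stated on the page

def check_hsts(value):
    """Findings for a Strict-Transport-Security value; None means the header is absent."""
    if value is None:
        return ["HSTS missing"]
    v = value.lower()
    m = re.search(r"max-age=(\d+)", v)
    findings = [] if m and int(m.group(1)) >= HSTS_MIN_MAX_AGE else ["HSTS max-age below 31536000"]
    findings += [f"HSTS lacks {d}" for d in ("includeSubDomains", "preload") if d.lower() not in v]
    return findings

def check_csp(value):
    """Findings for a Content-Security-Policy value; None means the header is absent."""
    if value is None:
        return ["CSP missing"]
    directives = {}
    for tokens in (part.split() for part in value.split(";")):
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = ["CSP lacks frame-ancestors"] if "frame-ancestors" not in directives else []
    # script-src falls back to default-src when absent, mirroring browser behaviour
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script and not any(t.startswith("'nonce-") for t in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce")
    return findings

def audit(headers):
    """Return (grade, findings) using the page's Pass/Partial/Fail rule (assumed critical set)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = check_hsts(h.get("strict-transport-security"))
    findings += check_csp(h.get("content-security-policy"))
    for name, allowed in (("X-Frame-Options", ("DENY", "SAMEORIGIN")),
                          ("X-Content-Type-Options", ("NOSNIFF",))):
        v = h.get(name.lower())
        if v is None:
            findings.append(f"{name} missing")
        elif v.strip().upper() not in allowed:
            findings.append(f"{name} has weak value {v!r}")
    if any(f.endswith("missing") for f in findings):
        return "Fail", findings  # a critical header is absent entirely
    return ("Partial" if findings else "Pass"), findings

# Constructed sample responses (not captured from any real site).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload", "X-Frame-Options": "DENY",
        "Content-Security-Policy": "script-src 'nonce-r4nd0m'; frame-ancestors 'none'", "X-Content-Type-Options": "nosniff"}
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'", "X-Content-Type-Options": "nosniff"}
```

Running `audit(WEAK)` returns Partial with five findings (short HSTS max-age, no includeSubDomains, no preload, no frame-ancestors, inline scripts without a nonce), while an empty header set returns Fail.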

The free audit gives per-check scores and an overall grade. Unlock full details, fixes, and deep AI analysis for $9 per report.

Check Your Site Now