Secure Headers Test
Check whether a site returns important browser security response headers.
Powered by Geekflare Website Load Time API
What Is a Secure Headers Test?
Geekflare Secure Header Test tool helps you analyze your website's HTTP security headers against OWASP (Open Web Application Security Project) recommendations. These headers can reduce exposure to clickjacking, MIME sniffing, referrer leakage, insecure transport, and risky cross-origin access.
HTTP security headers are instructions sent from a web server to a browser, dictating how the browser should behave when handling your website's content.
Why OWASP Recommendation Secure Headers Matter?
OWASP is a globally recognized foundation dedicated to improving website security. Their recommendations OWASP Secure Headers Project represent industry best practices for web application security. By adhering to OWASP guidelines for HTTP security headers, you demonstrate a commitment to protecting your users and maintaining a secure online environment.
Core Protections
| Header | Why It Matters |
|---|---|
| Strict-Transport-Security | Tells browsers to keep using HTTPS for future visits. |
| X-Frame-Options | Helps prevent clickjacking. If missing, CSP frame-ancestors can cover the same protection. |
| X-Content-Type-Options | Prevents MIME type sniffing when set to nosniff. |
| Content-Security-Policy | Restricts which scripts, styles, frames, and other resources may load. |
| Referrer-Policy | Controls how much referrer information is sent to other sites. |
Contextual Headers
These headers are useful, but they are not universally required for every website.
| Header | Why It Matters |
|---|---|
| Cross-Origin-Opener-Policy | Helps isolate browsing contexts from other origins. |
| Cross-Origin-Embedder-Policy | Controls loading of cross-origin resources. |
| Cross-Origin-Resource-Policy | Controls which origins may include the resource. |
| X-Permitted-Cross-Domain-Policies | Limits legacy Adobe cross-domain policy behavior. |
| Clear-Site-Data | Allows clearing browser storage during sensitive flows such as logout. |
| Cache-Control | Controls browser and intermediary caching behavior. |
How to Read the Results
The summary separates core protections from contextual headers. Missing core protections deserve attention first. Missing contextual headers may be acceptable depending on the application, page type, and deployment model.
The alerts and advisories section highlights header values that may need review:
- HSTS
max-agebelow 30 days. - HSTS without
preload, shown as an advisory because preload is optional. - X-Frame-Options using deprecated
ALLOW-FROM. - Missing framing protection when neither X-Frame-Options nor CSP
frame-ancestorsexists. - X-Content-Type-Options set to a value other than
nosniff. - CSP containing
unsafe-inline.
Use these results as a starting point, then tune policies for your application. Content-Security-Policy and cross-origin policies can break legitimate assets if they are copied blindly, so deploy them carefully and test affected pages.
How to Implement Secure Headers?
Secure headers implementation depends on the web servers or edge technologies you are using.
- To implement in Apache and Nginx, refer to Geekflare security guide.
- Use Cloudflare Transform Rules to implement through Cloudflare.
- SUCURI WAF givens you an option to enable additional headers with one click.
Frequently Asked Questions
Secure headers are HTTP response headers that tell browsers how to handle risky behavior such as framing, MIME sniffing, mixed content, referrer leakage, and cross-origin isolation.
Not really. The tool separates core protections from contextual headers. Missing HSTS, CSP, X-Content-Type-Options, Referrer-Policy, or framing protection is usually worth reviewing first.
The tool highlights short HSTS max-age values, optional HSTS preload advisories, missing framing protection, deprecated X-Frame-Options ALLOW-FROM usage, non-nosniff X-Content-Type-Options values, and CSP values containing unsafe-inline.