HTTP Headers Checker — Security Header Test

The dnsverifier.com HTTP Headers Checker inspects every response header on any public URL, grades the security posture across six categories (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), analyzes cookies and cache directives, audits TLS, scans for mixed content, and generates copy-paste server-config fixes for nginx, Caddy, Apache, and Cloudflare Workers.

Frequently asked questions

Which HTTP security headers should every site set?
Strict-Transport-Security (HSTS) with max-age ≥ 180 days; Content-Security-Policy with at least default-src 'self'; X-Content-Type-Options: nosniff; Referrer-Policy: strict-origin-when-cross-origin; X-Frame-Options: DENY (or CSP frame-ancestors 'none'); Permissions-Policy disabling unused browser APIs.
What is HSTS and how do I check it?
HSTS (HTTP Strict Transport Security) tells browsers to use HTTPS for every future request to your domain, even if the user types http://. Run the checker — the HSTS panel shows max-age, includeSubDomains, preload, and whether you're preload-eligible (max-age ≥ 1 year + includeSubDomains + preload).
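The baseline from the two answers above (six header categories, HSTS max-age of at least 180 days, preload eligibility at one year plus includeSubDomains plus preload) can be checked offline against a captured response. The following is an added example, not code from dnsverifier.com; it works on a plain dict of response headers, the sample headers are constructed, and the set of Referrer-Policy values it accepts is an assumption of this example rather than the tool's rule.

```python
import re

# Thresholds from the FAQ: max-age >= 180 days to pass, >= 1 year for preload eligibility.
SIX_MONTHS = 180 * 86400
ONE_YEAR = 365 * 86400

# Referrer-Policy values treated as acceptable here (an assumption of this example;
# the FAQ's recommended value is strict-origin-when-cross-origin).
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_hsts(value):
    """Split an HSTS value into (max_age seconds or None, set of lowercase flags)."""
    max_age, flags = None, set()
    for part in (p.strip() for p in value.split(";")):
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif part:
            flags.add(part.lower())
    return max_age, flags


def hsts_status(value):
    """Grade an HSTS header: 'missing', 'short' (< 180 days) or 'ok', plus preload eligibility."""
    if value is None:
        return {"status": "missing", "max_age": None, "preload_eligible": False}
    max_age, flags = parse_hsts(value)
    status = "ok" if max_age is not None and max_age >= SIX_MONTHS else "short"
    eligible = (max_age is not None and max_age >= ONE_YEAR
                and "includesubdomains" in flags and "preload" in flags)
    return {"status": status, "max_age": max_age, "preload_eligible": eligible}


def grade_headers(headers):
    """Apply the six baseline checks from the FAQ to a header dict (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "").lower()
    has_default_src = re.search(r"(^|;)\s*default-src\b", csp) is not None
    # Framing is covered either by X-Frame-Options or by a CSP frame-ancestors directive.
    framed = (h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
              or re.search(r"(^|;)\s*frame-ancestors\b", csp) is not None)
    return {
        "hsts": hsts_status(h.get("strict-transport-security"))["status"],
        "csp": "ok" if has_default_src else "missing",
        "x-content-type-options": "ok" if h.get("x-content-type-options", "").lower() == "nosniff" else "missing",
        "referrer-policy": "ok" if h.get("referrer-policy", "").lower() in STRICT_REFERRER else "weak",
        "framing": "ok" if framed else "missing",
        "permissions-policy": "ok" if "permissions-policy" in h else "missing",
    }


if __name__ == "__main__":
    print(grade_headers(SAMPLE_HEADERS))
    print(hsts_status(SAMPLE_HEADERS["Strict-Transport-Security"]))
```

On the constructed sample, HSTS, CSP, nosniff and Referrer-Policy pass, while framing and Permissions-Policy are reported missing; the HSTS value is also preload-eligible because it meets all three conditions.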
How does dnsverifier.com grade Content Security Policy?
It parses every directive, flags 'unsafe-inline' / 'unsafe-eval' on script-src as risky, checks for object-src 'none', base-uri 'self', and frame-ancestors. The CSP analyzer also lists every external host you allow so you can spot accidental overlinking.
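The CSP checks listed above can be reproduced with a small directive parser. This is an added example, not dnsverifier.com's analyzer: it splits a policy into directives, flags 'unsafe-inline' and 'unsafe-eval' on script-src (falling back to default-src, as browsers do), checks object-src, base-uri and frame-ancestors, and collects every external host the policy allows. The sample policy is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample policy, not captured from any real site.
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' 'unsafe-inline' https://cdn.example.com https://*.analytics.example; "
              "object-src 'none'; base-uri 'self'; img-src https: data:")


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}.
    Browsers honour only the first occurrence of a directive, so duplicates are ignored."""
    policy = {}
    for token in value.split(";"):
        fields = token.split()
        if not fields:
            continue
        name, sources = fields[0].lower(), fields[1:]
        policy.setdefault(name, sources)
    return policy


def source_host(expr):
    """Return the host of a host-source expression, or None for keywords and scheme-only sources."""
    if expr.startswith("'") or expr.endswith(":") or expr == "*":
        return None
    if "://" in expr:
        return urlsplit(expr).netloc
    return expr.split("/", 1)[0]


def analyze_csp(value):
    """Apply the FAQ's checks: risky script-src keywords, object-src, base-uri,
    frame-ancestors, and the list of external hosts the policy trusts."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when absent (fetch-directive fallback).
    script = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    for risky in ("'unsafe-inline'", "'unsafe-eval'"):
        if risky in script:
            findings.append(f"script-src allows {risky}")
    if [s.lower() for s in policy.get("object-src", [])] != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "'self'" not in [s.lower() for s in policy.get("base-uri", [])]:
        findings.append("base-uri does not restrict to 'self'")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors not set")
    hosts = {source_host(s) for sources in policy.values() for s in sources}
    hosts.discard(None)
    return {"findings": findings, "external_hosts": sorted(hosts)}


if __name__ == "__main__":
    print(analyze_csp(SAMPLE_CSP))
```

The sample policy yields two findings (the inline-script allowance and the absent frame-ancestors) and two external hosts; the wildcard host shows up in the host list, which is exactly the kind of overlinking the FAQ says to watch for.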
Can I export the fixes as a config file?
Yes. Once findings are generated, the 'Fix snippets' panel produces ready-to-paste nginx server blocks, Caddy directives, Apache .htaccess rules, and a Cloudflare Workers script. Copy, paste, reload — the headers are live.
Does it check cookies and mixed content?
Yes. The cookie analyzer flags missing Secure / HttpOnly / SameSite attributes, oversized cookies, and third-party cookies. The mixed-content scanner walks the HTML for http:// resources loaded over https:// pages.
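The cookie and mixed-content checks described above can be run locally on a captured response. The following is an added example, not dnsverifier.com's scanner: it flags missing Secure / HttpOnly / SameSite attributes and oversized cookies on a Set-Cookie value, and finds http:// resource URLs in HTML that would be loaded on an https:// page. The 4096-byte size cap, the sample cookies and the sample HTML are all constructed assumptions of this example, and the HTML scan is a regex heuristic over resource-loading tags rather than a full parser.

```python
import re

MAX_COOKIE_BYTES = 4096  # assumed per-cookie size cap used by this example

# Constructed sample inputs, not captured from any real site.
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracker=xyz; Path=/",
]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
</head><body>
<img src="https://img.example.com/logo.png">
<script src="http://static.example.com/app.js"></script>
<a href="http://example.com/about">About</a>
</body></html>"""


def analyze_set_cookie(header):
    """Flag a Set-Cookie value for missing Secure / HttpOnly / SameSite and for oversize."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite not in ("strict", "lax", "none"):
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    if len(header.encode("utf-8")) > MAX_COOKIE_BYTES:
        findings.append("oversized cookie")
    return {"name": name, "findings": findings}


# Resource-loading tags only: an <a href="http://..."> is a navigation, not mixed content.
MIXED_RE = re.compile(
    r"""<(?:img|script|iframe|audio|video|source|link|embed|object)\b[^>]*?\b(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)""",
    re.IGNORECASE)


def find_mixed_content(html):
    """Return the http:// resource URLs an https:// page would load (heuristic, not an HTML parser)."""
    return MIXED_RE.findall(html)


if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        print(analyze_set_cookie(cookie))
    print(find_mixed_content(SAMPLE_HTML))
```

Of the two sample cookies, the session cookie is clean and the tracking cookie is missing all three attributes; the HTML scan reports the stylesheet and the script but not the plain link, since navigations are not mixed content.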