How to Check a Website's Security Headers
Part of our guide to HTTP Security Headers Explained: The Complete Guide.
You can check any website's security headers in under a minute using one of three methods: a free online scanner, your browser's developer tools, or the curl command in a terminal. Each looks at the same thing, the HTTP response headers a server sends with a page, but they suit different moments. A scanner is fastest for a verdict. Dev tools are handy while you already have a page open. curl is best for scripting and quick checks from the command line.
If the header names below are unfamiliar, start with HTTP security headers explained, which walks through what each one defends against. This guide assumes you know roughly what you are looking for and focuses on the act of checking. Content-Security-Policy is the most involved of the bunch, so CSP explained covers that one on its own.
Method 1: The free online scanner
The quickest route is the DomainIntel security headers tool. Type a domain, run the scan, and it fetches the live response, lists every security header present, and grades the result from A+ down to F. Missing headers are flagged with the value you should be sending instead, so you get a punch list rather than just a score. This is the method to reach for when you want an answer without opening a terminal, and it works the same whether you are auditing your own site or a competitor's.
Because the scanner reads the server's real response, it reflects redirects, edge caching, and CDN rules exactly as a visitor's browser would see them. That matters: headers set in your application code can be stripped or overwritten by a proxy in front of it, and only a live fetch reveals the truth.
Method 2: Browser developer tools
Already looking at the page? Use the browser. Open developer tools (F12, or right-click and choose Inspect), switch to the Network tab, then reload the page. Click the first request, the one for the document itself, and find the Response Headers section. Everything the server sent is listed there, including the security headers.
This view is useful for spotting per-page differences. A site might send a strict Content-Security-Policy on its marketing pages and a looser one on an app dashboard, and the Network tab shows you each request individually. The MDN reference on HTTP headers is a good companion here when you want the exact syntax and accepted values for a header you see.
Method 3: curl
For terminal users, curl is the fastest check of all. The -I flag asks only for headers:
```
curl -I https://example.com
```
Some servers behave differently for a HEAD request than a normal GET. To see the headers a real page load returns, request the page but throw away the body:
```
curl -sD - -o /dev/null https://example.com
```
Here -s silences the progress meter, -D - dumps headers to standard output, and -o /dev/null discards the response body. Pipe the output through grep when you only care about one header:
```
curl -sD - -o /dev/null https://example.com | grep -i strict-transport-security
```
The checklist: what good looks like
Whichever method you use, compare what you find against this list. The values below are sensible defaults; tune them to your site. The OWASP Secure Headers project maintains the canonical guidance and is worth bookmarking.
| Header | A good value | What it does |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Forces HTTPS for a year, blocking downgrade attacks |
| Content-Security-Policy | default-src 'self' (then tighten) | Limits where scripts, styles, and frames may load from |
| X-Content-Type-Options | nosniff | Stops the browser guessing MIME types |
| X-Frame-Options | DENY (or use CSP frame-ancestors) | Prevents clickjacking via framing |
| Referrer-Policy | strict-origin-when-cross-origin | Trims referrer data sent to other sites |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Disables powerful features you do not use |
A few practical notes. Seeing X-Frame-Options and a CSP frame-ancestors directive together is fine; modern browsers prefer the CSP one. Strict-Transport-Security is ignored over plain HTTP, so always test the HTTPS URL. And an absent header is not always a bug, but for the six above, absence usually means an easy win.
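To turn the curl method and the checklist above into one repeatable check, here is an added shell script (not part of the original guide or of any scanner it mentions). It assumes curl plus POSIX grep, awk and sed; the `-L` flag and the constructed sample dump are additions of mine, and the sample is not a real site's response.

```shell
# last_response: curl -L with -D - prints one header block per redirect hop;
# keep only the final block, which is the one the browser applies to the page.
last_response() {
    tr -d '\r' | awk '/^$/ { if (b != "") last = b; b = ""; next }
                      { b = b $0 "\n" }
                      END { if (b != "") last = b; printf "%s", last }'
}
# header_value NAME: print NAME's value from the dump on stdin (first match).
# Case-insensitive, because HTTP/2 responses arrive with lowercased names.
header_value() {
    grep -i "^$1:" | head -n 1 | cut -d: -f2- | sed 's/^ *//'
}
# check_headers: read a header dump on stdin, print one line per checklist
# item, and return the number of missing items (0 means the list is complete).
check_headers() {
    dump=$(last_response); missing=0
    for name in Strict-Transport-Security Content-Security-Policy \
                X-Content-Type-Options Referrer-Policy Permissions-Policy; do
        value=$(printf '%s\n' "$dump" | header_value "$name")
        if [ -n "$value" ]; then echo "present  $name: $value"
        else echo "MISSING  $name"; missing=$((missing + 1)); fi
    done
    # Frame protection is satisfied by either X-Frame-Options or a CSP
    # frame-ancestors directive, as the checklist notes.
    frame=$(printf '%s\n' "$dump" | header_value X-Frame-Options)
    case "$(printf '%s\n' "$dump" | header_value Content-Security-Policy)" in
        *frame-ancestors*) frame="via CSP frame-ancestors" ;;
    esac
    if [ -n "$frame" ]; then echo "present  frame protection: $frame"
    else echo "MISSING  frame protection"; missing=$((missing + 1)); fi
    return "$missing"
}
# scan_url URL: live check, following redirects so the final response is graded.
scan_url() { curl -sSL -D - -o /dev/null "$1" | check_headers; }
# Constructed sample dump (not a real site): one redirect hop, then the final
# HTTP/2 response, which lacks Permissions-Policy.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://example.com/

HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self'; frame-ancestors 'none'
EOF
}
sample_headers | check_headers || echo "$? checklist item(s) missing"
```

Replace the last line with `scan_url https://your-site.example` to grade a live HTTPS URL; the non-zero return value makes the check usable as a CI gate.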
Want the verdict without copying values into a checklist by hand? Scan any site's headers free at domainintel.app and get a graded report with fix suggestions for everything that is missing.
Frequently asked questions
How do I check a website's security headers?
Three reliable ways: paste the URL into a free online scanner that grades the response, open your browser's developer tools and read the Response Headers on the Network tab, or run a terminal command like curl -I against the site.
What curl command shows response headers?
Run curl -I https://example.com for a quick header dump, or curl -sD - -o /dev/null https://example.com to print headers while discarding the page body.
What security headers should every site have?
At minimum: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, frame protection via X-Frame-Options or CSP frame-ancestors, Referrer-Policy, and Permissions-Policy.