Check Your Website's Security Headers
Enter your domain below to see which security headers are missing and what attacks you might be vulnerable to.
Frequently Asked Questions
What are security headers?
Security headers are HTTP response headers that instruct browsers how to handle your site's content. They prevent attacks like clickjacking, cross-site scripting, and data theft by restricting what browsers allow when loading your pages.
How do I add security headers to my website?
Security headers are added through your web server configuration (Apache, Nginx, or IIS), your application code, or a CDN like Cloudflare. Each header is a single line in your server config.
What is a good security headers grade?
An A or A+ grade means most critical headers are present. Many websites score D or F because security headers are often overlooked during development. Even adding 2-3 key headers can dramatically improve your score.
Are missing security headers dangerous?
Missing headers don't guarantee you'll be hacked, but they remove important layers of defense. Real breaches like the British Airways Magecart attack (380,000 cards stolen) exploited weaknesses that proper headers would have mitigated.
How often should I check my security headers?
Check after every server configuration change, CMS update, or CDN modification. Headers can be accidentally removed during updates. A monthly check is good practice.
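A check that can run after each change, as an added example that is not part of this scanner or its code: it audits one response's headers and reports any tracked header that a change dropped. The header baseline, the 180-day HSTS threshold and the sample headers are assumptions chosen for the example.

```python
import re

# Baseline and threshold are assumptions for this example, not the scanner's rules.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy")
TRACKED = set(REQUIRED) | {"x-frame-options", "permissions-policy"}
MIN_HSTS_AGE = 15552000  # 180 days, in seconds


def normalize(headers):
    """Lower-case header names, since HTTP header names are case-insensitive."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def audit_headers(headers):
    """Return a sorted list of findings for one response's headers."""
    h = normalize(headers)
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    # Clickjacking defence: either X-Frame-Options or CSP frame-ancestors.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("missing: framing control (x-frame-options or frame-ancestors)")
    # A header can be present and still ineffective.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("weak: strict-transport-security max-age")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: x-content-type-options is not nosniff")
    return sorted(findings)


def dropped_since(baseline, current):
    """Tracked security headers present in the baseline but absent now."""
    gone = set(normalize(baseline)) - set(normalize(current))
    return sorted(gone & TRACKED)


# Constructed sample data: the same site before and after a hypothetical CDN change.
BEFORE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff",
          "Referrer-Policy": "strict-origin-when-cross-origin",
          "Server": "nginx"}
AFTER = {"strict-transport-security": "max-age=300",
         "X-Content-Type-Options": "nosniff",
         "Server": "cdn"}

if __name__ == "__main__":
    print(audit_headers(AFTER))
    print(dropped_since(BEFORE, AFTER))
```

Saving the headers from a known-good response as the baseline lets the same comparison run after every deployment.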
Does this scanner store my data?
The scanner only reads your site's HTTP response headers. Your site content is not stored, your server is not accessed, and scan results are not shared with third parties.
Masada Hardening Security Headers