Check your security headers in seconds

Missing security headers leave your site open to clickjacking, XSS, and other attacks. SiteCurl checks 10 headers and tells you what to add.

No signup required. Results in under 60 seconds.

What this check does

SiteCurl checks 10 HTTP security headers that protect your visitors: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin Opener Policy (COOP), HTTPS enforcement, HSTS, SSL certificate validity, and mixed content detection.

Each header tells browsers how to handle your site. Missing headers mean the browser falls back to weaker defaults, giving attackers more room to act. The check reports which headers are present and which are missing.

Why it matters

Security headers are your first line of defense against common web attacks. Without a Content Security Policy, the browser has no rule telling it to block injected scripts. Without X-Frame-Options, attackers can embed your site in a fake page. These are not theoretical risks: they are the attacks most commonly used against websites.

Adding security headers is one of the fastest security improvements you can make. Most headers are a single line of server setup. You do not need to change your code. And once set, they protect every page on your site.

How to fix it

Most security headers can be added through your web server, CDN, or hosting platform. If you use Cloudflare, many headers can be set with a toggle. If you use Nginx or Apache, add them to your server setup.

Start with the highest-impact headers: Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. Then add Referrer-Policy and Permissions-Policy. Each finding in SiteCurl includes the header name and a recommended value.

Test after each change. Some headers, especially CSP, can break functionality if set too strictly. Start with a report-only policy and tighten it once you confirm nothing breaks.
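As an added example (not SiteCurl's own code), the sketch below shows one way to re-check a response's headers after each change. It covers only the response-header part of the list above, and its function name, status labels and sample headers are assumptions made for illustration.

```python
import re
PRESENCE_ONLY = ["Referrer-Policy", "Permissions-Policy", "Cross-Origin-Opener-Policy"]

def audit_headers(pairs):
    """Return {header: (status, note)} for one response's (name, value) pairs."""
    h = {k.strip().lower(): v.strip() for k, v in pairs}  # names are case-insensitive
    out = {"Content-Security-Policy": ("missing", "")}
    csp = h.get("content-security-policy", "")
    if csp:
        out["Content-Security-Policy"] = ("ok", "enforced")
    elif "content-security-policy-report-only" in h:
        # Report-only logs violations but blocks nothing: a rollout stage, not protection.
        out["Content-Security-Policy"] = ("warn", "report-only, not enforced")
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        out["X-Frame-Options"] = ("ok", xfo)
    elif "frame-ancestors" in csp.lower():
        # An enforced CSP frame-ancestors directive gives the same framing control.
        out["X-Frame-Options"] = ("ok", "covered by CSP frame-ancestors")
    else:
        out["X-Frame-Options"] = ("warn" if xfo else "missing", xfo)
    xcto = h.get("x-content-type-options", "").lower()
    out["X-Content-Type-Options"] = (
        ("ok", "nosniff") if xcto == "nosniff" else ("warn" if xcto else "missing", xcto))
    hsts = h.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if not hsts:
        out["Strict-Transport-Security"] = ("missing", "")
    elif not m or int(m.group(1)) == 0:
        # max-age=0 tells the browser to forget the HSTS policy.
        out["Strict-Transport-Security"] = ("warn", "max-age absent or zero")
    else:
        out["Strict-Transport-Security"] = ("ok", "max-age=" + m.group(1))
    for name in PRESENCE_ONLY:
        out[name] = ("ok", "") if h.get(name.lower()) else ("missing", "")
    return out

# Constructed sample response headers (not taken from a real scan).
SAMPLE = [
    ("content-security-policy-report-only", "default-src 'self'; report-uri /csp"),
    ("X-Frame-Options", "ALLOWALL"),
    ("x-content-type-options", "nosniff"),
    ("Strict-Transport-Security", "max-age=0"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]

if __name__ == "__main__":
    for name, (status, note) in audit_headers(SAMPLE).items():
        print(f"{status:8} {name} {note}".rstrip())
```

On the sample, the report-only CSP and the zero max-age both come back as warnings rather than passes, which is the state to expect mid-rollout and to clear before calling the change done.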

Example findings from a scan

No Content Security Policy header found

X-Frame-Options header missing

Permissions-Policy header not set

Frequently asked questions

What are the most important security headers?

Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options are the three highest-impact headers. They block script injection, clickjacking, and MIME-type sniffing attacks.

Can security headers break my site?

A strict Content-Security-Policy can block legitimate scripts. Start with a report-only mode, check what gets blocked, and adjust before enforcing. Other headers rarely cause issues.

How do I add security headers?

Through your web server setup, CDN settings, or hosting platform. SiteCurl tells you which headers to add. Your hosting docs will show you where to put them.

Do security headers affect SEO?

Not directly. But HTTPS (which relies on SSL/TLS) is a ranking factor, and security issues can hurt user trust, which affects bounce rates and engagement signals.

Can I check security headers without signing up?

Yes. The free audit checks all 10 security headers as part of a full seven-category scan. No signup required.
