What security headers do
HTTP security headers are instructions your web server sends to browsers telling them how to behave safely. They're free to add, require no code changes to your application logic, and shut down whole classes of attack, yet a surprising number of sites ship without them. This free checker fetches your site and grades the headers that matter most.
Content-Security-Policy (CSP) is the strongest defense against cross-site scripting (XSS). It controls which scripts, styles, and resources a browser will load. A policy that uses unsafe-inline or unsafe-eval negates most of that protection, so we flag those explicitly.
Strict-Transport-Security (HSTS) forces browsers to use HTTPS, preventing downgrade and cookie-hijacking attacks on public networks. X-Frame-Options (or CSP frame-ancestors) stops clickjacking by controlling who can embed your site in an iframe. X-Content-Type-Options: nosniff stops browsers from second-guessing content types, a common XSS vector. Referrer-Policy and Permissions-Policy limit what data and device APIs leak to third parties.
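The grading logic described above, written out as an added example in Python; this is not the checker's own code. It grades a parsed response header map (two constructed samples are embedded) and uses an assumed one-year HSTS max-age threshold that the page does not specify.

```python
"""Grade HTTP security headers from a parsed response (added example, not the checker's code)."""
import re

# Constructed sample responses; header names lower-cased as an HTTP client would return them.
WEAK = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
}
STRONG = {
    "content-security-policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age in seconds; the page states no threshold

def grade_headers(headers: dict) -> dict:
    """Return {check_name: 'ok' | 'weak' | 'missing'} for the headers the page discusses."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {}
    csp = h.get("content-security-policy")
    if csp is None:
        result["content-security-policy"] = "missing"
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        result["content-security-policy"] = "weak"  # inline/eval allowances negate the XSS protection
    else:
        result["content-security-policy"] = "ok"
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if m is None:
        result["strict-transport-security"] = "missing"
    else:
        result["strict-transport-security"] = "ok" if int(m.group(1)) >= ONE_YEAR else "weak"
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive satisfies the check.
    if "x-frame-options" in h or (csp and "frame-ancestors" in csp):
        result["framing"] = "ok"
    else:
        result["framing"] = "missing"
    nosniff = h.get("x-content-type-options", "").lower()
    result["x-content-type-options"] = "ok" if nosniff == "nosniff" else ("missing" if not nosniff else "weak")
    for name in ("referrer-policy", "permissions-policy"):
        result[name] = "ok" if name in h else "missing"
    return result
```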
Missing or weak headers rarely cause an outage, so they go unnoticed until a penetration test, or an attacker, finds them. Adding them is one of the highest-leverage, lowest-cost improvements you can make to your external security posture.
This checker runs the same headers module used in the full NEL VEIL assessment, which grades 17 modules (TLS, email authentication, exposed ports, cloud misconfigurations, JavaScript supply chain, and more) into a single Veil Posture Score. If your headers need work, an identity-verified professional can harden them as part of a fixed-price External Hardening Sprint, with a re-scan to prove the fix.