Security Headers Analyzer

Grade any site A+ to F on CSP, HSTS and core security headers — with ready-to-paste fixes.

This analyzer fetches any URL and grades its HTTP security headers the same way securityheaders.com does — but with actionable, copy-paste nginx fixes for every missing header. Pair it with the Technology Profiler to get a complete picture of any site's stack and posture.

Frequently Asked Questions

What are HTTP security headers?

Security headers are instructions a web server sends with every response that tell browsers how to behave defensively: Content-Security-Policy restricts where scripts can load from, Strict-Transport-Security forces HTTPS, X-Frame-Options blocks clickjacking, and so on. They are one of the cheapest, highest-impact hardening steps a site can take.

How is the A+ to F grade calculated?

The grade counts how many of the six core headers are present (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy). All six earn an A; an A+ additionally requires at least one cross-origin isolation header (COOP/CORP/COEP) and no weakening flags like unsafe-inline in your CSP.

Will missing security headers hurt my SEO?

Not directly — Google does not rank by security headers. However, HSTS protects the HTTPS experience Google does measure, and a hardened site is less likely to get hacked and blacklisted, which absolutely destroys rankings. Treat headers as insurance for your SEO investment.

How do I add the missing headers?

Every missing header in your report includes a ready-to-paste nginx fix snippet. On Apache, use "Header always set" directives in .htaccess; on WordPress with nginx, add the snippets to your server block and reload. Start with X-Content-Type-Options and HSTS (lowest risk), and test CSP in report-only mode before enforcing it.

What is information disclosure and why is it flagged?

Headers like Server: nginx/1.24.0 or X-Powered-By: PHP/8.3 reveal exact software versions, which lets attackers look up version-specific exploits. The report flags them so you can strip or genericize them.
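As an added example (not the analyzer's own code), the grading rule from the grade FAQ and the version-disclosure check from the answer above, applied to constructed header sets; the six core headers and the A+ conditions come from the page, while the B to D scale for partial coverage and treating unsafe-eval as a weakening flag are assumptions.

```python
import re
from typing import Mapping

# The six core headers and the A+ rule are taken from the FAQ above.
CORE_HEADERS = (
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
)
ISOLATION_HEADERS = (
    "cross-origin-opener-policy", "cross-origin-resource-policy",
    "cross-origin-embedder-policy",
)
# The page names unsafe-inline as a weakening flag; unsafe-eval is an added assumption.
WEAKENING = ("'unsafe-inline'", "'unsafe-eval'")
# Assumed scale for partial coverage: the page only says that all six earn an A.
SCALE = {6: "A", 5: "B", 4: "C", 3: "D"}
VERSION_RE = re.compile(r"/\d+(\.\d+)*")  # e.g. "nginx/1.24.0", "PHP/8.3"


def grade(headers: Mapping[str, str]) -> dict:
    """Return the letter grade plus the missing headers and CSP weakening flags."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    missing = [name for name in CORE_HEADERS if name not in h]
    csp = h.get("content-security-policy", "").lower()
    weak = [flag for flag in WEAKENING if flag in csp]
    letter = SCALE.get(len(CORE_HEADERS) - len(missing), "F")
    if letter == "A" and not weak and any(n in h for n in ISOLATION_HEADERS):
        letter = "A+"
    return {"grade": letter, "missing": missing, "weak_csp": weak}


def disclosures(headers: Mapping[str, str]) -> list:
    """Flag Server / X-Powered-By values that reveal an exact software version."""
    return [f"{k}: {v}" for k, v in headers.items()
            if k.lower() in ("server", "x-powered-by") and VERSION_RE.search(v)]


# Constructed sample responses (not captured from any real site).
STRICT = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Server": "nginx",
}
WEAK_CSP = {**STRICT, "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
            "Server": "nginx/1.24.0", "X-Powered-By": "PHP/8.3"}
```

STRICT grades A+ with no disclosures; WEAK_CSP keeps all six headers but drops to A because of unsafe-inline, and both version-bearing headers are flagged.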