Free tool · Runs in your browser · Nothing uploaded

Grade your security headers.

Run curl -I https://yoursite.com (or copy Response Headers from dev tools) and paste them below. You get a grade, what's present, weak, or missing — and the exact headers to add.

100% client-side

The cheapest security you're not shipping

Security headers are close to free — a few lines in your reverse proxy — and they shut down whole classes of attack: protocol downgrades, clickjacking, MIME confusion, and a big slice of XSS. On a managed platform some of these came set by default. On a box you own, they're yours to add, and they're the first thing a security review checks. This grades what you've got and hands you the rest.
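The kind of check described above, as an added example (not Infraveil's code or its grading rules). It assumes one well-known header per attack class the paragraph names: Strict-Transport-Security for downgrades, X-Frame-Options or CSP frame-ancestors for clickjacking, X-Content-Type-Options for MIME confusion, and Content-Security-Policy for XSS. The "weak" thresholds and the sample response are constructed for illustration.

```javascript
// Added example; the header choice and "weak" thresholds are assumptions, not the tool's rules.
function parseHeaders(raw) {
  const headers = Object.create(null);
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // status line ("HTTP/2 200") and blank lines carry no header name
    const name = line.slice(0, i).trim().toLowerCase(); // header names are case-insensitive
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Effective script policy: script-src, falling back to default-src.
function scriptPolicy(csp) {
  const dirs = csp.split(";").map((d) => d.trim().toLowerCase());
  return dirs.find((d) => d.startsWith("script-src ")) ||
    dirs.find((d) => d.startsWith("default-src ")) || "";
}

const CHECKS = [
  { name: "strict-transport-security", // weak if max-age is absent or under 180 days
    weak: (v) => { const m = /max-age="?(\d+)/i.exec(v); return !m || Number(m[1]) < 15552000; } },
  { name: "x-content-type-options", weak: (v) => v.toLowerCase() !== "nosniff" },
  { name: "content-security-policy", // simplified: ignores the nonce/hash case
    weak: (v) => { const p = scriptPolicy(v); return !p || /'unsafe-(inline|eval)'/.test(p); } },
  { name: "x-frame-options", weak: (v) => !/^(deny|sameorigin)$/i.test(v),
    // CSP frame-ancestors supersedes X-Frame-Options in current browsers.
    coveredBy: (h) => /frame-ancestors/i.test(h["content-security-policy"] || "") },
];

// Returns { headerName: "ok" | "weak" | "missing" | "covered" }.
function review(raw) {
  const h = parseHeaders(raw);
  const result = {};
  for (const c of CHECKS) {
    const v = h[c.name];
    if (v === undefined) result[c.name] = c.coveredBy && c.coveredBy(h) ? "covered" : "missing";
    else result[c.name] = c.weak(v) ? "weak" : "ok";
  }
  return result;
}

// Constructed sample in the shape `curl -I` prints.
const SAMPLE = ["HTTP/2 200", "content-type: text/html; charset=utf-8",
  "strict-transport-security: max-age=300", "X-Content-Type-Options: nosniff",
  "content-security-policy: default-src 'self'; frame-ancestors 'none'"].join("\r\n");
console.log(review(SAMPLE));
```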

The hard part isn't setting them once; it's keeping them set across every service and deploy, and noticing when a config change quietly drops one. That drift — security that was there last month and isn't now — is exactly what a control plane is built to catch and prove.

Set them once. Keep them set, provably.

Infraveil manages your edge config and watches for drift across every host you own — so the headers you set stay set, and you have a tamper-evident record proving it. Generate the headers with our reverse-proxy tool, then keep them honest.
