HTTP security headers checker

Enter a URL to see its HTTP response headers and a quick grade on the security headers that matter.

How to use the http security headers checker

Enter a URL.
Press Check.
Review which security headers are present and which are missing.

The headers that matter

The high-value security headers are HSTS (forces HTTPS), Content-Security-Policy (limits what can load), X-Content-Type-Options, X-Frame-Options (anti-clickjacking), Referrer-Policy, and Permissions-Policy. They tell browsers how to defend your visitors against common attacks. Pair this with the SSL certificate checker.

Code & API examples

Use this from the command line or your code. The API is free, GET-only, and returns JSON.

API (curl)

curl "https://vpn.golf/api/tools/headers?url=example.com"

Shell

curl -sI https://example.com

See all endpoints at /api/tools/.

Frequently asked questions

HSTS (forces HTTPS), Content-Security-Policy (limits what loads), X-Content-Type-Options, X-Frame-Options (clickjacking), and Referrer-Policy are the high-value ones.

They tell browsers how to defend your visitors against common attacks like clickjacking, content injection, and protocol downgrade.

Related tools

SSL/TLS certificate checker DNS lookup tool Open port checker

Want to hide your IP for real?

vpn.golf is a no-logs WireGuard VPN. Pick a hole, take the shot.

Step up to the tee — free

HTTP security headers checker

How to use the http security headers checker

The headers that matter

Code & API examples

Frequently asked questions

Which security headers matter most?

Why are security headers important?