Tool guide
Security Header Test
A security header test helps you verify the response headers your site actually sends to browsers once redirects, CDN rules, and hosting settings have been applied.
What The Test Looks For
The most useful test checks the final response for CSP, HSTS, framing protection, nosniff, referrer policy, and permissions policy.
It should also show raw headers so you can compare what the server returned with what your app or CDN config says.
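Added example (not the tool's own code): a small Python checker that fetches a URL with GET, follows redirects the way a browser would, prints the raw headers of the final response, and reports each control the guide lists as present or missing. The header-name table and the labels are assumptions of this example; framing protection is counted as satisfied by either X-Frame-Options or a CSP frame-ancestors directive.

```python
"""Report the security headers on the final response for a URL."""
import sys
import urllib.error
import urllib.request

# Headers the guide lists, keyed by lowercase header name (assumed table).
# Framing protection is handled separately below because two headers can provide it.
REQUIRED = {
    "content-security-policy": "CSP",
    "strict-transport-security": "HSTS",
    "x-content-type-options": "nosniff",
    "referrer-policy": "referrer policy",
    "permissions-policy": "permissions policy",
}

def check_headers(headers):
    """Return {label: 'present'|'missing'}; `headers` is any name->value mapping."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, label in REQUIRED.items():
        result[label] = "present" if name in lower else "missing"
    # Framing protection: legacy X-Frame-Options or modern CSP frame-ancestors.
    csp = lower.get("content-security-policy", "")
    framing = "x-frame-options" in lower or "frame-ancestors" in csp.lower()
    result["framing protection"] = "present" if framing else "missing"
    # X-Content-Type-Options only counts when its value really is "nosniff".
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        result["nosniff"] = "missing"
    return result

def fetch_final(url, timeout=10):
    """GET the URL, follow redirects, and return (final_url, headers) of the last hop."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "header-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.geturl(), dict(resp.getheaders())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers worth reading
        return err.geturl(), dict(err.headers.items())

if __name__ == "__main__":
    final_url, hdrs = fetch_final(sys.argv[1])
    print("final URL:", final_url)
    for k, v in hdrs.items():  # raw headers, to compare against app or CDN config
        print(f"  {k}: {v}")
    for label, status in check_headers(hdrs).items():
        print(f"{label:22} {status}")
```

Run it against the exact hostname and scheme users reach (HTTPS, www or non-www) so the report reflects the final browser-facing response rather than an intermediate redirect.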
Reading Missing Results
A missing header is a signal to review, not always an emergency. A brochure page and a logged-in dashboard do not carry the same risk.
Start with the headers that are unlikely to break the site, then plan CSP and HSTS changes more carefully.
Common False Starts
Many teams test localhost, then discover production headers are different because a CDN or host rewrites them.
Another common issue is testing the wrong hostname. HTTP, HTTPS, www, non-www, and locale redirects can land on different final responses.
Common questions
What is a security header test?
It checks the HTTP response headers that tell browsers how to handle loading, embedding, MIME sniffing, referrers, HTTPS, and features.
Can I test a specific path?
Focused tools can accept a URL. The legacy scan result route is domain-oriented, so use the dedicated checker when path-specific behavior matters.
Why does my test differ from another tool?
Tools may follow redirects differently, use HEAD instead of GET, or report the first response instead of the final browser-facing response.
How often should I run the test?
Run it after deployments, CDN changes, hosting changes, and whenever you update security middleware.