
How to Audit Your Security Headers in 5 Minutes

Published 2026-03-29 · Last modified 2026-03-29

You have read about security headers and know you should configure them, but how do you check what your site is actually sending right now? This guide gives you a fast, repeatable process to audit every security header on any site using free tools, the command line, and browser DevTools.

This is the practical companion to our complete security headers guide. If you want to understand what each header does, start there. If you want to check your site right now, keep reading.

Step 1: Instant Scan with GF.dev

The fastest way to get a comprehensive view of your security headers is to use our free security headers audit tool. Enter your URL and within seconds you will see:

This gives you an immediate action list to work from.

Step 2: Command-Line Verification with curl

For a raw view of exactly what headers the server returns, use curl:

curl -sI https://example.com

The -s flag suppresses progress output, and -I fetches only headers by sending a HEAD request. Keep in mind that some servers set certain headers only on GET responses, so if a header you expect is absent here, confirm it in the browser as described in Step 3. To filter for security-relevant headers:

curl -sI https://example.com | grep -iE '(strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy|set-cookie)'

Pay attention to capitalization and exact values. A header that is present but misconfigured is sometimes worse than no header at all (for example, a CSP with 'unsafe-inline' 'unsafe-eval' in script-src gives a false sense of security).

Step 3: Check What the Browser Actually Receives

CDNs, reverse proxies, and load balancers can modify headers between your origin server and the user. Always verify from the browser's perspective:

  1. Open your site in Chrome or Firefox.
  2. Open DevTools (F12 or Cmd+Option+I).
  3. Go to the Network tab.
  4. Reload the page.
  5. Click the first document request.
  6. Examine the Response Headers section.

Compare what you see here with what curl shows directly from your origin. If they differ, your CDN or proxy is stripping or overwriting headers.

Step 4: The Security Headers Checklist

Go through each of these headers and confirm it is present with the correct value:

Header                     | Expected Value                                 | Tool
---------------------------|------------------------------------------------|---------------------
Strict-Transport-Security  | max-age=63072000; includeSubDomains; preload   | Test HSTS
Content-Security-Policy    | Restrictive policy without 'unsafe-inline'     | Test CSP
X-Frame-Options            | DENY or SAMEORIGIN                             | Test X-Frame-Options
X-Content-Type-Options     | nosniff                                        | Test MIME Sniffing
X-XSS-Protection           | 0                                              | Test XSS Protection
Referrer-Policy            | strict-origin-when-cross-origin                | Full audit
Permissions-Policy         | Disable unused features                        | Full audit

For details on any of these, see the individual articles: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, XSS Protection.

Step 5: Check Cookie Security

While you are in DevTools, go to the Application tab (Chrome) or Storage tab (Firefox) and inspect your cookies. For each session or authentication cookie, verify:

Read more about cookie security in our dedicated article: Cookie Security: Secure, HttpOnly, SameSite Explained. You can also use our cookie security test for an automated check.

Step 6: Automate It

Manual audits are good for one-time checks, but headers can regress when configurations change. Add an automated check to your CI/CD pipeline:

#!/bin/bash
set -u
URL="https://staging.example.com"
# -s silences progress output, -I requests headers only (HEAD).
HEADERS=$(curl -sI "$URL")
FAILED=0

check_header() {
    # Anchor the match to the start of a line so that, for example,
    # Content-Security-Policy does not match a Content-Security-Policy-Report-Only
    # header, which only reports violations and enforces nothing.
    if echo "$HEADERS" | grep -qiE "^$1:"; then
        echo "PASS: $1"
    else
        echo "FAIL: $1 missing"
        FAILED=1
    fi
}

check_header "Strict-Transport-Security"
check_header "Content-Security-Policy"
check_header "X-Frame-Options"
check_header "X-Content-Type-Options"
check_header "Referrer-Policy"

# Report every missing header before failing, so one run shows the full picture.
if [ "$FAILED" -ne 0 ]; then
    exit 1
fi
echo "All security headers present."

Run this script as a post-deployment check. If any header is missing, the script exits with a failure code, which can block the deployment or trigger an alert.
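Presence alone is not enough, as Step 2 warned. As an added example (not GF.dev's own tooling and not the script above), the following Python check audits the header values from the Step 4 checklist and the cookie attributes from Step 5 against raw curl -sI output; the sample response at the bottom is constructed and deliberately fails three checks.

```python
import re
HSTS_MIN_AGE = 63072000   # two years, the max-age from the checklist above
ALLOWED = {"x-frame-options": {"deny", "sameorigin"}, "x-content-type-options": {"nosniff"},
           "x-xss-protection": {"0"}, "referrer-policy": {"strict-origin-when-cross-origin"}}

def audit(raw):
    """Audit raw `curl -sI` output; returns failure messages (empty list = checklist passed)."""
    h, cookies, fails = {}, [], []
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            h.setdefault(name, value)
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE or "includesubdomains" not in hsts.lower():
        fails.append("HSTS missing, max-age below %d, or no includeSubDomains" % HSTS_MIN_AGE)
    csp = h.get("content-security-policy")   # a -Report-Only policy only reports, so it does not count
    if csp is None:
        fails.append("CSP missing (Report-Only does not count)")
    else:   # inspect script-src; with no script-src, default-src governs scripts, so scan the whole policy
        script = next((d for d in csp.split(";") if d.strip().startswith("script-src")), csp)
        if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
            fails.append("CSP script-src allows 'unsafe-inline' or 'unsafe-eval'")
    for name, ok in ALLOWED.items():
        if h.get(name, "").lower() not in ok:
            fails.append("%s missing or not one of %s" % (name, sorted(ok)))
    if "permissions-policy" not in h:
        fails.append("permissions-policy missing")
    for c in cookies:   # each Set-Cookie needs Secure, HttpOnly and SameSite (Step 5)
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        missing = {"secure", "httponly", "samesite"} - attrs
        if missing:
            fails.append("cookie %s lacks %s" % (c.split("=")[0], ", ".join(sorted(missing))))
    return fails

# Constructed sample response: looks healthy at a glance, but three checks fail.
SAMPLE = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=()
set-cookie: session=abc123; Path=/; Secure; HttpOnly"""
```

Feed it the output of the curl command from Step 2 (for example, audit(subprocess.check_output(["curl", "-sI", url], text=True))) and fail the pipeline when the returned list is non-empty.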

That is the complete audit workflow. Start with the automated scan, verify with curl and DevTools, and automate ongoing checks. For the full explanation of every header, see our security headers guide.
