
Security Headers Check

Enter your site's URL to grade its HTTP security headers (CSP, HSTS, X-Frame-Options, …), with fixes for what's missing and a copy-paste hardened set.

ITD's server fetches the target URL once and evaluates only the response headers (the body isn't stored). Access to internal / private addresses is blocked.
Example result for ITD's own site (https://itdef.net/ja): overall grade B, 86 / 100.
  • Content-Security-Policy: Weak
    Current value: default-src 'self'; img-src 'self' data: blob: https://www.googletagmanager.com https://www.google-analytics.com https://*.google-analytics.com https://*.analyt…
    Key layer that cuts XSS impact; avoid unsafe-inline. Suggested fix: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
  • Strict-Transport-Security (HSTS): OK
    Current value: max-age=63072000; includeSubDomains; preload
  • X-Frame-Options: OK
    Current value: DENY
  • X-Content-Type-Options: OK
    Current value: nosniff
  • Referrer-Policy: OK
    Current value: strict-origin-when-cross-origin
  • Permissions-Policy: OK
    Current value: camera=(), microphone=(), geolocation=(), browsing-topics=()
  • Cross-Origin-Opener-Policy: OK
    Current value: same-origin-allow-popups
  • Info disclosure (Server / X-Powered-By): OK

AI remediation prompt (copy-paste)

Paste into Claude / ChatGPT to get concrete fixes for your stack.

You are a web security expert. My site (https://itdef.net/ja) is missing some HTTP security headers. For defensive purposes only, tell me how to set the following safely on my server/framework (nginx / Caddy / Apache / Next.js, etc.) with concrete code examples. If you don't know which server I use, ask. Also tell me how to verify the headers are applied correctly afterward.

- Content-Security-Policy (weak) → default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'

Note: keep existing behavior working (analytics, ads) — make the config backward-compatible. No attack techniques or bypasses needed.

Recommended headers (copy-paste starting point)

Start by returning these from your server (nginx / Caddy / app).

Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

How to use

  1. Enter the URL of a site you control.
  2. The major security headers are graded for presence and strength.
  3. Harden the “missing” / “weak” items using the shown fix and recommended set.
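How a presence-and-strength grading like the one in step 2 can be done, as an added example that is not ITD's code: a Python grader over the headers the tool checks, run on a constructed header set built from the recommended set above. The point weights, the "weak" rules for CSP and HSTS, and the version-string test for Server / X-Powered-By are this example's own assumptions, not ITD's scoring.

```python
# Added example: offline grader for the headers this page checks. The weights and
# the "weak" rules below are this example's own assumptions, not ITD's scoring.
import re

WEIGHTS = {"content-security-policy": 30, "strict-transport-security": 20,
           "x-frame-options": 10, "x-content-type-options": 10, "referrer-policy": 10,
           "permissions-policy": 10, "cross-origin-opener-policy": 5}
LEAKY = ("server", "x-powered-by")  # worth 5 points when neither carries a version

def csp_weak(value):
    # Weak if scripts may run inline or from any origin (the page's "avoid unsafe-inline"),
    # or if a fence directive of the recommended policy is absent.
    d = {p.split()[0]: p.split()[1:] for p in value.split(";") if p.strip()}
    scripts = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in scripts or "*" in scripts:
        return "weak: script sources allow inline or any origin"
    missing = [k for k in ("object-src", "base-uri", "frame-ancestors") if k not in d]
    return "weak: missing " + ", ".join(missing) if missing else None

def hsts_weak(value):
    # Weak below the one-year max-age of the recommended set or without includeSubDomains.
    m = re.search(r"max-age=(\d+)", value)
    if not m or int(m.group(1)) < 31536000:
        return "weak: max-age below one year"
    return None if "includesubdomains" in value.lower() else "weak: missing includeSubDomains"

def grade(headers):  # dict of response headers -> (letter, score, findings)
    h = {k.lower(): v for k, v in headers.items()}
    checks = {"content-security-policy": csp_weak, "strict-transport-security": hsts_weak}
    score, findings = 0, []
    for name, pts in WEIGHTS.items():
        reason = "missing" if name not in h else checks.get(name, lambda v: None)(h[name])
        if reason:
            findings.append((name, reason))
        score += pts if not reason else pts // 2 if reason != "missing" else 0  # full/half/none
    leaks = [n for n in LEAKY if re.search(r"\d", h.get(n, ""))]  # e.g. "nginx/1.2"
    if leaks:
        findings.append(("info disclosure", ", ".join(leaks)))
    score += 0 if leaks else 5
    letter = "A" if score >= 90 else "B" if score >= 80 else "C" if score >= 60 else "F"
    return letter, score, findings

HARDENED = {  # constructed sample: the page's recommended set plus a COOP and a Server value
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Server": "nginx"}
INLINE = dict(HARDENED, **{"Content-Security-Policy": "default-src 'self' 'unsafe-inline'"})
```

`grade(HARDENED)` returns a clean A, while `grade(INLINE)` drops to a B with a single weak CSP finding, which is the shape of the result the tool shows for its own site.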

Why it matters

Security headers are a cheap, effective layer of defense. CSP limits XSS impact, HSTS pins traffic to HTTPS, X-Frame-Options blocks clickjacking — each is a few lines of server config. Start strict and loosen only as needed.

FAQ

Q: Is it OK to check someone else's site?

A: The tool fetches the URL once and reads response headers — no active scanning or attack (same scope as opening it in a browser). It's intended for checking your own site.

Q: Is anything less than an A dangerous?

A: No. Some headers don't apply to every site. The important ones are CSP, HSTS, X-Frame-Options and X-Content-Type-Options; with those in place you're in good shape.

