Website Security Headers: A Complete Guide (With Free Scanner)

2026-06-05 · PingSage Team


Security headers tell browsers how to protect your users. If they're missing, your site is vulnerable to clickjacking, XSS, MIME-type sniffing, and more.

The worst part? Most websites don't have them. And the ones that do often have them configured wrong.

The 5 Critical Security Headers

1. HSTS (HTTP Strict Transport Security)

Forces browsers to always use HTTPS.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Missing? An attacker on the network path can keep users on plaintext HTTP (for example by stripping the redirect to HTTPS) and read or alter their traffic. Note that HSTS only takes effect after the browser has seen the header over HTTPS once; the very first visit is unprotected unless the domain is on the browser preload list.

2. CSP (Content Security Policy)

Controls what resources can load on your page.

Content-Security-Policy: default-src 'self'

Weak? A policy that allows 'unsafe-inline' or wildcard script sources does little to stop an injected script from running, so an XSS bug becomes fully exploitable.

3. X-Frame-Options (XFO)

Prevents clickjacking by blocking your site from being loaded in iframes. The CSP frame-ancestors directive is the modern replacement; sending both covers older browsers.

X-Frame-Options: DENY

Missing? An attacker's page can embed yours in an invisible frame and trick users into clicking buttons they cannot see.

4. X-Content-Type-Options

Stops MIME-type sniffing (where browsers guess file types).

X-Content-Type-Options: nosniff

Missing? Browsers may treat a file as a different type than the one you declared, so a user-uploaded "text" or "image" file can be interpreted as HTML or script and executed in your origin.

5. Referrer-Policy (RP)

Controls what referrer info is sent with requests.

Referrer-Policy: strict-origin-when-cross-origin

Bad config? User privacy can leak through referrer headers.

Check Your Site For Free

PingSage's security header scanner checks all 5 headers and gives you:

No signup needed to scan — just add your site to PingSage.

What a Good Grade Looks Like

| Grade | Meaning |
|-------|---------|
| A | All 5 headers present and well-configured |
| B | Most headers present, minor issues |
| C | Some headers missing |
| D | Most headers missing |
| F | No security headers at all |

Most sites start at D or F and can reach A or B with 30 minutes of work.
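The five checks above and the grading table, worked through as a small checker. This is an added example and not PingSage's scanner: the weakness rules (HSTS max-age below a year, CSP allowing 'unsafe-inline' without a nonce or hash, leaky Referrer-Policy values, and so on) and the grade thresholds (A for five well-configured headers, B for at least four present, C for two or three, D for one, F for none) are this example's own reading of the table, and `fetch_headers` plus the two sample header sets are constructed for illustration.

```python
"""Security header checker (added example, not PingSage's scanner)."""
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.request import Request, urlopen

Result = Tuple[str, str]  # ("ok" | "weak" | "missing", explanation)

HSTS_MIN_MAX_AGE = 31536000  # one year; threshold is this example's assumption
LEAKY_REFERRER = ("unsafe-url", "no-referrer-when-downgrade")  # send full URL cross-origin


def check_hsts(value: Optional[str]) -> Result:
    if value is None:
        return "missing", "HSTS absent: users can be kept on plaintext HTTP"
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "weak", "HSTS has no max-age directive"
    if int(m.group(1)) < HSTS_MIN_MAX_AGE:
        return "weak", f"HSTS max-age={m.group(1)} is below one year"
    if "includesubdomains" not in value.lower():
        return "weak", "HSTS does not cover subdomains"
    return "ok", "HSTS enforced for a year including subdomains"


def check_csp(value: Optional[str]) -> Result:
    if value is None:
        return "missing", "CSP absent: injected scripts run unrestricted"
    directives: Dict[str, list] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is the fallback when it is absent
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return "weak", "CSP has neither script-src nor default-src"
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    for src in sources:
        if src in ("*", "'unsafe-eval'", "data:", "http:", "https:") or (
            src == "'unsafe-inline'" and not has_nonce_or_hash
        ):
            return "weak", f"script sources allow {src}"
    return "ok", "CSP restricts where scripts may load from"


def check_xfo(value: Optional[str]) -> Result:
    if value is None:
        return "missing", "X-Frame-Options absent: page can be framed by any site"
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok", "framing restricted"
    return "weak", f"unsupported X-Frame-Options value {value!r}"


def check_xcto(value: Optional[str]) -> Result:
    if value is None:
        return "missing", "X-Content-Type-Options absent: browsers may sniff types"
    if value.strip().lower() == "nosniff":
        return "ok", "MIME sniffing disabled"
    return "weak", f"unexpected X-Content-Type-Options value {value!r}"


def check_referrer_policy(value: Optional[str]) -> Result:
    if value is None:
        return "missing", "Referrer-Policy absent: browser default applies"
    policies = [p.strip().lower() for p in value.split(",") if p.strip()]
    if not policies:
        return "weak", "Referrer-Policy is empty"
    if policies[-1] in LEAKY_REFERRER:  # browsers honour the last recognised token
        return "weak", f"{policies[-1]} sends the full URL to other origins"
    return "ok", "referrer limited on cross-origin requests"


CHECKS: Dict[str, Callable[[Optional[str]], Result]] = {
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "X-Frame-Options": check_xfo,
    "X-Content-Type-Options": check_xcto,
    "Referrer-Policy": check_referrer_policy,
}


def audit(headers: Dict[str, str]) -> Dict[str, Result]:
    """Run every check against a header map (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: fn(lower.get(name.lower())) for name, fn in CHECKS.items()}


def grade(results: Dict[str, Result]) -> str:
    """Map check results to the A-F scale; thresholds are this example's assumption."""
    present = sum(1 for status, _ in results.values() if status != "missing")
    good = sum(1 for status, _ in results.values() if status == "ok")
    if good == len(CHECKS):
        return "A"
    if present >= 4:
        return "B"
    if present >= 2:
        return "C"
    return "D" if present == 1 else "F"


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live response headers (network call; not used by the offline samples)."""
    req = Request(url, headers={"User-Agent": "header-check-example/0.1"})
    with urlopen(req, timeout=10) as resp:
        return dict(resp.getheaders())


# Constructed sample responses: one set matching the values in the article, one weak set
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        results = audit(sample)
        print(f"{label}: grade {grade(results)}")
        for name, (status, why) in results.items():
            print(f"  {status:8} {name}: {why}")
```

Running the module prints grade A for the first sample and C for the second (two of five headers missing, two more present but weak). Point `fetch_headers` at a site you operate to audit a live response; redirects are followed, so the headers inspected are those of the final HTTPS response.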

How PingSage Compares

| Feature | securityheaders.com | PingSage |
|---------|-------------------|----------|
| Price | Free | Free |
| Daily scans | ❌ | ✅ |
| History tracking | ❌ | ✅ |
| Uptime monitoring | ❌ | ✅ |
| SSL checks | ❌ | ✅ |
| Broken links | ❌ | ✅ |
| Alerts | ❌ | ✅ (Slack, Discord, email) |

securityheaders.com is a great one-time scanner. PingSage is a continuous monitor that tracks changes over time.

Fix Your Headers Today

1. Create a PingSage account (free, 30 seconds)

2. Add your site

3. Go to the Security tab

4. See your grade

5. Fix missing headers in your web server config

6. Click "Re-check" to verify

Your future self — and your users — will thank you.

---

PingSage does daily security header scans and alerts on degradation. 🍃
