Security Headers Analysis
Analyze your website's HTTP security headers and get actionable recommendations to improve your security posture. MerySpeak checks for essential headers and provides a security grade to help you protect against common web attacks.
What are Security Headers?
HTTP security headers are special response headers sent by your web server that instruct browsers how to behave when handling your website's content. They provide an additional layer of security by enabling browser-side protections against common web vulnerabilities.
Without proper security headers, your website may be vulnerable to:
- Clickjacking attacks: Your site embedded in malicious iframes
- Cross-site scripting (XSS): Malicious scripts injected into pages
- Man-in-the-middle attacks: Connections downgraded from HTTPS to HTTP
- MIME-type confusion: Browsers misinterpreting file types
- Information leakage: Referrer data sent to third parties
MerySpeak analyzes your website's security headers, calculates a security score, and provides recommendations for improvement.
Headers We Check
MerySpeak analyzes these seven essential security headers:
1. Strict-Transport-Security (HSTS)
Forces browsers to only use HTTPS connections. Prevents SSL stripping attacks and ensures encrypted communication. Example: max-age=31536000; includeSubDomains
2. Content-Security-Policy (CSP)
Controls which resources can be loaded on your page. Prevents XSS attacks by whitelisting trusted content sources. Example: default-src 'self'; script-src 'self'
3. X-Frame-Options
Prevents clickjacking by controlling whether your site can be embedded in frames. Values: DENY, SAMEORIGIN, or ALLOW-FROM uri (ALLOW-FROM is obsolete and ignored by current browsers; the CSP frame-ancestors directive covers that case)
4. X-Content-Type-Options
Prevents MIME-type sniffing attacks by forcing browsers to respect declared content types. Should be set to: nosniff
5. X-XSS-Protection
Enables the browser's built-in XSS filter (legacy: current Chromium-based browsers and Firefox no longer implement the filter, so CSP is the effective defense). Recommended value: 1; mode=block
6. Referrer-Policy
Controls how much referrer information is sent when navigating away from your site. Recommended: strict-origin-when-cross-origin
7. Permissions-Policy
Controls which browser features (camera, microphone, geolocation) can be used. Example: geolocation=(), camera=(), microphone=()
Security Grades
MerySpeak calculates a security score based on which headers are present:
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100% | Excellent - Most security headers implemented |
| B | 80-89% | Good - Key headers present, minor improvements possible |
| C | 70-79% | Acceptable - Some headers missing, should improve |
| D | 60-69% | Poor - Many headers missing, significant gaps |
| F | Below 60% | Critical - Minimal security headers, urgent action needed |
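As an added illustration (not MerySpeak's code), a Python checker that applies the seven header checks above to a raw HTTP response and maps the share of passing checks onto the grade table. The per-header acceptance rules and the equal weighting are assumptions made here, since the page does not publish its scoring formula.

```python
import re

def hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 31536000   # at least one year, an assumed threshold

# The seven headers the page lists, each with an acceptance test on its value. The
# thresholds here are this example's assumptions, not MerySpeak's published rules.
CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "referrer-policy": lambda v: v.strip().lower() in (
        "strict-origin-when-cross-origin", "strict-origin", "no-referrer", "same-origin"),
    "permissions-policy": lambda v: "=" in v,
}

def parse_headers(raw_response):
    """Header block of a raw HTTP response -> lowercase-keyed dict (status line skipped)."""
    headers = {}
    for line in raw_response.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def grade(headers):
    """Equal-weight score over the seven checks (an assumption); letter bands from the page's table."""
    findings = []
    for name, ok in CHECKS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif not ok(value):
            findings.append(f"weak value: {name}: {value}")
    score = round(100 * (len(CHECKS) - len(findings)) / len(CHECKS))
    bands = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))
    letter = next((g for floor, g in bands if score >= floor), "F")
    return score, letter, findings

# Constructed response (not captured from a real server): exactly the four headers the
# page's Apache/Nginx snippets set, so CSP, X-XSS-Protection and Permissions-Policy are absent.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n<html></html>"
)
```

With only the four headers from the server snippets set, the sample scores 57% (grade F), which is why the CSP and Permissions-Policy headers matter for the grade; a CI job can call grade() on a deployment's response and fail the build when the letter drops.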
Use Cases
Before security audits or penetration tests, use header analysis to identify and fix obvious gaps. Proper security headers demonstrate security awareness to auditors and compliance teams.
Many compliance frameworks (PCI-DSS, SOC 2, HIPAA) require reasonable security measures. Proper security headers are an expected baseline that auditors check during assessments.
Development teams can use header analysis in their CI/CD pipeline to ensure new deployments don't accidentally remove security headers. Catch configuration issues before they reach production.
Agencies can quickly assess client website security posture. Provide recommendations with clear grades that non-technical stakeholders can understand.
Implementing Security Headers
Security headers are typically configured at the web server level. Here's how to add them in common environments:
Apache (.htaccess)
```apache
# Requires mod_headers; "always" also applies the headers to error responses
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```
Nginx
```nginx
# "always" sends the headers on every status code; note that a location block
# with its own add_header does not inherit these from the enclosing server block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```
Check Your Security Headers
Get a security grade for your website and actionable recommendations to improve your security posture.
Frequently Asked Questions
What are HTTP security headers?
HTTP security headers are instructions sent by your web server that tell browsers how to behave when handling your site's content. They protect against attacks like cross-site scripting (XSS), clickjacking, and man-in-the-middle attacks. Common security headers include Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options.
Why are security headers important?
Security headers add an extra layer of protection against common web attacks. They prevent clickjacking by controlling frame embedding, stop XSS attacks with Content Security Policy, force HTTPS connections with HSTS, and prevent MIME-type sniffing attacks. Without these headers, your site is more vulnerable to exploitation.
What is a good security headers score?
A good security headers score is A or B grade (80-100%). This typically means implementing at least HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. Grade C (70-79%) is acceptable but has room for improvement. Grades D and F indicate significant security gaps that should be addressed.
What is Content-Security-Policy (CSP)?
Content-Security-Policy (CSP) is a security header that controls which resources (scripts, styles, images, etc.) can be loaded on your page. It prevents XSS attacks by specifying trusted sources for content. A well-configured CSP is one of the most effective defenses against script injection attacks.
What is HSTS (Strict-Transport-Security)?
HSTS (HTTP Strict Transport Security) tells browsers to only connect to your site over HTTPS, even if the user types HTTP. This prevents SSL stripping attacks and ensures all connections are encrypted. Once a browser sees the HSTS header, it will automatically use HTTPS for future visits.
How do I add security headers to my website?
Security headers are typically added in your web server configuration (Apache .htaccess, Nginx config), your application framework, or your CDN/hosting provider's settings. Many hosting platforms like Cloudflare, Netlify, and Vercel also provide easy options to add security headers through their dashboard.
Will security headers break my website?
Most security headers can be implemented safely without breaking functionality. However, Content-Security-Policy requires careful configuration as it can block legitimate resources if too restrictive. Start with a report-only CSP to identify issues before enforcing. Other headers like X-Frame-Options and HSTS are generally safe to implement immediately.
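An added example (not from the page or MerySpeak) of the report-only workflow just described: browsers POST violation reports for a Content-Security-Policy-Report-Only header to the policy's report-uri endpoint, and this triages a constructed batch of such reports to separate recurring, legitimate sources from one-offs before the policy is enforced. The hosts are made up; the report fields are the standard ones browsers send.

```python
from collections import Counter
from urllib.parse import urlsplit

def source_of(blocked_uri):
    """Reduce a blocked-uri to the CSP source expression that would allow it."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return f"'{blocked_uri}'"      # browsers report inline/eval blocks as keywords, not URLs

def triage(reports, min_count=2):
    """Count violations per (directive, source); split recurring ones from one-offs."""
    counts = Counter()
    for rep in reports:
        r = rep["csp-report"]
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        counts[(directive, source_of(r.get("blocked-uri", "")))] += 1
    recurring = {k: n for k, n in counts.items() if n >= min_count}
    one_offs = {k: n for k, n in counts.items() if n < min_count}
    return recurring, one_offs

def suggest(recurring):
    """Per directive, the host sources to add; keyword sources are flagged for review,
    since fixing them means a nonce/hash or a code change, not 'unsafe-inline'."""
    out = {}
    for directive, src in sorted(recurring):
        out.setdefault(directive, ["'self'"]).append(src if not src.startswith("'") else f"REVIEW {src}")
    return {d: " ".join(srcs) for d, srcs in out.items()}

# Constructed reports in the JSON shape browsers POST to report-uri (no real site observed).
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src",
                    "blocked-uri": "https://cdn.example/app.js"}},
    {"csp-report": {"document-uri": "https://shop.example/cart", "effective-directive": "script-src",
                    "blocked-uri": "https://cdn.example/cart.js"}},
    {"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src",
                    "blocked-uri": "https://cdn.example/app.js"}},
    {"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src",
                    "blocked-uri": "inline"}},
    {"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "img-src",
                    "blocked-uri": "https://tracker.example/pixel.gif"}},
]
```

On the sample, the CDN recurs three times and becomes a script-src candidate, while the single inline script and the stray image are left for a human to decide on before the policy moves from report-only to enforced.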