Domain Doctorby VASTROX

Free security headers checker · Instant · No signup

Security Headers Checker

Grade your site’s HTTP security headers. Domain Doctor checks HSTS, CSP, X-Content-Type-Options, X-Frame-Options and more, with fixes for each gap.

Try , or your own domain.

What this checks

HTTP security headers are the browser-side defences that stop clickjacking, MIME sniffing, protocol downgrade and cross-site scripting. They cost nothing to add and dramatically raise the bar for attackers.

Domain Doctor inspects your live response headers for HSTS (with includeSubDomains/preload), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options / frame-ancestors, Referrer-Policy and Permissions-Policy, then grades your configuration and shows the exact header to add for each gap.

Common Security Headers Checker errors

  • Missing Strict-Transport-Security (HSTS)
  • No Content-Security-Policy, leaving XSS unmitigated
  • Missing X-Content-Type-Options: nosniff
  • No clickjacking protection (X-Frame-Options / frame-ancestors)
  • Missing Referrer-Policy or Permissions-Policy

VASTROX MANAGED HOSTING

A-grade security headers, configured for you

VASTROX managed hosting ships HSTS, CSP and the full header set tuned to your site — no misconfiguration risk.

  • HSTS, CSP and clickjacking protection
  • Headers tuned to your assets (no breakage)
  • Continuously monitored

Trusted by businesses for hosting, VPS, business email & game servers · Free migration · Real support

Frequently asked questions

Which security headers matter most?

HSTS, Content-Security-Policy, X-Content-Type-Options and a clickjacking protection (X-Frame-Options or CSP frame-ancestors) are the highest-impact. Referrer-Policy and Permissions-Policy round it out.

Will adding headers break my site?

HSTS and nosniff are safe. Content-Security-Policy needs care — start in report-only mode, then enforce once you have tuned it to your assets.