Skip to main content

Security headers checker

Audit CSP, HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy across your whole site.

Want to see the output first? See a sample report.

HTTP security headers are the cheapest defense you have. A few response headers tell the browser to enforce HTTPS, block clickjacking, stop MIME sniffing, and lock down what scripts can run. Most sites set some of them on the homepage and forget the rest of the site.

squirrelscan checks the security headers on every page it crawls, so a misconfigured subdomain or an app route that skips your header middleware doesn't slip through. You get exactly which headers are missing or weak, and what to set them to.

Headers we audit

Content-Security-Policy (CSP)

The header that controls which scripts, styles, and resources can load. We flag a missing CSP and unsafe directives like unrestricted inline scripts.

Strict-Transport-Security (HSTS)

Forces browsers to use HTTPS. We check that it's present, has a sensible max-age, and doesn't leave the door open on a first plain-HTTP request.

X-Content-Type-Options and X-Frame-Options

Stops MIME-type sniffing and clickjacking. We flag pages that omit nosniff or a frame-ancestors policy.

Referrer-Policy and more

Controls how much URL data leaks to other sites, plus Permissions-Policy and cookie flags where they matter.

Why site-wide beats a single page

A single-page header scanner tells you what your homepage sends. But headers are usually applied by middleware or a CDN rule, and the gaps show up on the routes that bypass it: an old marketing page, a different subdomain, an API endpoint serving HTML. Those are exactly the pages an attacker probes.

squirrelscan checks headers across the pages it crawls and reports the ones that are missing or weak, page by page. You fix the config once and confirm it actually reaches everything.

Keep going

Frequently asked questions

Which security headers matter most?
Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options cover the most common attacks. squirrelscan checks these plus Referrer-Policy and related settings.
Does it check every page or just the homepage?
A cloud audit checks headers across the pages it crawls, so routes that bypass your header middleware or CDN rules get caught too.
Is it free?
The squirrel CLI checks headers locally for free. Cloud audits with hosted crawling use pay-as-you-go credits, and every account starts with a free monthly credit allowance.

Run a full audit

This check is one of 249+ rules squirrel runs across your site. Sign up to run a full cloud audit, or install the CLI and audit locally for free.

Audit your site in one command

SEO, performance, security, accessibility and agent experience issues, with exact fixes for your coding agent.

Install
$

No account needed for the CLI. Cloud audits include free monthly credits.