Security headers checker
Audit CSP, HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy across your whole site.
Want to see the output first? See a sample report.
HTTP security headers are the cheapest defense you have. A few response headers tell the browser to enforce HTTPS, block clickjacking, stop MIME sniffing, and lock down what scripts can run. Most sites set some of them on the homepage and forget the rest of the site.
squirrelscan checks the security headers on every page it crawls, so a misconfigured subdomain or an app route that skips your header middleware doesn't slip through. You get exactly which headers are missing or weak, and what to set them to.
Headers we audit
Content-Security-Policy (CSP)
The header that controls which scripts, styles, and resources can load. We flag a missing CSP and unsafe directives like unrestricted inline scripts.
Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS. We check that it's present, has a sensible max-age, and doesn't leave the door open on a first plain-HTTP request.
X-Content-Type-Options and X-Frame-Options
Stops MIME-type sniffing and clickjacking. We flag pages that omit nosniff or a frame-ancestors policy.
Referrer-Policy and more
Controls how much URL data leaks to other sites, plus Permissions-Policy and cookie flags where they matter.
Why site-wide beats a single page
A single-page header scanner tells you what your homepage sends. But headers are usually applied by middleware or a CDN rule, and the gaps show up on the routes that bypass it: an old marketing page, a different subdomain, an API endpoint serving HTML. Those are exactly the pages an attacker probes.
squirrelscan checks headers across the pages it crawls and reports the ones that are missing or weak, page by page. You fix the config once and confirm it actually reaches everything.
Keep going
Turn header findings into fixes with your coding agent.
See a sample reportA real audit, including the security section.
MDN: HTTP headersThe reference for every header we check.
Frequently asked questions
- Which security headers matter most?
- Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options cover the most common attacks. squirrelscan checks these plus Referrer-Policy and related settings.
- Does it check every page or just the homepage?
- A cloud audit checks headers across the pages it crawls, so routes that bypass your header middleware or CDN rules get caught too.
- Is it free?
- The squirrel CLI checks headers locally for free. Cloud audits with hosted crawling use pay-as-you-go credits, and every account starts with a free monthly credit allowance.
Run a full audit
This check is one of 249+ rules squirrel runs across your site. Sign up to run a full cloud audit, or install the CLI and audit locally for free.