example.com returns 0 HTTP headers with a security score of 0/100. Missing security headers: strict-transport-security, content-security-policy, x-frame-options, x-content-type-options, referrer-policy, permissions-policy.
Security headers are HTTP response headers that tell browsers how to handle your site's content securely. They defend against XSS (Cross-Site Scripting), clickjacking, MIME sniffing, and protocol downgrade attacks. Key headers include Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.
Add them in your web server configuration. In Nginx: use `add_header` directives. In Apache: use `mod_headers`. On Cloudflare: use Transform Rules. In Next.js: configure in next.config.js under `headers()`. Most headers require no application code changes — just server config.
X-Powered-By reveals your server technology (PHP/7.4, Express, ASP.NET). This information helps attackers find known vulnerabilities for your stack. Remove it: in Express.js with `app.disable("x-powered-by")`, in PHP by setting `expose_php = Off` in php.ini, in Apache with `Header unset X-Powered-By`.
A score of 100 means all six critical security headers are present: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. This is an excellent baseline, though the actual values of each header also matter — a weak CSP policy scores the same as a strong one.
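The checks described above, as an added example that is not the scanner's own code: it parses a raw HTTP response, counts the six critical headers case-insensitively, flags the X-Powered-By leak, and then goes one step past the report's scoring by warning on weak values (CSP with `'unsafe-inline'` or `'unsafe-eval'`, HSTS `max-age` under one year, an X-Frame-Options value other than DENY or SAMEORIGIN). The linear score (one sixth of 100 per header) is an assumption that fits the two data points on the page; the `Server` header and all three sample responses are constructed here, not captured from example.com.

```python
"""Score an HTTP response for the six security headers the report checks.

Added example, not the scanner's code. The score is assumed linear in the
number of headers present (0/6 -> 0, 6/6 -> 100); the value warnings go
beyond the page's scoring, which counts presence only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The six headers the report treats as critical, in the order it lists them.
CRITICAL_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Headers that reveal server technology. X-Powered-By is named on the page;
# Server is a common companion leak added here as an assumption.
FINGERPRINT_HEADERS = ("x-powered-by", "server")

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


@dataclass
class Report:
    score: int
    present: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)
    leaks: dict[str, str] = field(default_factory=dict)
    warnings: list[str] = field(default_factory=list)


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header section of a raw HTTP response into a lowercase-keyed dict.

    Header names are case-insensitive, so 'X-Frame-Options' and 'x-frame-options'
    must count as the same header. Duplicate names are joined with ', '.
    """
    headers: dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section; body follows
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignore it
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def score_headers(headers: dict[str, str]) -> Report:
    """Compute the presence score, list leaks, and warn on weak header values."""
    present = [h for h in CRITICAL_HEADERS if h in headers]
    missing = [h for h in CRITICAL_HEADERS if h not in headers]
    score = round(100 * len(present) / len(CRITICAL_HEADERS))  # assumed linear
    report = Report(score=score, present=present, missing=missing)

    for h in FINGERPRINT_HEADERS:
        if h in headers:
            report.leaks[h] = headers[h]

    # Presence is not enough: these weak settings still score full marks on the page.
    csp = headers.get("content-security-policy", "")
    if csp and ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        report.warnings.append("CSP allows 'unsafe-inline' or 'unsafe-eval'")

    hsts = headers.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for directive in hsts.split(";"):
            k, _, v = directive.strip().partition("=")
            if k.lower() == "max-age" and v.strip().isdigit():
                max_age = int(v.strip())
        if max_age < ONE_YEAR:
            report.warnings.append("HSTS max-age below one year")

    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        report.warnings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    return report


# Constructed sample responses (not captured from example.com).
BARE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: PHP/7.4\r\n\r\n<html>"
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n\r\n"
)
WEAK_RESPONSE = (  # all six present, so it scores 100, yet every value is weak
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=300\r\n"
    "content-security-policy: default-src * 'unsafe-inline'\r\n"
    "x-frame-options: ALLOW-FROM https://partner.example\r\n"
    "x-content-type-options: nosniff\r\nreferrer-policy: unsafe-url\r\n"
    "permissions-policy: camera=*\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        r = score_headers(parse_headers(raw))
        print(f"{label}: {r.score}/100 missing={r.missing} leaks={r.leaks} warnings={r.warnings}")
```

Run it as a script to see all three reports; the `weak` case is the point of the caveat in the paragraph above, scoring 100 while every value would fail a review.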