Skip to content

Free security headers checker

Missing security headers leave your app open to cross-site scripting, clickjacking, and downgrade attacks. AI-generated apps almost never set them, because no one tells the model to.

No signup for a shallow scan · we never store your source code

Free · no signup · we never store your source code

  • We prove vulnerabilities by reproducing them — not guesses
  • Tamper-evident record of what your AI agents do
  • We never store your source code

What the agent checks

  • Content-Security-Policy (CSP)
  • Strict-Transport-Security (HSTS)
  • X-Frame-Options / clickjacking protection
  • X-Content-Type-Options and cookie flags

Ask the agent — FAQ

What security headers should my app have?

At minimum: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options, plus Secure + HttpOnly + SameSite cookies. Opviva's free scan reports which are missing.

How do I check my security headers?

Paste your URL and tell Opviva to check it — the agent reads your live response headers and grades them in seconds.

Can Opviva add the missing headers for me?

Yes — once it confirms the gap, the agent opens a reviewed pull request that adds the right headers for your stack, which you approve.