Frequently Asked Questions
Common questions about the VAPT Experts Security Headers Scanner.
Is this security headers scanner free?
Yes, completely free. No account required, no scan limits, no data stored.
Does scanning a website affect its performance?
No. The scanner sends a single HEAD request, which retrieves only the response headers without downloading page content.
Are my scans private?
Yes. The only data sent to our backend is the URL to scan. We return headers and immediately discard them. No logs, no history, no tracking.
Can I scan internal or staging sites?
Use the Raw Headers mode: copy the response headers from your browser's DevTools or from a tool like curl and paste them for analysis, with no backend call at all.
Why does my site score low even though it has HTTPS?
HTTPS is the transport layer. Security headers are application-layer controls. A site can have valid TLS/SSL but still be missing CSP, HSTS, X-Frame-Options, and other critical headers.
What is the difference between this tool and SecurityHeaders.com?
SecurityHeaders.com shows what is wrong. VAPT Experts shows you exactly how to fix it, with copy-paste configurations for 13+ platforms including Nginx, Apache, IIS, Cloudflare, Express, Next.js, and more.
Will adding security headers break my website?
Most headers are safe to add. Content-Security-Policy is the exception: a strict CSP may break third-party scripts, analytics, or payment gateways. Always test CSP in Report-Only mode first, monitor the reported violations, then enforce.
Does this tool do a full security assessment?
No. This tool checks only visible HTTP response headers. It does not test authentication, authorization, SQL injection, XSS vulnerabilities in your code, business logic, or API security. For that, request a professional VAPT.
What is HSTS and why does it matter?
HTTP Strict Transport Security (HSTS) forces browsers to access your site only via HTTPS. Without it, an attacker can perform an SSL stripping attack and intercept traffic even on a site that serves HTTPS.
What is Content Security Policy (CSP)?
CSP is an HTTP header that restricts which resources a browser can load. It is the primary defense against Cross-Site Scripting (XSS) attacks by whitelisting trusted sources.
Why are cookies flagged in the scan results?
Cookies without the Secure, HttpOnly, or SameSite attributes are exposed to theft via network interception, JavaScript access, or cross-site request forgery, respectively. Session cookies without these attributes are a critical risk.
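As an added example (not the scanner's own code), the following Python script performs the kind of offline check the Raw Headers mode describes: it parses a header block pasted from curl -I, reports which of the headers named above are missing, whether CSP is still in Report-Only mode, and which Set-Cookie lines lack the Secure, HttpOnly or SameSite attributes. The list of required headers and the sample response are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Headers the FAQ names as critical; compared case-insensitively.
REQUIRED = ["strict-transport-security", "content-security-policy", "x-frame-options"]
COOKIE_FLAGS = ["Secure", "HttpOnly", "SameSite"]

def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn a pasted `curl -I` block into (lower-name, value) pairs; Set-Cookie may repeat."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):  # skip blanks and status line
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def weak_cookie(set_cookie: str) -> str:
    """Return 'name: missing X, Y' for a Set-Cookie value, or '' if all flags are set."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}  # attribute names only
    missing = [f for f in COOKIE_FLAGS if f.lower() not in attrs]
    return f"{cookie_name}: missing {', '.join(missing)}" if missing else ""

def check_headers(raw: str) -> Dict[str, object]:
    """Report missing headers, CSP still in Report-Only mode, and under-flagged cookies."""
    pairs = parse_raw_headers(raw)
    present = {name for name, _ in pairs}
    cookies = [weak_cookie(v) for n, v in pairs if n == "set-cookie"]
    return {
        "missing": [h for h in REQUIRED if h not in present],
        # Report-Only is the test stage the FAQ recommends; it does not enforce.
        "csp_report_only": "content-security-policy-report-only" in present
        and "content-security-policy" not in present,
        "weak_cookies": [c for c in cookies if c],
    }

# Constructed sample: HSTS set, CSP only in Report-Only, session cookie under-flagged.
SAMPLE = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy-report-only: default-src 'self'
set-cookie: session=abc123; Path=/; HttpOnly
set-cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for key, val in check_headers(SAMPLE).items():
        print(f"{key}: {val}")
```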
How often should I run a security headers scan?
After every major deployment, CDN change, web server update, or new third-party integration. At minimum, run quarterly as part of security hygiene.