
10 Security Headers Every Website Must Have in 2026

A definitive checklist for securing your website using HTTP headers, including modern requirements for CSP, HSTS, and the latest Cross-Origin policies.

ViewPageSource Team April 7, 2026

![Security Headers 2026 Checklist](/blog/security-headers-2026.svg)

The Evolving Landscape of Web Security

As we move into 2026, the complexity of web-based attacks has increased, but so has the power of our defenses. HTTP security headers remain one of the most effective, low-effort/high-impact security measures you can implement.

Below is the updated checklist of the 10 essential security headers every modern website must implement to protect users and maintain trust.

1. Content-Security-Policy (CSP)

The gold standard for preventing Cross-Site Scripting (XSS) and data injection attacks. In 2026, a "strict" CSP is no longer optional.

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests;

2. Strict-Transport-Security (HSTS)

Ensures that all communication with your server is performed over encrypted HTTPS.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

3. X-Content-Type-Options

Prevents the browser from "sniffing" the MIME type of a response, which protects against XSS via uploaded files that mimic executable scripts.

X-Content-Type-Options: nosniff

4. X-Frame-Options

Protects against clickjacking by preventing your site from being embedded in an iframe on another domain.

X-Frame-Options: DENY

5. Referrer-Policy

Controls how much information the browser includes in the `Referer` header when visitors follow links away from your site.

Referrer-Policy: strict-origin-when-cross-origin

6. Permissions-Policy

Allows you to explicitly enable or disable browser features like the camera, microphone, or geolocation for your site and its iframes.

Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

7. Cross-Origin-Opener-Policy (COOP)

A critical modern header that helps isolate your site's process from other sites, preventing certain types of side-channel attacks like Spectre.

Cross-Origin-Opener-Policy: same-origin

8. Cross-Origin-Embedder-Policy (COEP)

Prevents a document from loading any cross-origin resources that don't explicitly grant permission via CORP.

Cross-Origin-Embedder-Policy: require-corp

9. Cross-Origin-Resource-Policy (CORP)

Allows you to control which origins can embed your resources, mitigating the risk of cross-site leaks.

Cross-Origin-Resource-Policy: same-origin

10. Expect-CT (Certificate Transparency)

While being phased into standard browser behavior, it remains useful for detecting misissued certificates.

Expect-CT: max-age=86400, enforce

How to Audit Your Headers

You can use the **ViewPageSource Security Header Checker** to instantly see which headers your site is missing and get detailed implementation advice.
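An audit of this kind can be scripted, too. The checker below is an added example written for this post, not the ViewPageSource tool's own code: it takes a response's headers as a dictionary, tests each of the ten headers above for presence and for the weaknesses the recommended values rule out (inline or wildcard script sources in the CSP, an HSTS max-age under a year, a leaky Referrer-Policy), and reports what is missing or weak. The sample response at the bottom is constructed for illustration.

```python
import re

HSTS_MIN_AGE = 31536000  # one year, the floor the HSTS preload list requires
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def check_csp(value):
    """Flag what a strict CSP must rule out: inline/wildcard scripts, plugins, unrestricted framing."""
    directives = {p.split()[0].lower(): p.lower().split()[1:] for p in value.split(";") if p.strip()}
    scripts = directives.get("script-src", directives.get("default-src", ["*"]))  # CSP fallback rule
    issues = []
    if any(s in ("'unsafe-inline'", "*", "data:") for s in scripts):
        issues.append("script-src allows inline, wildcard or data: scripts")
    if directives.get("object-src") != ["'none'"]:
        issues.append("object-src is not 'none'")
    if "frame-ancestors" not in directives:
        issues.append("frame-ancestors missing")
    return "; ".join(issues) or None

def check_hsts(value):
    match = re.search(r"max-age=(\d+)", value)
    if not match or int(match.group(1)) < HSTS_MIN_AGE:
        return "max-age missing or shorter than one year"
    return None if "includesubdomains" in value.lower() else "includeSubDomains missing"

def expect(*allowed):  # build a check that accepts only the listed values, case-insensitively
    return lambda v: None if v.strip().lower() in allowed else f"expected one of {allowed}"

CHECKS = {
    "Content-Security-Policy": check_csp,
    "Strict-Transport-Security": check_hsts,
    "X-Content-Type-Options": expect("nosniff"),
    "X-Frame-Options": expect("deny", "sameorigin"),
    "Referrer-Policy": lambda v: None if v.strip().lower() in SAFE_REFERRER else "leaks full URL cross-origin",
    "Permissions-Policy": lambda v: None if "=" in v else "no feature restrictions set",
    "Cross-Origin-Opener-Policy": expect("same-origin"),
    "Cross-Origin-Embedder-Policy": expect("require-corp"),
    "Cross-Origin-Resource-Policy": expect("same-origin", "same-site"),
    "Expect-CT": lambda v: None if "max-age=" in v else "max-age missing",
}

def audit(headers):
    """Return {header: finding} for each missing or weak header; {} means all ten pass."""
    present = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {name: "missing" if name.lower() not in present else check(present[name.lower()])
                for name, check in CHECKS.items()}
    return {name: f for name, f in findings.items() if f}

WEAK_RESPONSE = {  # constructed sample: CSP and HSTS present but weak, most headers absent
    "content-security-policy": "default-src 'self' 'unsafe-inline'; img-src *",
    "strict-transport-security": "max-age=86400", "x-content-type-options": "nosniff"}
```

Feeding it the exact values listed in this post returns an empty dictionary; `audit(WEAK_RESPONSE)` returns nine findings, one per header that is absent or below the bar.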

Implementing these headers is often as simple as updating your Nginx, Apache, or Vercel configuration. Don't leave your site vulnerable to preventable attacks!

---

About the Creator: Hassan

WordPress Developer | 2 Years Experience

Hassan is the lead developer and visionary behind ViewPageSource. As a Computer Science student and WordPress specialist with 2 years of experience in custom theme and plugin development, he built this tool to bring transparency to the web. Hassan focuses on creating high-performance, developer-centric applications that help others understand and audit the technology stacks behind their favorite websites.
