HTTP Security Headers Checker
Paste raw response headers or curl -I output to review common security headers locally, including CSP, HSTS, and COOP. If redirects are included, the last response block is scored.
What Is an HTTP Security Headers Checker?
The HTTP Security Headers Checker analyzes response headers against OWASP security best practices and scores them on a 0–100 scale. It evaluates Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin headers including COOP, COEP, and CORP. Unlike online scanners that fetch a public URL, this tool operates in paste mode — you copy raw headers from curl -I output, browser DevTools, or your reverse proxy logs and paste them directly into the checker. This design makes it ideal for localhost development servers, staging environments behind VPNs, internal APIs, and any endpoint that is not publicly accessible. No URLs are fetched, no endpoints are exposed, and no header data leaves your browser.
How to Use the HTTP Security Headers Checker
Run curl -I on your target URL or copy response headers from your browser's DevTools Network tab. Paste the raw headers into the input field — the tool accepts full curl output including the status line. Click "Analyze headers" to generate the security report. Each header is scored as Pass, Warn, or Fail with an explanation. If your paste includes multiple response blocks (e.g., from a redirect chain), the checker scores the final response. Review failing checks, update your server configuration, and re-test by pasting the new headers.
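As an added example (not code from the checker itself), the following Python script does what the steps above describe: it splits a curl -I -L paste into response blocks, parses the last one, and labels each header the tool lists as Pass, Warn or Fail, rolling them up into a weighted 0–100 score. The embedded sample headers, the weights, the one-year HSTS threshold and the choice of which absent headers count as Warn rather than Fail are all assumptions of this example, not the tool's own rules.

```python
# Added example (not the checker's own code): parse pasted `curl -I` output, score
# the LAST response block, label each header Pass/Warn/Fail. Weights and thresholds are assumptions.
import re

# Constructed sample: a redirect then the final response, as `curl -I -L` prints it.
# The final block deliberately mixes strong and weak settings.
SAMPLE_CURL_OUTPUT = """HTTP/1.1 301 Moved Permanently
Location: https://example.test/

HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
cross-origin-opener-policy: same-origin
"""

def split_response_blocks(raw):  # responses in a paste are separated by a blank line
    return [b.strip() for b in re.split(r"\r?\n\s*\r?\n", raw.strip()) if b.strip()]

def parse_headers(block):
    headers = {}  # lowercased names: HTTP header names are case-insensitive
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.upper().startswith("HTTP/"):  # skip the status line
            headers[name.strip().lower()] = value.strip()
    return headers

def check_csp(h):
    csp = h.get("content-security-policy")
    if csp is None:
        return "Fail", "missing; injected scripts run unrestricted"
    low = csp.lower()
    if "'unsafe-inline'" in low or "'unsafe-eval'" in low or re.search(r"\s\*(?=[\s;]|$)", low):
        return "Warn", "present but allows inline/eval scripts or wildcard sources"
    return "Pass", "present"

def check_hsts(h):
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return "Fail", "missing; connections can be downgraded to HTTP"
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)  # 31536000 s = one year (assumed floor)
    return ("Pass", hsts) if m and int(m.group(1)) >= 31536000 else ("Warn", "max-age below one year")

def check_xfo(h):
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "Pass", xfo
    if "frame-ancestors" in h.get("content-security-policy", "").lower():
        return "Pass", "covered by CSP frame-ancestors"
    return "Fail", "missing; page can be framed (clickjacking)"

def check_referrer(h):
    rp = h.get("referrer-policy")
    if rp is None:
        return "Fail", "missing; browser default may leak full URLs"
    if rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        return "Warn", rp + " leaks the full URL cross-origin"
    return "Pass", rp

def check_nosniff(h):
    value = h.get("x-content-type-options", "")
    return ("Pass", value) if value.lower() == "nosniff" else ("Fail", "missing or not 'nosniff'")

def presence(name):  # headers whose absence is a Warn (often omitted on purpose), not a Fail
    return lambda h: ("Pass", h[name]) if name in h else ("Warn", "missing")

# (display name, weight, check); weights sum to 100 (assumed scale)
CHECKS = [
    ("Content-Security-Policy", 25, check_csp),
    ("Strict-Transport-Security", 20, check_hsts),
    ("X-Content-Type-Options", 10, check_nosniff),
    ("X-Frame-Options", 10, check_xfo),
    ("Referrer-Policy", 10, check_referrer),
    ("Permissions-Policy", 10, presence("permissions-policy")),
    ("Cross-Origin-Opener-Policy", 5, presence("cross-origin-opener-policy")),
    ("Cross-Origin-Embedder-Policy", 5, presence("cross-origin-embedder-policy")),
    ("Cross-Origin-Resource-Policy", 5, presence("cross-origin-resource-policy")),
]
CREDIT = {"Pass": 1.0, "Warn": 0.5, "Fail": 0.0}

def score_headers(h):
    report = [(name, *check(h)) for name, _, check in CHECKS]  # (header, status, explanation)
    score = sum(w * CREDIT[status] for (_, w, _), (_, status, _) in zip(CHECKS, report))
    return score, report

def analyze(raw):  # score the final response block, i.e. the last hop of a redirect chain
    blocks = split_response_blocks(raw)
    if not blocks:
        raise ValueError("no HTTP response block found in input")
    return score_headers(parse_headers(blocks[-1]))

if __name__ == "__main__":
    score, report = analyze(SAMPLE_CURL_OUTPUT)
    for name, status, why in report:
        print(f"{status:<4} {name}: {why}")
    print(f"Score: {score:.1f}/100")
```

Run it as-is to score the embedded sample: it lands on 77.5 because the CSP permits 'unsafe-inline' and Permissions-Policy, COEP and CORP are absent. Treating the missing cross-origin headers as Warn rather than Fail reflects that COEP in particular is often left off deliberately, so even a response with no security headers at all keeps a few points; change CREDIT or the weights to match your own policy.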
Why HTTP Security Headers Matter
Security headers are the first line of defense against XSS, clickjacking, MIME sniffing, and data injection attacks. OWASP lists missing security headers as a common misconfiguration in web applications. A missing Content-Security-Policy lets injected scripts execute freely. Without HSTS, users can be downgraded to HTTP via man-in-the-middle attacks. Missing X-Frame-Options enables clickjacking. Security audits, penetration tests, and compliance frameworks (PCI DSS, SOC 2) all check for these headers. Integrating header checks into your CI/CD pipeline — export headers from a test deployment, paste them here, verify the score — catches regressions before they reach production.
Frequently Asked Questions
Can I paste localhost or staging headers?
Yes. This tool is built for paste mode, so you can review headers from localhost, internal staging, or any private environment without exposing the URL.
Why not fetch the URL directly?
Fetching a URL would fail for many private environments and could leak internal endpoints. Paste mode keeps the workflow private and works anywhere curl or browser DevTools can copy headers.
Does a high score guarantee security?
No. The checker highlights common response headers and common misconfigurations, but it is not a full application security audit.