HTTP Security Headers Checker
Paste raw response headers or curl -I output to review common security headers locally, including CSP, HSTS, and COOP. If redirects are included, the last response block is scored.
What Is an HTTP Security Headers Checker?
HTTP security headers tell the browser how to handle cross-origin requests, script execution, mixed content, and embedded contexts. They are the cheapest hardening you can ship, because the only cost is a config edit. The checker scores against the OWASP Secure Headers Project recommendations and the Mozilla Observatory rubric. Key headers it evaluates:

- Content-Security-Policy: an allowlist of permitted script, style and image origins; the default-src 'self' baseline blocks most XSS.
- Strict-Transport-Security (HSTS): forces HTTPS for max-age seconds; values >= 31536000 with includeSubDomains; preload are eligible for the HSTS Preload list at hstspreload.org, which is baked into Chrome, Firefox and Safari.
- X-Content-Type-Options: nosniff: stops browsers from MIME-sniffing a .txt response as HTML.
- X-Frame-Options: DENY / CSP frame-ancestors: anti-clickjacking; frame-ancestors is the modern CSP equivalent and overrides X-Frame-Options when both are present.
- Referrer-Policy: controls which origin and path information leaks to third parties.
- Permissions-Policy (formerly Feature-Policy): opts out of camera, microphone and geolocation.
- The Cross-Origin Isolation trio COOP / COEP / CORP, which gates SharedArrayBuffer and high-resolution timers.

Unlike URL-based scanners (securityheaders.com, Mozilla Observatory), this tool accepts pasted headers from curl -I or DevTools, so internal endpoints behind a VPN or on localhost still get scored without being exposed.
How to Use the HTTP Security Headers Checker
Run curl -sI https://your.endpoint/ or copy from DevTools -> Network -> Headers -> Response. Paste the full block including the status line (HTTP/2 200). The checker tolerates redirects (301/302/307/308) and scores the final response. Each header is evaluated against the OWASP recommended value: Pass (matches the recommendation), Warn (present but weak, e.g. HSTS max-age=300 is too short to be effective), Fail (missing or actively unsafe, e.g. Access-Control-Allow-Origin: * on a credentialed endpoint). The report links each finding to the relevant MDN docs and the OWASP cheat sheet. A common trap: setting both X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' is redundant but not wrong; frame-ancestors wins on modern browsers and X-Frame-Options remains for legacy ones. 'unsafe-inline' in script-src defeats CSP as an XSS protection and is flagged as Fail even if the rest of the policy is solid.
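The scoring rules described in the two sections above (last response block wins when redirects are pasted, one-year HSTS threshold, 'unsafe-inline' in script-src is a Fail, frame-ancestors or X-Frame-Options for clickjacking, nosniff) carried out on a constructed curl -I capture. This is an added example, not the checker's own code; the sample headers and the example.test host are constructed, and only four of the headers the page lists are scored.

```python
"""Added example, not the page's code: rate pasted `curl -I` output with the
page's rules (last response block wins; 1-year HSTS; no 'unsafe-inline')."""
import re

# Constructed sample: a 301 redirect followed by the final 200 response.
SAMPLE = """HTTP/1.1 301 Moved Permanently
Location: https://example.test/

HTTP/2 200
content-type: text/html
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
x-content-type-options: nosniff
"""

def parse_final_response(raw: str) -> dict:
    """Keep the last block that starts with a status line; lowercase header names."""
    blocks = [b for b in re.split(r"\n\s*\n", raw.strip()) if b.startswith("HTTP/")]
    if not blocks:
        raise ValueError("no HTTP status line found")
    return {name.strip().lower(): value.strip() for name, sep, value in
            (line.partition(":") for line in blocks[-1].splitlines()[1:]) if sep}

def csp_directives(csp: str) -> dict:
    """'default-src 'self'; script-src a b' -> {'default-src': ["'self'"], 'script-src': ['a', 'b']}"""
    return {t[0]: t[1:] for d in csp.split(";") if (t := d.split())}

def score(headers: dict) -> dict:
    """Return {check: (verdict, reason)} for the four checks exercised here."""
    out = {}
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if m is None:
        out["hsts"] = ("Fail", "missing or no max-age")
    elif int(m.group(1)) >= 31536000:
        out["hsts"] = ("Pass", f"max-age={m.group(1)}")
    else:
        out["hsts"] = ("Warn", f"max-age={m.group(1)} is too short to be effective")
    csp = csp_directives(headers.get("content-security-policy", ""))
    script = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
    if not csp:
        out["csp"] = ("Fail", "missing")
    elif "'unsafe-inline'" in script or "*" in csp.get("default-src", []):
        out["csp"] = ("Fail", "'unsafe-inline' in script-src or wildcard default-src")
    else:
        out["csp"] = ("Pass", "no inline scripts, no wildcard default-src")
    framed = "frame-ancestors" in csp or "x-frame-options" in headers
    out["clickjacking"] = ("Pass", "framing restricted") if framed else ("Fail", "framing unrestricted")
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    out["nosniff"] = ("Pass", "nosniff set") if nosniff else ("Fail", "MIME sniffing allowed")
    return out
```

On the sample the redirect block is ignored and the final response rates HSTS as Warn (max-age=300) and CSP as Fail despite its frame-ancestors directive, which is exactly the "rest of CSP is solid" case the page describes.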
Why HTTP Security Headers Matter
Missing security headers are the most common finding in penetration tests because they are invisible: a site can serve the right HTML and still fail an audit because the response headers are wrong. PCI DSS 4.0 (March 2025), the SOC 2 Trust Services Criteria, and ISO 27001:2022 Annex A 8.26 all flag missing CSP / HSTS / X-Frame-Options as control gaps. The fix costs one line in your reverse proxy (one add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; directive in nginx, one block in the headers array of vercel.json, three lines in a Cloudflare Worker), but the gap stays undiscovered until an auditor or a competitor's security write-up surfaces it. CI-integrated header checking catches regressions, such as a deploy that flips your CSP from default-src 'self' to default-src * because someone debugging copy-pasted the wrong rule. Running the headers through this checker before merging the deploy PR catches the diff.
Frequently Asked Questions
Can I paste localhost or staging headers?
Yes. This tool is built for paste mode, so you can review headers from localhost, internal staging, or any private environment without exposing the URL.
Why not fetch the URL directly?
Fetching a URL would fail for many private environments and could leak internal endpoints. Paste mode keeps the workflow private and works anywhere curl or browser devtools can copy headers.
Does a high score guarantee security?
No. The checker highlights common response headers and common misconfigurations, but it is not a full application security audit.