Security Headers Analyzer
Paste your HTTP response headers to check for missing or weak security headers. Get actionable recommendations for each header.
About HTTP Security Headers
Security headers are HTTP response headers that instruct browsers to enable or disable security features. They are a critical layer of defense against common web attacks including cross-site scripting (XSS), clickjacking, MIME-type sniffing, and protocol downgrade attacks.
Content-Security-Policy (CSP) is the most important security header — it controls which resources (scripts, styles, images) the browser is allowed to load. A strict CSP can eliminate most XSS attack vectors. HSTS ensures browsers always connect via HTTPS, preventing SSL-stripping attacks.
The Cross-Origin headers (COOP, CORP, COEP) provide process-level isolation, protecting against Spectre-class side-channel attacks. Setting COOP and COEP together enables crossOriginIsolated mode, which is required for features like SharedArrayBuffer.
Raw HTTP response headers are split into key-value pairs, and each header is checked against security best practices
Verify critical headers exist: CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
Check header values for strength — e.g., HSTS max-age ≥ 31536000, X-Frame-Options DENY vs SAMEORIGIN
Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy checked for isolation
Each header scored as present (secure), weak (needs improvement), or missing (vulnerable) with recommendations
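A minimal version of the check described above, added here as an example (not the analyzer's own code): it parses raw response headers, rates each critical header as secure, weak or missing, and attaches a recommendation. The thresholds (HSTS max-age of 31536000, no 'unsafe-inline'/'unsafe-eval' in CSP) follow the page; the sample response is constructed.

```python
import re

# Headers the page lists as critical, in lowercase for case-insensitive lookup.
REQUIRED = [
    "content-security-policy", "strict-transport-security",
    "x-content-type-options", "x-frame-options", "referrer-policy",
    "permissions-policy", "cross-origin-opener-policy",
    "cross-origin-resource-policy", "cross-origin-embedder-policy",
]

def parse_headers(raw):
    """Split raw HTTP response headers into a {lowercase-name: value} dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def check_value(name, value):
    """Rate one present header: ('secure', '') or ('weak', recommendation)."""
    v = value.lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            return "weak", "set max-age to at least 31536000 (one year)"
    elif name == "content-security-policy":
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "weak", "drop 'unsafe-inline'/'unsafe-eval'; use nonces or hashes"
    elif name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "weak", "use DENY (or SAMEORIGIN if same-origin framing is needed)"
    elif name == "x-content-type-options" and v != "nosniff":
        return "weak", "set to nosniff"
    return "secure", ""

def analyze(raw):
    """Score every critical header as secure, weak or missing."""
    headers = parse_headers(raw)
    return {name: check_value(name, headers[name]) if name in headers
            else ("missing", "add this header") for name in REQUIRED}

# Constructed sample response (not captured from a real server).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=3600
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
"""
```

Running `analyze(SAMPLE)` flags HSTS and CSP as weak, X-Frame-Options and X-Content-Type-Options as secure, and the remaining five headers as missing.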
Spec: OWASP Secure Headers Project, MDN HTTP Headers