Security headers checker — grade CSP, HSTS, and hardening online

Scan a public HTTPS URL or paste raw HTTP response headers to see how your site scores on Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, clickjacking controls, Referrer-Policy, and related signals. Built for developers, site owners, and security reviewers who need a fast, repeatable security header audit before production releases or compliance reviews.

How to use this security headers analyzer

Choose Live URL and enter a fully qualified address (we prepend https:// when you omit the scheme). Submit to run a server-side fetch under our public-URL safety rules. You will get a numeric score, a letter grade, and a checklist explaining each finding. Use Paste or upload when you already have headers from curl -I, a browser, or a proxy—TLS behavior is not verified in that mode, so confirm HTTPS separately or re-run as a live scan. Copy the markdown report to attach to tickets or change requests. To see every raw header name and value without scoring, open our HTTP header checker.

Security headers checklist (what we look for)

Transport: live scans expect HTTPS end-to-end. HSTS should use a sensible max-age once you are confident in TLS. CSP reduces XSS impact; iterate with report-only policies before enforcement. X-Content-Type-Options: nosniff avoids MIME sniffing surprises. Frame protection comes from X-Frame-Options or CSP frame-ancestors (avoid * unless you truly need universal embedding). Referrer-Policy and Permissions-Policy tighten data leakage and powerful APIs. Draft CSP with our CSP builder, then validate here after deployment.
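As an added illustration (not the tool's own scoring code), here is a small Python scorer for pasted headers that applies the checklist above; the per-header weights, the one-year HSTS floor, and the sample response are assumptions made for the example.

```python
import re

# Constructed sample response (not a real site), as pasted from curl -I.
SAMPLE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
x-content-type-options: nosniff
"""

def parse_headers(raw):
    """Parse 'Name: value' lines; skip the status line and lower-case names (header names are case-insensitive)."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or '' if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return ""

def audit(raw):
    """Score pasted headers 0-100; weights and the one-year HSTS floor are illustrative assumptions."""
    h = parse_headers(raw)
    csp = h.get("content-security-policy", "")
    scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src")
    ancestors = csp_directive(csp, "frame-ancestors")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    xfo = h.get("x-frame-options", "").upper()
    checks = [  # (passed, points, finding reported when not passed)
        (bool(hsts) and int(hsts.group(1)) >= 31536000, 25, "HSTS missing or max-age below one year"),
        (bool(csp), 15, "Content-Security-Policy missing"),
        (bool(csp) and "'unsafe-inline'" not in scripts, 15, "CSP absent or script sources allow 'unsafe-inline'; use nonces or hashes"),
        (xfo in ("DENY", "SAMEORIGIN") or (bool(ancestors) and "*" not in ancestors), 20, "no clickjacking control (X-Frame-Options or CSP frame-ancestors)"),
        (h.get("x-content-type-options", "").lower() == "nosniff", 15, "X-Content-Type-Options: nosniff missing"),
        (bool(h.get("referrer-policy")), 10, "Referrer-Policy missing"),
    ]
    score = sum(points for ok, points, _ in checks if ok)
    findings = [msg for ok, _, msg in checks if not ok]
    return score, findings
```

Running audit(SAMPLE) scores 75 and reports the 'unsafe-inline' script source and the missing Referrer-Policy, the two gaps a reviewer would fix first.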

Why security headers matter for web apps and APIs

Browsers enforce headers to constrain scripts, framing, and cross-origin interactions. A missing or overly permissive CSP can leave room for XSS payloads; weak frame controls expose clickjacking; missing nosniff increases MIME confusion risk. Headers do not replace secure coding or input validation, but they add defense-in-depth that scales across pages and microservices. Pair this audit with certificate hygiene using our SSL certificate checker and redirect correctness with the redirect chain checker.

Interpreting scores and grades

The score weights presence and quality of common headers; it is not a penetration test or compliance certification. A high grade means the response aligns with common baseline hardening guidance—still review CSP directives for your specific third-party scripts, APIs, and iframes. A low grade usually means missing CSP, missing frame protection, or HTTP-only delivery. Re-scan after each CDN or edge config change because headers are often set at the edge, not only on origin.

Related security and website tools

Explore the full security & encryption tools collection, or jump to adjacent utilities below. For JWT and signing workflows after you lock down transport, see the JWT encoder and HMAC generator.

  • Password Strength Meter: Score password entropy, estimate crack time, and get practical hardening tips.
  • bcrypt Hash Generator: Generate bcrypt hashes with configurable cost for secure password storage testing.
  • AES Encrypt & Decrypt: Encrypt and decrypt text with AES-256 and a passphrase—runs fully in your browser.
  • RSA Key Pair Generator: Create 1024–4096 bit RSA public/private key pairs locally for demos and dev workflows.
  • CSP Builder: Toggle Content-Security-Policy directives and copy a header value ready for your server.
  • JWT Encoder: Build HS256-signed JWTs from custom header and payload for API and auth testing.
  • HMAC Generator: Create HMAC-SHA256 or HMAC-SHA512 signatures with a secret for webhook and API verification.
  • SSL Certificate Decoder: Paste PEM certificates to read subject, issuer, SANs, and validity windows.
  • .htaccess Generator: Assemble common Apache .htaccess rules for redirects, HTTPS, caching, and access control.

Frequently asked questions

What is a security headers checker?
It fetches a public HTTPS page (or analyzes headers you paste) and scores common HTTP security headers—such as HSTS, CSP, X-Content-Type-Options, frame protection, and Referrer-Policy—so you can harden responses before attackers probe them.
How is this different from a generic HTTP header checker?
Our general HTTP header checker lists every response header for debugging. This tool focuses on security signals, explains gaps in plain language, and assigns a grade. Use both together: raw inspection for detail, this page for prioritization.
Does the scan follow redirects?
Yes. We resolve redirects up to a safe hop limit and evaluate headers from the final response, matching how browsers and many clients see your site. For a hop-by-hop list, use the redirect chain checker.
Why might my score differ from Mozilla Observatory or similar tools?
Different scanners weight headers differently, use different probes (GET vs HEAD, user-agent, geography), and may test multiple paths. Treat this score as a guided checklist, not a certification—align with your threat model and compliance requirements.
Which headers matter most for production web apps?
Typically: HTTPS with HSTS, a strict Content-Security-Policy, X-Content-Type-Options: nosniff, clickjacking controls via CSP frame-ancestors or X-Frame-Options, and Referrer-Policy. Permissions-Policy and COOP/CORP add defense-in-depth for sensitive applications.
Can I analyze headers without fetching a live URL?
Yes. Paste raw header lines (for example from curl -I or a proxy) or upload a small text file. Analysis runs in your session so you can review staging configs without exposing internal hosts to our fetcher.
Can I check localhost or private IP addresses?
Live URL scans only allow public http(s) hosts that resolve to non-private addresses—the same SSRF protections as our other website tools. For private environments, use paste/upload mode with headers copied from your server or proxy.
How do I fix a missing Content-Security-Policy?
Start with a minimal policy (for example default-src 'self'), use nonces or hashes for scripts instead of unsafe-inline where possible, and iterate using report-only mode first. Our CSP builder helps draft a policy you can paste into server config.