HTTP response headers carry instructions from a server to the browser about security, caching, and content handling. A handful of these headers are the front line against attacks like cross-site scripting, clickjacking, and protocol downgrade. This free analyzer scores a pasted header block so you can see your security posture at a glance — without making any outbound request.
How to capture the headers
You need the raw response header block from the site you want to check. Three ways to get it:
Command line (fastest):
curl -sI https://example.com
Browser dev tools:
- Open DevTools → Network tab.
- Load the page and click the document request (usually the first one).
- Go to the Response Headers panel and copy the header block.
Online proxy (for sites behind auth): Capture the headers from your browser’s Network tab, which includes headers from authenticated sessions that curl cannot reach.
What the analyzer checks
The tool splits your input into Header-Name: value pairs (case-insensitive, repeated headers comma-joined) and runs a weighted rubric:
Content-Security-Policy (highest weight)
CSP is the strongest defence against cross-site scripting. The analyzer awards full points when CSP is present and clean, and reduced points if it contains 'unsafe-inline' or 'unsafe-eval' — directives that allow inline scripts and defeat much of CSP’s XSS protection. A missing CSP loses all CSP points.
Strict-Transport-Security (HSTS)
Protects against protocol downgrade and cookie hijacking by telling browsers to only connect over HTTPS. Full points require a max-age of at least ~180 days (about 15,552,000 seconds). Adding includeSubDomains and preload strengthens it further.
X-Content-Type-Options
Must be nosniff to prevent browsers from MIME-sniffing a response away from its declared Content-Type. Without it, a server that accepts user-uploaded files could be exploited by disguising scripts as images.
X-Frame-Options / CSP frame-ancestors
Prevents clickjacking by controlling whether the page may be embedded in an <iframe>. Either X-Frame-Options: DENY or a Content-Security-Policy: frame-ancestors 'none' directive satisfies this check. The CSP form is newer and more flexible.
Referrer-Policy
Controls what URL is sent in the Referer header when a user navigates away from your page. A policy like strict-origin-when-cross-origin avoids leaking full path URLs to third parties while preserving origin for same-site requests.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation, payment, etc.) the page and any embedded iframes may access. Presence is checked; a policy of () for every feature you do not use is safest.
Cache-Control
Checked for presence only, because correct values depend on the resource. A missing Cache-Control on sensitive endpoints (authenticated pages, API responses) is flagged as a concern.
Server version disclosure
A Server: Apache/2.4.51 (Ubuntu) header advertises your software and version to attackers. The analyzer flags any Server value that appears to include a version string. Prefer Server: Apache or suppress the header entirely.
Reading the score
Each check contributes weighted points; the total becomes a percentage and a letter grade. A perfect score is a guide, not a requirement — Permissions-Policy depends heavily on what features your site actually uses, and some headers like X-Frame-Options have legitimate reasons to be set to ALLOWALL on certain pages. Treat warnings as prompts to review, not mandates to fix blindly.