HTTP Header Checker
Paste HTTP response headers and check for missing or misconfigured security headers. Flags CSP, HSTS, X-Frame-Options, and more.
Copy-ready header config for nginx, Apache, and Cloudflare Workers.
nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
Apache (.htaccess)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self';"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Cloudflare Workers
response.headers.set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self';");
response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
response.headers.set("X-Frame-Options", "SAMEORIGIN");
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
Common Use Cases
- Pre-launch security audit: Copy response headers from your staging environment and run them through the checker to catch missing HSTS or CSP headers before going live.
- Third-party service review: Check the security headers returned by an embedded third-party widget or iframe to understand what security policies it enforces.
- Penetration test prep: Use the header checker as a quick first pass before a formal security assessment to identify obvious misconfiguration issues to fix early.
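The checks the use cases above describe (missing HSTS or CSP, misconfigured values), as an added JavaScript example that is not the tool's own code; the parser, the one-year HSTS threshold and the sample headers are assumptions made here:

```javascript
// Added example (not the tool's own code): parse pasted response headers and
// flag missing or weak security headers, mirroring the checks described above.
const ONE_YEAR = 31536000; // the max-age used in the configs above

function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip the status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = headers[name] ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

function checkSecurityHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const csp = h["content-security-policy"];
  if (!csp) findings.push("Content-Security-Policy: missing");
  else if (!/(^|;)\s*default-src\s/.test(csp)) findings.push("Content-Security-Policy: no default-src fallback");
  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push("Strict-Transport-Security: missing");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push("Strict-Transport-Security: max-age below one year");
    if (!/includeSubDomains/i.test(hsts)) findings.push("Strict-Transport-Security: includeSubDomains not set");
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!xfo) findings.push("X-Frame-Options: missing");
  else if (xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push(`X-Frame-Options: unrecognised value "${xfo}"`);
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options: not set to nosniff");
  if (!h["referrer-policy"]) findings.push("Referrer-Policy: missing");
  if (!h["permissions-policy"]) findings.push("Permissions-Policy: missing");
  return findings;
}

// Constructed sample: a staging response with a short HSTS max-age and no CSP.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Strict-Transport-Security: max-age=3600",
  "X-Frame-Options: sameorigin",
  "X-Content-Type-Options: nosniff",
  "Referrer-Policy: strict-origin-when-cross-origin",
].join("\n");

console.log(checkSecurityHeaders(SAMPLE).join("\n"));
```

Feeding it the headers set by the nginx, Apache or Workers config above yields no findings, since each header is present with the expected value.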
Pro plan — coming soon
Save your history, create reusable presets, and share outputs with a link. One plan, all tools.