How to use the HTTP Security Headers Analyzer
Paste your HTTP response headers — from curl -I, browser DevTools, a proxy capture, or an API client — and get a graded local audit covering CSP, HSTS, CORS, cookie flags, caching, information leakage, framing, and privacy headers. Includes copy-ready snippets for NGINX, Apache, Express, Spring, ASP.NET, Netlify, and Vercel. Recommendations adapt to whether the response is an HTML page or a JSON API. Everything runs in your browser; headers are never uploaded.
How to use it
- Capture response headers with curl -I https://your-site.example, browser DevTools (Network → Headers → Response), or an API client.
- Paste the headers into the analyzer.
- Pick the response context: HTML page, JSON API, static asset, etc.
- Review the grade, missing headers, weak values, and copy the platform-specific fix snippet.
- Roll out CSP changes in Content-Security-Policy-Report-Only mode first.
When to use it
- You need a quick security check before signing off a release.
- You are reviewing a third-party API and want to confirm sane response-header defaults.
- You are comparing two environments (staging vs prod) for header drift.
- You need copy-ready NGINX / Apache / Express / Spring / ASP.NET / Netlify / Vercel snippets.
What it checks
- Transport security: Strict-Transport-Security — max-age, includeSubDomains, preload readiness.
- Browser protections: Content-Security-Policy directives (wildcards, unsafe-inline, unsafe-eval, object-src, frame-ancestors), X-Content-Type-Options.
- Framing & isolation: X-Frame-Options, CSP frame-ancestors, COOP / COEP / CORP, Origin-Agent-Cluster.
- Privacy: Referrer-Policy, Permissions-Policy (camera, microphone, geolocation, payment).
- CORS: Access-Control-Allow-Origin wildcard + credentials, missing Vary: Origin, overbroad methods/headers.
- Cookies: Secure, HttpOnly, SameSite, __Host- / __Secure- prefix rules, SameSite=None without Secure.
- Cache & privacy: Cache-Control, Vary, Clear-Site-Data, personalized response cache risk.
- Info leakage: Server, X-Powered-By, ASP.NET version, internal hosts.
- Deprecated: X-XSS-Protection, Public-Key-Pins (HPKP), Expect-CT, Feature-Policy.
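To make the value checks above concrete, here is an added example (not the analyzer's own code) that parses a pasted header block and applies a few of the listed rules: HSTS max-age and includeSubDomains, CORS wildcard-with-credentials and missing Vary: Origin, SameSite=None without Secure, __Host- prefix rules, and Server / X-Powered-By banners. The sample response and the finding codes are constructed for this example; the one-year HSTS threshold is the hstspreload.org minimum.

```javascript
const SAMPLE_HEADERS = [ // constructed sample response, not a real capture
  'HTTP/1.1 200 OK',
  'Server: nginx/1.25',
  'Strict-Transport-Security: max-age=3600',
  'Access-Control-Allow-Origin: *',
  'Access-Control-Allow-Credentials: true',
  'Set-Cookie: session=abc; SameSite=None; Path=/',
  'Set-Cookie: __Host-id=1; Secure; Path=/; Domain=example.com',
].join('\r\n');
// Fold a raw response block into a name -> [values] map (Set-Cookie repeats, so keep a list).
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const m = line.match(/^([A-Za-z0-9-]+):\s*(.*)$/);
    if (!m) continue; // skips the status line and blank lines
    const name = m[1].toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(m[2].trim());
  }
  return headers;
}
// Value checks for a subset of the categories above; the finding codes are constructed names.
function auditHeaders(raw) {
  const h = parseHeaders(raw), findings = [];
  const first = (n) => (h.get(n) || [])[0];
  // Transport: HSTS present, max-age of at least one year (the hstspreload.org minimum), includeSubDomains.
  const hsts = first('strict-transport-security') || '';
  const age = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
  if (!hsts) findings.push('HSTS_MISSING');
  else if (age < 31536000) findings.push('HSTS_MAX_AGE_SHORT');
  if (hsts && !/includesubdomains/i.test(hsts)) findings.push('HSTS_NO_SUBDOMAINS');
  // CORS: wildcard origin with credentials, or a specific origin served without Vary: Origin.
  const acao = first('access-control-allow-origin');
  const creds = /^true$/i.test(first('access-control-allow-credentials') || '');
  if (acao === '*' && creds) findings.push('CORS_WILDCARD_WITH_CREDENTIALS');
  if (acao && acao !== '*' && !/\borigin\b/i.test(first('vary') || '')) findings.push('CORS_MISSING_VARY_ORIGIN');
  // Cookies: SameSite=None needs Secure; __Host- needs Secure, Path=/, and no Domain.
  for (const cookie of h.get('set-cookie') || []) {
    const attrs = cookie.split(';').map((s) => s.trim());
    const name = attrs[0].split('=')[0];
    const has = (re) => attrs.some((a) => re.test(a));
    if (has(/^samesite=none$/i) && !has(/^secure$/i)) findings.push(`COOKIE_SAMESITE_NONE_INSECURE:${name}`);
    if (name.startsWith('__Host-') && (!has(/^secure$/i) || !has(/^path=\/$/i) || has(/^domain=/i)))
      findings.push(`COOKIE_HOST_PREFIX_INVALID:${name}`);
  }
  // Info leakage: server and framework banners.
  for (const n of ['server', 'x-powered-by']) if (first(n)) findings.push('LEAK_' + n.toUpperCase());
  return findings;
}
```

Run `auditHeaders(SAMPLE_HEADERS)` to see every rule fire on the constructed response; a response with a one-year HSTS, no CORS headers and a well-formed __Host- cookie returns an empty list.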
Tips & pitfalls
- The tool never fetches your site or runs a live scan — paste-only by design. Use a separate scanner if you want network probing.
- A strict CSP can break apps. Roll out with Content-Security-Policy-Report-Only and verify report-uri / report-to before enforcement.
- frame-ancestors in CSP supersedes X-Frame-Options in modern browsers — keep both for legacy defense.
- SameSite=None requires Secure or browsers reject the cookie.
- __Host- cookies must have Secure, Path=/, and no Domain attribute.
- For API JSON responses, focus on CORS, cookies, and Cache-Control; CSP is usually not load-bearing unless the response is rendered in a browser.
FAQ
- Does this fetch my website? No. The tool never makes network requests — it analyzes pasted text locally.
- Does this upload my headers? No. Parsing, scoring, snippet generation, and reports all run in your browser.
- Why isn't checking only header presence enough? Many headers (CSP, CORS, HSTS) can be present but unsafe (unsafe-inline, wildcard *, max-age=0). This tool validates values, not just presence.
- Can strict headers break my site? Yes. Aggressive CSPs, framing policies, and COEP can break legitimate embeds. Test in staging and use Report-Only for CSP.
- What grade should I aim for? A or A+ is reasonable for production HTML pages. APIs and static assets can score differently because not every header applies.
- How is this different from securityheaders.com / Mozilla Observatory? Those scan a live URL from a server. This tool analyzes pasted headers locally — useful for headers behind auth, internal tools, or staging.
- How do I generate a Content-Security-Policy? Start with the recommended baseline emitted by the analyzer, deploy in Report-Only mode, collect violation reports, and tighten.