Free, browser-based utilities for everyday developer workflows

Analyze HTTP security headers

Paste a response's headers and see which security headers are present, missing, or weak — HSTS, Content-Security-Policy, X-Content-Type-Options, and more — with a short explanation of each.

Open this example in HTTP Security Headers Analyzer

Open the tool, then paste the sample input below. Everything runs locally in your browser.

The problem

Security headers are easy to forget and hard to audit by eye. Missing HSTS, a permissive CSP, or no X-Content-Type-Options leaves a site exposed. Pasting the response headers and getting a checklist of what is set, missing, or weak makes the gaps obvious.

Sample input

Response headers
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000

Expected output

Findings
Strict-Transport-Security   present (max-age 31536000)
Content-Security-Policy     MISSING - add a policy to limit script sources
X-Content-Type-Options      MISSING - add nosniff
X-Frame-Options             MISSING - add DENY or use CSP frame-ancestors

HSTS is set, but the missing CSP and nosniff headers are the highest-impact gaps to close next.

How to do it

  1. Copy the response headers.
  2. Paste them into the analyzer.
  3. Review which security headers are present.
  4. See which are missing or weak, with the fix.
  5. Add the recommended headers to your server config.

Common mistakes

  • Setting HSTS without the includeSubDomains directive where it is appropriate.
  • A Content-Security-Policy so broad it provides no protection.
  • Forgetting X-Content-Type-Options: nosniff.
  • Relying on X-Frame-Options instead of CSP frame-ancestors.
  • Setting headers on the app but not on error or redirect responses.
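The checker below reproduces the present / MISSING / WEAK findings over pasted response headers for the sample input above, and also flags the weak-policy mistakes in this list (a CSP whose script sources are `*` or `'unsafe-inline'`, an X-Content-Type-Options value other than nosniff, an HSTS max-age of 0, a missing includeSubDomains). It is an added example in Python, not the analyzer's own code; the WEAK rules and the second constructed sample are this example's assumptions.

```python
"""Checker for pasted HTTP response headers: present / MISSING / WEAK findings.

Added example, not the analyzer's own code. The WEAK rules below are this
example's assumptions, not rules stated by the tool.
"""
import re

# Constructed sample: the page's own sample response headers.
SAMPLE_HEADERS = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000
"""

# Constructed sample illustrating a CSP too broad to protect anything.
WEAK_SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * 'unsafe-inline'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""


def parse_headers(raw: str) -> dict[str, str]:
    """Map lower-cased header names to values; skips the status line and blanks.
    A repeated name keeps the last value seen."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)  # split on the first colon only; values may contain colons
        headers[name.strip().lower()] = value.strip()
    return headers


def csp_directives(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source, ...]} with sources lower-cased."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def analyze(raw: str) -> list[tuple[str, str, str]]:
    """Return (header, status, detail) rows in the order the report prints them."""
    h = parse_headers(raw)
    rows: list[tuple[str, str, str]] = []

    # Strict-Transport-Security: max-age=0 removes the policy, so treat it as weak;
    # a missing includeSubDomains is only noted, since it is not always appropriate.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        rows.append(("Strict-Transport-Security", "MISSING", "add max-age=31536000"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age == 0:
            rows.append(("Strict-Transport-Security", "WEAK", "max-age is 0 or absent"))
        else:
            subs = "includeSubDomains" if "includesubdomains" in hsts.lower() else "no includeSubDomains"
            rows.append(("Strict-Transport-Security", "present", f"max-age {age}; {subs}"))

    # Content-Security-Policy: script sources come from script-src, else default-src.
    has_frame_ancestors = False
    csp = h.get("content-security-policy")
    if csp is None:
        rows.append(("Content-Security-Policy", "MISSING", "add a policy to limit script sources"))
    else:
        d = csp_directives(csp)
        has_frame_ancestors = "frame-ancestors" in d
        script = d.get("script-src", d.get("default-src"))
        if script is None:
            rows.append(("Content-Security-Policy", "WEAK", "no script-src or default-src; scripts are unrestricted"))
        elif "*" in script or "'unsafe-inline'" in script:
            rows.append(("Content-Security-Policy", "WEAK", "script sources allow * or 'unsafe-inline'"))
        else:
            rows.append(("Content-Security-Policy", "present", "script sources: " + " ".join(script)))

    # X-Content-Type-Options: only the exact value nosniff has any effect.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        rows.append(("X-Content-Type-Options", "MISSING", "add nosniff"))
    elif xcto.lower() != "nosniff":
        rows.append(("X-Content-Type-Options", "WEAK", f"value {xcto!r} is not nosniff"))
    else:
        rows.append(("X-Content-Type-Options", "present", "nosniff"))

    # Framing: CSP frame-ancestors satisfies the check; otherwise X-Frame-Options
    # must be DENY or SAMEORIGIN.
    xfo = h.get("x-frame-options")
    if has_frame_ancestors:
        rows.append(("X-Frame-Options", "present", "covered by CSP frame-ancestors"))
    elif xfo is None:
        rows.append(("X-Frame-Options", "MISSING", "add DENY or use CSP frame-ancestors"))
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        rows.append(("X-Frame-Options", "present", xfo.upper()))
    else:
        rows.append(("X-Frame-Options", "WEAK", f"value {xfo!r} is not DENY or SAMEORIGIN"))
    return rows


def format_report(rows: list[tuple[str, str, str]]) -> str:
    """Render rows in the same one-line-per-header layout as the expected output."""
    return "\n".join(f"{name:<28}{status} - {detail}" for name, status, detail in rows)


if __name__ == "__main__":
    for sample in (SAMPLE_HEADERS, WEAK_SAMPLE):
        print(format_report(analyze(sample)), end="\n\n")
```

Run it and the first report matches the expected output above (HSTS present, the other three MISSING); the second shows how a policy of `default-src * 'unsafe-inline'` is reported as WEAK even though the header is technically set, which is the case the "too broad" mistake describes.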

FAQ

Which HTTP security headers should I set?

At minimum Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff, and a framing control such as X-Frame-Options or CSP frame-ancestors.

What does Strict-Transport-Security do?

HSTS tells browsers to use HTTPS for the domain for the number of seconds given by max-age, preventing protocol downgrade and cookie hijacking over plain HTTP.

Why do I need X-Content-Type-Options: nosniff?

It stops browsers from MIME-sniffing a response into a different content type, which can turn an upload or response into an executable script.

Is X-Frame-Options still needed with CSP?

CSP frame-ancestors supersedes X-Frame-Options in modern browsers, but setting both covers older clients that do not honor CSP.

Are my headers uploaded?

No. The analysis runs locally in your browser. Your headers are not sent to a server.
