Security Header Checker
A fully client-side security header analyzer that evaluates HTTP response headers for essential protections like HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin policies. Paste raw headers from curl -I, browser DevTools, or any HTTP client and receive an A-F security grade with a weighted scoring algorithm (100 points total). Each header gets a PASS, WARNING, or FAIL verdict with specific feedback on misconfiguration. The calculation checks not just presence but correct values: HSTS max-age duration thresholds, CSP unsafe-inline detection, and Permissions-Policy feature counts. The checker also generates ready-to-use server configuration snippets for Nginx, Apache, .htaccess, Caddy, and Cloudflare Workers, covering only the headers your site is missing. Ideal for web developers auditing their deployments, DevOps engineers hardening production servers, and security professionals reviewing third-party configurations. Everything runs in your browser with zero external requests.
Paste your HTTP response headers to analyze security configuration. 100% client-side, nothing leaves your browser.
How to get your headers:
- curl -I https://yoursite.com in your terminal and paste the output.
- wget --server-response --spider https://yoursite.com 2>&1 and paste the headers.
- Enter values for each security header (leave blank if not present on your site).
Security Grade
Header Analysis
Recommendations
Generate Server Config
Get recommended header configuration for missing headers.
How to Use This Tool
- Get your headers - Run curl -I https://yoursite.com in a terminal, or open browser DevTools (F12), go to the Network tab, click a request, and copy the Response Headers section.
- Paste and analyze - Paste the raw header output into the textarea and click Analyze Headers. Alternatively, switch to Manual Entry mode and fill in individual header values.
- Review results - See your A-F security grade, per-header PASS/WARNING/FAIL verdicts, and actionable recommendations. Then generate server config snippets for any missing headers.
Why This Method?
HTTP security headers are the first line of defense against common web attacks. HSTS (Strict-Transport-Security) forces HTTPS connections, preventing SSL stripping; CSP (Content-Security-Policy) blocks XSS attacks by controlling resource loading; X-Frame-Options prevents clickjacking; and Referrer-Policy controls what information leaks to third parties. Sites without these headers are vulnerable to trivial attacks.
The weighted grading system reflects real-world priority: HSTS and CSP are worth 20 points each (critical), X-Frame-Options is 15 points (important), and the other headers range from 5 to 10 points. Headers are not just checked for presence but validated for correct values. For example, an HSTS max-age under 6 months or a CSP with unsafe-eval earns a WARNING rather than a full PASS. This approach catches common misconfigurations that a simple present/absent check would miss.
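The following is an added example of the kind of client-side parser and weighted grader described above; it is not the tool's own source code. The 20/20/15 weights for HSTS, CSP and X-Frame-Options come from the text; the remaining weights (chosen so the total is 100), the 6-month HSTS threshold expressed as 15552000 seconds, the "fewer than 3 features" Permissions-Policy rule, the half-credit for a WARNING and the A-F cut-offs are assumptions made for this example. The sample headers are constructed.

```javascript
// Added example: parse pasted `curl -I` output and grade it with a weighted scheme.
// Weights for HSTS (20), CSP (20) and X-Frame-Options (15) follow the page; the rest are assumed.
const SIX_MONTHS = 15552000; // 180 days in seconds (assumed threshold for the "6 months" rule)
const WEIGHTS = {
  'strict-transport-security': 20,
  'content-security-policy': 20,
  'x-frame-options': 15,
  'referrer-policy': 10,
  'permissions-policy': 10,
  'x-content-type-options': 10,
  'cross-origin-opener-policy': 5,
  'cross-origin-resource-policy': 5,
  'cross-origin-embedder-policy': 5,
};

// Turn raw header text into a map keyed by lowercase header name.
// The status line has no colon and is skipped; repeated headers are joined with ", ".
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || /^HTTP\//i.test(line)) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

const verdict = (status, note) => ({ status, note });

// Generic value check: exact match against a PASS list, a WARNING list, otherwise FAIL.
const allowlist = (pass, warn) => (v) => {
  const u = v.trim().toLowerCase();
  if (pass.includes(u)) return verdict('PASS', 'ok');
  if (warn.includes(u)) return verdict('WARNING', `${u} is weaker than ${pass[0]}`);
  return verdict('FAIL', `unrecognised value "${v}"`);
};

// Per-header validators: presence is checked by the caller, values are checked here.
const CHECKS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return verdict('FAIL', 'no max-age directive');
    if (Number(m[1]) < SIX_MONTHS) return verdict('WARNING', `max-age ${m[1]}s is under 6 months`);
    if (!/includeSubDomains/i.test(v)) return verdict('WARNING', 'missing includeSubDomains');
    return verdict('PASS', 'ok');
  },
  'content-security-policy': (v) => {
    const risky = ["'unsafe-inline'", "'unsafe-eval'"].filter((d) => v.includes(d));
    return risky.length ? verdict('WARNING', `policy allows ${risky.join(' and ')}`) : verdict('PASS', 'ok');
  },
  'x-frame-options': allowlist(['deny', 'sameorigin'], []),
  'referrer-policy': (v) => {
    // A comma-separated value is a fallback list; browsers honour the last recognised token.
    const tokens = v.toLowerCase().split(',').map((t) => t.trim()).filter(Boolean);
    const policy = tokens[tokens.length - 1] || '';
    const strict = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
    const weak = ['unsafe-url', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin'];
    if (strict.includes(policy)) return verdict('PASS', 'ok');
    if (weak.includes(policy)) return verdict('WARNING', `${policy} sends more referrer data than strict-origin-when-cross-origin`);
    return verdict('FAIL', `unrecognised value "${v}"`);
  },
  'permissions-policy': (v) => {
    const features = v.split(',').map((f) => f.trim()).filter(Boolean);
    return features.length < 3
      ? verdict('WARNING', `only ${features.length} feature(s) restricted`)
      : verdict('PASS', `${features.length} features restricted`);
  },
  'x-content-type-options': allowlist(['nosniff'], []),
  'cross-origin-opener-policy': allowlist(['same-origin'], ['same-origin-allow-popups']),
  'cross-origin-resource-policy': allowlist(['same-origin', 'same-site'], ['cross-origin']),
  'cross-origin-embedder-policy': allowlist(['require-corp', 'credentialless'], []),
};

// Assumed grade cut-offs for this example.
function gradeFor(score) {
  if (score >= 90) return 'A';
  if (score >= 75) return 'B';
  if (score >= 60) return 'C';
  if (score >= 45) return 'D';
  return 'F';
}

// PASS earns the full weight, WARNING half, FAIL (including a missing header) nothing.
function analyze(raw) {
  const headers = parseHeaders(raw);
  const results = {};
  let score = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    const r = name in headers ? CHECKS[name](headers[name]) : verdict('FAIL', 'header not present');
    const earned = r.status === 'PASS' ? weight : r.status === 'WARNING' ? weight / 2 : 0;
    results[name] = { ...r, weight, earned };
    score += earned;
  }
  return { score, grade: gradeFor(score), results };
}

// Constructed sample: 30-day HSTS, CSP with 'unsafe-inline', several headers missing.
const SAMPLE_HEADERS = [
  'HTTP/2 200',
  'server: nginx',
  'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=2592000',
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'x-frame-options: SAMEORIGIN',
  'referrer-policy: strict-origin-when-cross-origin',
  'x-content-type-options: nosniff',
].join('\n');

const report = analyze(SAMPLE_HEADERS);
console.log(`Score ${report.score}/100, grade ${report.grade}`);
for (const [name, r] of Object.entries(report.results)) {
  console.log(`${r.status.padEnd(7)} ${name} (${r.earned}/${r.weight}): ${r.note}`);
}
```

Running the sample gives 55/100 (grade D under the assumed cut-offs): HSTS and CSP each earn half credit for their WARNINGs, Permissions-Policy and the three Cross-Origin headers score zero because they are absent, and the `note` field carries the per-header feedback that a recommendations panel would display.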
By analyzing pasted headers instead of making live requests, this tool avoids CORS restrictions entirely and works with any site. You control the data source: use curl for production servers, DevTools for staging, or manual entry to plan a new configuration before deploying.