Security Headers Analyzer

Analyze HTTP security headers for missing HSTS, CSP, X-Frame-Options, Permissions-Policy, and Referrer-Policy

Enter HTTP response headers in "Header-Name: value" format, one per line

Analyzing HTTP Security Headers

HTTP security headers are the first line of defense against common web attacks — cross-site scripting (XSS), clickjacking, MIME-type confusion, and man-in-the-middle attacks. Properly configured headers instruct browsers to enforce security policies that prevent entire classes of vulnerabilities without requiring changes to application code. Missing headers leave your application exposed to attacks that modern browsers can otherwise block automatically.

The Security Headers Analyzer evaluates your HTTP response headers against industry best practices, checking for Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each missing or misconfigured header receives a severity rating and specific configuration recommendations. All analysis happens locally in your browser.

Essential Security Headers

These headers should be present on every production web application:

  • Strict-Transport-Security (HSTS): Forces browsers to use HTTPS for all future requests, preventing SSL stripping attacks. Recommended: max-age=31536000; includeSubDomains; preload
  • Content-Security-Policy (CSP): Controls which resources the browser is allowed to load, preventing XSS and data injection attacks.
  • X-Content-Type-Options: Prevents MIME-type sniffing. Always set to nosniff.
  • X-Frame-Options: Prevents clickjacking by controlling iframe embedding. Set to DENY or SAMEORIGIN.
  • Referrer-Policy: Controls how much referrer information is sent with requests. Recommended: strict-origin-when-cross-origin.
  • Permissions-Policy: Disables browser features your site does not use (camera, microphone, geolocation) to reduce attack surface.

Common Misconfigurations

The analyzer detects headers that are present but incorrectly configured:

  • Short HSTS max-age: Values under 6 months provide insufficient protection. Browsers forget the policy too quickly, allowing downgrade attacks between visits.
  • CSP with unsafe-inline: Allowing inline scripts defeats most of CSP's XSS protection. Use nonces or hashes instead.
  • Permissive CSP sources: Wildcards (*) or overly broad domains allow attackers to load malicious resources from any CDN or subdomain.
  • Missing HSTS includeSubDomains: Subdomains remain vulnerable to SSL stripping even when the main domain has HSTS.
  • Deprecated headers: X-XSS-Protection is deprecated in modern browsers and can actually introduce vulnerabilities in some edge cases.

Security Scoring and Prioritization

The analyzer assigns a security score based on header presence and configuration quality, helping teams prioritize which headers to implement first:

  • Critical (immediate fix): Missing HSTS on sites handling authentication or payments
  • High (fix this sprint): Missing CSP, missing X-Content-Type-Options
  • Medium (plan for next quarter): Missing Permissions-Policy, weak Referrer-Policy
  • Low (nice to have): Missing optional headers like Cross-Origin-Embedder-Policy

Implementing headers incrementally is recommended — start with X-Content-Type-Options (risk-free), add HSTS with a short max-age (reversible), then build CSP in report-only mode before enforcing. This approach prevents breaking your application while progressively hardening security. Each header addition should be tested in staging before production deployment to confirm no legitimate functionality is blocked by the new policy. The analyzer re-evaluates your score after each header is added, showing measurable security improvement over time.

Code Examples

Recommended Security Headers Configuration (Nginx)

# Nginx server block — security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Remove server version disclosure
server_tokens off;

Frequently Asked Questions

What security headers does this tool check?

The Security Headers Analyzer evaluates six key HTTP security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It detects missing headers, weak configurations, and deprecated directives.

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues deduct 25 points, High issues (like missing HSTS or CSP) deduct 15, Medium issues (like missing X-Frame-Options or short HSTS max-age) deduct 8, and Low issues (like missing Permissions-Policy) deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

What format should the input be?

Enter HTTP response headers in the standard "Header-Name: value" format, one header per line. You can paste the full response headers from browser DevTools (Network tab → Response Headers) or just the security-relevant headers. HTTP status lines (e.g., "HTTP/1.1 200 OK") are automatically skipped.

Is my data sent to a server?

No. All analysis happens entirely in your browser using JavaScript. Your HTTP headers — which may contain internal infrastructure details — are never transmitted to any server. No data is stored, logged, or shared.

Why is Strict-Transport-Security (HSTS) important?

HSTS tells browsers to always connect via HTTPS, preventing protocol downgrade attacks and cookie hijacking. Without HSTS, an attacker on the same network could intercept the initial HTTP request and redirect users to a malicious site. A max-age of at least 1 year (31536000) with includeSubDomains is recommended.

Why is missing Content-Security-Policy flagged as high severity?

CSP is the most effective defense against Cross-Site Scripting (XSS) attacks. Without it, an attacker who can inject HTML into your page can execute arbitrary JavaScript. Even a basic CSP like "default-src 'self'" significantly reduces the attack surface.

What is the difference between this tool and the CSP Inspector?

The Security Headers Analyzer checks all HTTP security headers at a high level — whether they are present and properly configured. The CSP Inspector performs deep analysis of CSP directive content (individual sources, missing directives, hardened version). Use this tool for a broad security posture overview, and the CSP Inspector for detailed CSP analysis.

Why is X-Frame-Options still relevant if I have CSP frame-ancestors?

CSP frame-ancestors supersedes X-Frame-Options in modern browsers, but older browsers may not support CSP. Setting both provides defense in depth. Use X-Frame-Options: DENY or SAMEORIGIN alongside CSP frame-ancestors for maximum compatibility.

What is a good Referrer-Policy value?

strict-origin-when-cross-origin is the recommended default — it sends only the origin (not full path/query) for cross-origin requests while preserving full referrer for same-origin navigation. Avoid unsafe-url which leaks the full URL to all origins, and no-referrer-when-downgrade which sends the full URL to HTTPS origins.