Security Headers Analyzer

Analyze HTTP security headers for missing HSTS, CSP, X-Frame-Options, Permissions-Policy, and Referrer-Policy

What is the Security Headers Analyzer?

The Security Headers Analyzer is a client-side tool that evaluates HTTP response headers for security weaknesses and missing protections. It checks for the presence and proper configuration of critical security headers including HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

How to Use

  1. Copy your HTTP response headers from browser DevTools (Network tab → Response Headers)
  2. Paste them into the input field
  3. Click "Analyze" or wait for automatic processing
  4. Review findings with severity ratings (Critical, High, Medium, Low)
  5. Follow the recommendations to improve your security posture

Example: Minimal Headers (Weak Security)

A server that sends only basic headers and no security protections. Note that Server and X-Powered-By also disclose the software stack and version, which is information an attacker can use to look up known weaknesses:

Content-Type: text/html; charset=utf-8
Server: nginx/1.21.0
X-Powered-By: Express

Example: Well-Configured Security Headers

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()

Headers Evaluated

  • Strict-Transport-Security (HSTS) — Tells browsers to reach the host only over HTTPS for the stated max-age, defeating SSL-stripping protocol downgrade attacks
  • Content-Security-Policy (CSP) — Controls resource loading, prevents XSS and injection attacks
  • X-Frame-Options — Prevents clickjacking by controlling iframe embedding
  • X-Content-Type-Options — Prevents MIME-sniffing attacks
  • Referrer-Policy — Controls referrer information sent with requests
  • Permissions-Policy — Restricts browser feature access (camera, mic, geolocation)

Security Scoring

Each header set receives a score from 0 to 100. Analysis starts at 100 and each finding deducts its severity weight: Critical (25 points), High (15 points), Medium (8 points), Low (3 points); the score never goes below 0. The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

Privacy and Security

All analysis happens entirely in your browser using JavaScript. Your HTTP headers — which may reveal internal infrastructure details — are never transmitted to any server. No data is stored, logged, or shared.

Frequently Asked Questions

What security headers does this tool check?

The Security Headers Analyzer evaluates six key HTTP security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It detects missing headers, weak configurations, and deprecated directives.

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues deduct 25 points, High issues (like missing HSTS or CSP) deduct 15, Medium issues (like missing X-Frame-Options or short HSTS max-age) deduct 8, and Low issues (like missing Permissions-Policy) deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
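To make the scoring concrete, here is an added JavaScript example (not the tool's own source) that implements the parsing and scoring described in the Security Scoring section and in this answer. The weights and grade thresholds are the page's; the severities for checks the page does not rate (missing X-Content-Type-Options, missing or leaky Referrer-Policy, missing includeSubDomains, 'unsafe-inline' for scripts, X-Frame-Options missing when CSP frame-ancestors is present) are this example's own assumptions and are marked as such in the code. The sample inputs are constructed to mirror the page's two examples plus a partially hardened server.

```javascript
// Added example, not the tool's own source: parses pasted headers, applies the
// checks the page lists, and scores them with the page's weights and grades.
// Severities the page does not state are marked "assumption" below.
const WEIGHTS = { Critical: 25, High: 15, Medium: 8, Low: 3 };
const ONE_YEAR = 31536000;

// Parse "Header-Name: value" lines into a lower-cased name -> value map.
// Status lines such as "HTTP/1.1 200 OK" and blank lines are skipped.
function parseHeaders(text) {
  const headers = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || /^HTTP\/\d/i.test(line)) continue;
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // not a header line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value; // repeated fields
  }
  return headers;
}

// Split a CSP value into { directive: [sources...] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return out;
}

function analyzeHeaders(text) {
  const h = parseHeaders(text);
  const findings = [];
  const add = (severity, header, message) => findings.push({ severity, header, message });

  // HSTS: missing = High; max-age under one year = Medium (both per the page).
  const hsts = h['strict-transport-security'];
  if (hsts === undefined) {
    add('High', 'Strict-Transport-Security', 'missing; initial request can be downgraded to HTTP');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) add('Medium', 'Strict-Transport-Security', `max-age=${maxAge} is under one year`);
    if (!/includeSubDomains/i.test(hsts)) add('Low', 'Strict-Transport-Security', 'includeSubDomains not set'); // assumption
  }

  // CSP: missing = High (per the page). 'unsafe-inline' in the effective
  // script-src removes the XSS benefit; flagged Medium here (assumption).
  const csp = h['content-security-policy'];
  let hasFrameAncestors = false;
  if (csp === undefined) {
    add('High', 'Content-Security-Policy', 'missing; injected HTML can run arbitrary script');
  } else {
    const d = parseCsp(csp);
    hasFrameAncestors = 'frame-ancestors' in d;
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) add('Medium', 'Content-Security-Policy', "'unsafe-inline' allowed for scripts");
  }

  // X-Frame-Options: missing = Medium (per the page); only Low when CSP
  // frame-ancestors already covers modern browsers (assumption).
  const xfo = h['x-frame-options'];
  if (xfo === undefined) {
    add(hasFrameAncestors ? 'Low' : 'Medium', 'X-Frame-Options', 'missing; page may be framed (clickjacking)');
  } else if (!/^(DENY|SAMEORIGIN)$/i.test(xfo)) {
    add('Medium', 'X-Frame-Options', `unsupported value "${xfo}"; ALLOW-FROM is deprecated`); // assumption
  }

  // X-Content-Type-Options: anything other than nosniff = Low (assumption).
  if (!/^nosniff$/i.test(h['x-content-type-options'] || '')) {
    add('Low', 'X-Content-Type-Options', 'nosniff not set; MIME sniffing possible');
  }

  // Referrer-Policy: missing = Low; the leaky values the page warns about = Medium (assumptions).
  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (!rp) add('Low', 'Referrer-Policy', 'missing; browser default applies');
  else if (rp === 'unsafe-url' || rp === 'no-referrer-when-downgrade') add('Medium', 'Referrer-Policy', `${rp} leaks full URLs cross-origin`);

  // Permissions-Policy: missing = Low (per the page).
  if (h['permissions-policy'] === undefined) add('Low', 'Permissions-Policy', 'missing; no browser features restricted');

  const score = Math.max(0, 100 - findings.reduce((s, f) => s + WEIGHTS[f.severity], 0));
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade, findings };
}

// Constructed inputs: the page's two examples plus a partially hardened server.
const WEAK = 'HTTP/1.1 200 OK\nContent-Type: text/html; charset=utf-8\nServer: nginx/1.21.0\nX-Powered-By: Express';
const STRONG = [
  'Strict-Transport-Security: max-age=63072000; includeSubDomains; preload',
  "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'",
  'X-Frame-Options: DENY', 'X-Content-Type-Options: nosniff',
  'Referrer-Policy: strict-origin-when-cross-origin', 'Permissions-Policy: camera=(), microphone=(), geolocation=()',
].join('\n');
const PARTIAL = [
  'Strict-Transport-Security: max-age=300',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
  'X-Content-Type-Options: nosniff', 'Referrer-Policy: no-referrer-when-downgrade', 'Permissions-Policy: camera=()',
].join('\n');

for (const [label, text] of [['weak', WEAK], ['strong', STRONG], ['partial', PARTIAL]]) {
  const r = analyzeHeaders(text);
  console.log(`${label}: ${r.score} (${r.grade})`, r.findings.map((f) => `${f.severity} ${f.header}`));
}
```

Run with `node`: the weak set loses 47 points (two High, one Medium, three Low) and lands at 53 (D); the strong set has no findings and scores 100 (A); the partial set scores 70 (C). Header names are matched case-insensitively and repeated fields are joined with commas, which is how a browser treats them too.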

What format should the input be?

Enter HTTP response headers in the standard "Header-Name: value" format, one header per line. You can paste the full response headers from browser DevTools (Network tab → Response Headers) or just the security-relevant headers. HTTP status lines (e.g., "HTTP/1.1 200 OK") are automatically skipped.

Is my data sent to a server?

No. All analysis happens entirely in your browser using JavaScript. Your HTTP headers — which may contain internal infrastructure details — are never transmitted to any server. No data is stored, logged, or shared.

Why is Strict-Transport-Security (HSTS) important?

HSTS tells browsers to always connect to the site via HTTPS, preventing protocol downgrade (SSL-stripping) attacks and the cookie hijacking they enable. Without HSTS, an attacker on the same network can intercept a plain-HTTP request and redirect the user to a malicious site. HSTS only takes effect after the browser has seen the header once over HTTPS, so the very first visit remains unprotected unless the domain is on the browser preload list, which requires a max-age of at least one year, includeSubDomains, and the preload directive. A max-age of at least one year (31536000 seconds) with includeSubDomains is recommended.

Why is missing Content-Security-Policy flagged as high severity?

CSP is one of the most effective browser-side defenses against Cross-Site Scripting (XSS) and an important layer of defense in depth alongside output encoding. Without it, an attacker who can inject HTML into your page can execute arbitrary JavaScript. Even a basic CSP like "default-src 'self'" significantly reduces the attack surface because it blocks inline scripts and scripts loaded from other origins; a policy that allows 'unsafe-inline' for scripts gives most of that protection back.

What is the difference between this tool and the CSP Inspector?

The Security Headers Analyzer checks all HTTP security headers at a high level — whether they are present and properly configured. The CSP Inspector performs deep analysis of CSP directive content (individual sources, missing directives, hardened version). Use this tool for a broad security posture overview, and the CSP Inspector for detailed CSP analysis.

Why is X-Frame-Options still relevant if I have CSP frame-ancestors?

CSP frame-ancestors takes precedence over X-Frame-Options in browsers that support it (when both are present, the CSP directive wins), but older browsers without CSP Level 2 support ignore frame-ancestors. Setting both provides defense in depth. Use X-Frame-Options: DENY or SAMEORIGIN alongside CSP frame-ancestors for maximum compatibility, and avoid ALLOW-FROM, which is deprecated and no longer supported by current browsers.

What is a good Referrer-Policy value?

strict-origin-when-cross-origin is the recommended default, and what modern browsers apply when no policy is set: it sends the full referrer for same-origin requests, only the origin (no path or query) for cross-origin requests, and nothing when the request downgrades from HTTPS to HTTP. Avoid unsafe-url, which leaks the full URL to all origins, and no-referrer-when-downgrade, which sends the full URL to any HTTPS origin.