DevToolKit

HTTP Headers Analyzer

Analyze HTTP response headers for any URL. Security scoring, CSP policy visualization, missing header recommendations, and HSTS preload status check.

Security-Focused Analysis

Enter any URL to analyze its HTTP response headers. The tool fetches headers through a secure proxy and scores security configuration across 8 critical headers including HSTS, CSP, X-Frame-Options, and COOP. Content-Security-Policy directives are parsed into a visual breakdown.


How to Use

Analyze HTTP security headers for any website in three steps:

  1. Enter a URL — Type or paste any website URL into the input field. Quick-try buttons are provided for popular sites. The tool accepts both http:// and https:// URLs. If you omit the protocol, https:// is added automatically.
  2. Review the security grade — The tool assigns a grade from A+ to F based on the presence and configuration of critical security headers. Each header is checked individually with pass/fail indicators and descriptions of what it protects against.
  3. Explore header details — All response headers are displayed in a searchable table. If a Content-Security-Policy (CSP) header is present, it's parsed into a readable table showing which domains are allowed for scripts, styles, images, and other resource types. Missing headers are listed with recommendations.

The analysis is performed by a Cloudflare Worker that sends a HEAD request to the target URL. Only publicly accessible HTTP headers are examined — no content is downloaded or stored.

About This Tool

Security Headers Explained

HTTP security headers are response headers that instruct browsers to enable or restrict specific behaviors, forming a defense-in-depth layer against common web attacks. Strict-Transport-Security (HSTS) forces HTTPS connections and prevents SSL stripping attacks. Content-Security-Policy (CSP) restricts which domains can serve scripts, styles, and other resources, mitigating cross-site scripting (XSS). X-Content-Type-Options prevents MIME type sniffing attacks. X-Frame-Options blocks clickjacking by preventing the page from being embedded in iframes.

Referrer-Policy controls how much URL information is sent to other sites when a user navigates away. Permissions-Policy (formerly Feature-Policy) restricts browser APIs like camera, microphone, and geolocation. Cross-Origin-Opener-Policy (COOP) isolates the browsing context from cross-origin popups to prevent Spectre-class attacks. Each missing header represents a potential attack vector.

Content-Security-Policy Parsing

CSP is the most complex security header, often spanning hundreds of characters. The tool parses it into individual directives (script-src, style-src, img-src, etc.) and displays each with its allowed sources. Unsafe keywords like 'unsafe-inline' and 'unsafe-eval' are flagged as security risks. The default-src directive serves as a fallback for any directive not explicitly set.
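As an added example (not the DevToolKit tool's own parser), the following JavaScript splits a policy into directives, applies the default-src fallback to fetch directives that are not set, and flags 'unsafe-inline' and 'unsafe-eval'; the directive list and the sample policy are constructed for the demonstration.

```javascript
// Added example, not the analyzer's own parser. Fetch directives that fall back
// to default-src when absent (a representative subset, assumed for the demo).
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'frame-src'];
const UNSAFE_KEYWORDS = ["'unsafe-inline'", "'unsafe-eval'"];

// Split "name src src; name src" into { name: [sources] }. Names are
// case-insensitive; a repeated directive is ignored (the first one wins).
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Sources that actually apply to a directive: its own list, else default-src,
// else null (no restriction at all).
function effectiveSources(directives, name) {
  if (name in directives) return { sources: directives[name], inherited: false };
  if ('default-src' in directives) return { sources: directives['default-src'], inherited: true };
  return { sources: null, inherited: false };
}

// Build the per-directive table and a list of findings (unsafe keywords,
// directives left completely unrestricted).
function analyzeCsp(header) {
  const directives = parseCsp(header);
  const rows = [];
  const findings = [];
  for (const name of FETCH_DIRECTIVES) {
    const { sources, inherited } = effectiveSources(directives, name);
    rows.push({ directive: name, sources, inherited });
    if (sources === null) { findings.push(`${name}: unrestricted (no default-src)`); continue; }
    for (const kw of UNSAFE_KEYWORDS) {
      if (sources.some((s) => s.toLowerCase() === kw)) {
        findings.push(`${name}: ${kw}${inherited ? ' (via default-src)' : ''}`);
      }
    }
  }
  return { directives, rows, findings };
}

// Constructed sample policy for the demonstration.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'; img-src * data:";
const SAMPLE_RESULT = analyzeCsp(SAMPLE_CSP);
```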

How the Proxy Works

Browsers enforce CORS (Cross-Origin Resource Sharing) restrictions that prevent JavaScript from reading response headers from other domains. To work around this, the tool sends the URL to a Cloudflare Worker that performs a HEAD request on your behalf. The Worker follows the server's redirect chain to its final destination, reads the response headers, and returns them as JSON. Private/internal IP addresses (127.0.0.1, 10.x, 192.168.x) are blocked to prevent Server-Side Request Forgery (SSRF). Requests time out after 10 seconds.

Scoring Methodology

The security grade is calculated by checking for 8 critical headers and their configurations. Full points are awarded for each present header, with bonus points for strong configurations: HSTS with max-age over 31536000 (1 year) and includeSubDomains, CSP without unsafe-inline or unsafe-eval, and strict Referrer-Policy values. The methodology is inspired by SecurityHeaders.com and Mozilla Observatory. Related developer tools include JSON Formatter and DNS Lookup.
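As an added example (not the tool's implementation), here is a scorer in JavaScript that applies the checks described above to a set of response headers; the per-header points, bonus size and grade cut-offs are assumptions, and the sample headers are constructed.

```javascript
// Added example, not the analyzer's own scorer. Point values and grade cut-offs
// are assumptions; the checks themselves follow the methodology above.
const CHECKED_HEADERS = [
  'strict-transport-security', 'content-security-policy', 'x-content-type-options', 'x-frame-options',
  'referrer-policy', 'permissions-policy', 'x-xss-protection', 'cross-origin-opener-policy',
];
const STRICT_REFERRER = new Set(['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']);
const ONE_YEAR = 31536000, BASE_POINTS = 10, BONUS_POINTS = 5; // per present header / per strong config (assumed)

// HSTS bonus: max-age of at least one year plus includeSubDomains.
function hstsIsStrong(value) {
  const lower = value.toLowerCase();
  const m = /max-age\s*=\s*"?(\d+)"?/.exec(lower);
  const hasSub = lower.split(';').some((d) => d.trim() === 'includesubdomains');
  return m !== null && Number(m[1]) >= ONE_YEAR && hasSub;
}
// CSP bonus: no 'unsafe-inline' or 'unsafe-eval' anywhere in the policy.
function cspIsStrong(value) {
  return !/'unsafe-(inline|eval)'/i.test(value);
}

// headers: { name: value } as returned by the proxy; names are matched case-insensitively.
function scoreHeaders(headers) {
  const present = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const checks = []; let score = 0;
  for (const name of CHECKED_HEADERS) {
    const value = present[name];
    let points = 0, status = 'missing';
    if (value !== undefined) {
      points = BASE_POINTS; status = 'present';
      const strong =
        (name === 'strict-transport-security' && hstsIsStrong(value)) ||
        (name === 'content-security-policy' && cspIsStrong(value)) ||
        (name === 'referrer-policy' && STRICT_REFERRER.has(value.trim().toLowerCase()));
      if (strong) { points += BONUS_POINTS; status = 'strong'; }
    }
    score += points;
    checks.push({ header: name, status, points });
  }
  const max = CHECKED_HEADERS.length * BASE_POINTS + 3 * BONUS_POINTS; // three bonuses available
  const pct = score / max;
  const grade = pct >= 0.95 ? 'A+' : pct >= 0.85 ? 'A' : pct >= 0.7 ? 'B' : pct >= 0.55 ? 'C' : pct >= 0.4 ? 'D' : 'F';
  return { score, max, grade, checks };
}
const SAMPLE_HEADERS = { // constructed sample response headers
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'DENY', 'Referrer-Policy': 'strict-origin-when-cross-origin',
};
```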

Why Use This Tool

Security Audit Your Website

Security headers are one of the easiest and most impactful security improvements for any website. Adding headers like HSTS, CSP, and X-Content-Type-Options takes minutes to configure but blocks entire classes of attacks. This tool provides an instant audit with actionable recommendations — no account signup or installation required.

Common Use Cases

  • Pre-deployment check: Before launching a website or web application, verify that all security headers are configured correctly. Missing headers are easy to overlook during development.
  • Competitor analysis: Compare your security posture against competitors or industry leaders. Enter their URLs to see what headers they implement and learn from their configurations.
  • CSP debugging: Content-Security-Policy headers are notoriously difficult to write correctly. The CSP visualization helps you understand what your current policy allows and identify overly permissive rules.
  • Compliance verification: Many security frameworks (PCI DSS, SOC 2, OWASP Top 10) recommend or require specific security headers. Use this tool to verify compliance.
  • Client reporting: Generate a quick security header assessment for client websites. The grade system provides a clear, understandable summary for non-technical stakeholders.

No Installation Required

Command-line tools like curl -I show raw headers but don't analyze them. Browser DevTools show headers but require navigating to the site first. This tool provides both the raw data and the security analysis in one view, accessible from any device with a browser. Related tools include DNS Lookup, JSON Formatter, URL Parser, and User Agent Parser.

FAQ

How does the security scoring work?
The tool checks for 8 critical security headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cross-Origin-Opener-Policy. Each present header adds points, with bonus points for strong configurations like HSTS max-age over 1 year.
What is Content-Security-Policy (CSP)?
CSP is a security header that tells browsers which sources of content are allowed to load. It prevents cross-site scripting (XSS) attacks by restricting where scripts, styles, images, and other resources can come from. The tool parses CSP directives into a readable table showing allowed sources per content type.
Are the target website's headers cached?
No. Each analysis performs a fresh HEAD request through our Cloudflare Worker proxy. Headers are fetched in real-time and not stored. The proxy follows up to 20 redirects to analyze the final destination.
Why can't I analyze localhost or internal URLs?
For security, the proxy blocks requests to private IP ranges (127.0.0.1, 10.x, 172.16.x, 192.168.x) and localhost. This prevents Server-Side Request Forgery (SSRF) attacks.
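The private-address check described in "How the Proxy Works" and in this answer, as an added example in JavaScript that is not the DevToolKit Worker's own code. It goes slightly beyond the ranges the page lists: 172.16.0.0/12 is the full RFC 1918 block, and link-local, 0.0.0.0/8 and IPv6 loopback are covered as well.

```javascript
// Added example, not the DevToolKit Worker's own code: reject target URLs that
// point at loopback, private or link-local addresses before the proxy fetches them.
const BLOCKED_V4 = [
  ['127.0.0.0', 8],    // loopback
  ['10.0.0.0', 8],     // RFC 1918
  ['172.16.0.0', 12],  // RFC 1918 (172.16.x through 172.31.x)
  ['192.168.0.0', 16], // RFC 1918
  ['169.254.0.0', 16], // link-local (also cloud instance metadata)
  ['0.0.0.0', 8],      // "this network", delivered to the local host
];

// Dotted-quad to unsigned 32-bit integer, or null if not a literal IPv4 address.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}
function inCidr(ipInt, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedHost(hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1' || host === '::') return true; // IPv6 loopback / unspecified
  const ip = ipv4ToInt(host);
  // Not a literal address, so a DNS name: the Worker must resolve it and run this
  // same check on every resolved address, otherwise a name pointing at 10.x gets through.
  if (ip === null) return false;
  return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// Normalise user input the way the tool does (https:// added when no scheme is
// given) and decide whether the proxy may fetch it. The WHATWG URL parser
// canonicalises IPv4 shorthand forms to dotted-quad before the check runs.
function checkTargetUrl(input) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input) ? input : `https://${input}`;
  let url;
  try { url = new URL(withScheme); } catch { return { ok: false, reason: 'invalid URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'unsupported scheme' };
  if (isBlockedHost(url.hostname)) return { ok: false, reason: 'private or loopback address' };
  return { ok: true, url: url.href };
}
```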