Copy headers from browser DevTools → Network tab → Response Headers, or from curl -I output
Ready to analyze
Paste headers and click Analyze// paste headers → detect misconfigs in one click
Paste HTTP response headers to instantly check for missing security headers, misconfigurations, and vulnerabilities. Free, browser-based, no upload needed.
Ready to analyze
Paste headers and click AnalyzeOpen browser DevTools → Network tab → click any request → Response Headers. Or run curl -I https://yoursite.com in terminal.
Paste the raw header block into the input field and click Analyze Headers.
Review Critical and Warning items. Each finding includes what the header does and how to fix it in Apache, Nginx, or your app server.
The HTTP Header Analyzer checks your server's response headers against security best practices. Missing or misconfigured headers are one of the most common and easiest-to-fix web vulnerabilities. This tool helps developers and sysadmins quickly identify gaps without sending data to any external server.
Open Chrome or Firefox DevTools (F12), go to the Network tab, reload your page, click the first request (usually the HTML document), then click the "Headers" sub-tab and scroll to "Response Headers". You can also run curl -I https://yoursite.com from a terminal to get them.
No. All analysis runs entirely in your browser using JavaScript. Your headers never leave your machine. The optional URL fetch uses a public CORS proxy, but the actual analysis of the retrieved headers still happens client-side only.
HSTS tells browsers to only connect to your site over HTTPS, even if the user types http://. Without it, users can be downgraded to HTTP by man-in-the-middle attacks. The recommended value is max-age=31536000; includeSubDomains; preload.
CSP is your primary defense against Cross-Site Scripting (XSS) attacks. It tells the browser which sources of scripts, styles, images, and other resources are trusted. A missing or overly permissive CSP (like default-src *) can allow attackers to inject malicious scripts into your pages.
Add header directives inside your server {} block in your Nginx config: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;. The always keyword ensures the header is sent even on error responses. Reload Nginx after editing.
Enable mod_headers with a2enmod headers, then add directives to your .htaccess or VirtualHost config: Header always set X-Content-Type-Options "nosniff". Restart Apache after changes.
It prevents your site from being embedded in an <iframe> on another domain, protecting against clickjacking attacks. Use DENY to block all framing, or SAMEORIGIN to allow framing only from your own domain. Modern CSP's frame-ancestors directive is the preferred replacement.
A score of 80+ is considered good for most sites. A score of 100 requires implementing all recommended headers including CSP, HSTS, Permissions-Policy, and the Cross-Origin headers (COEP, COOP, CORP). Security-sensitive sites like banking or healthcare should target 90+.
HTTP security headers are a set of response headers that web servers send to browsers to instruct them on how to behave when handling your site's content. Unlike application-level security measures such as input validation or SQL injection prevention, security headers work at the transport layer — they tell the browser itself what it's allowed to do.
These headers are one of the most overlooked aspects of web security. They're free to implement, don't require code changes to your application, and can prevent entire classes of attacks including Cross-Site Scripting (XSS), clickjacking, MIME sniffing, and protocol downgrade attacks.
💡 Looking for professional web development assets? MonsterONE offers unlimited downloads of templates, UI kits, and security-hardened themes — great for launching secure sites faster.
Strict-Transport-Security (HSTS) is arguably the most important security header for any site that uses HTTPS — which should be all of them. When a browser sees this header, it remembers to always use HTTPS for your domain for the specified duration (max-age), even if the user types http://. This prevents SSL stripping attacks where an attacker downgrades a connection to plain HTTP. The includeSubDomains directive extends this protection to all subdomains, and preload can get your domain included in browser-bundled HSTS lists.
Content-Security-Policy (CSP) is the most powerful — and most complex — security header. It defines a whitelist of approved content sources for your page: which scripts can run, which stylesheets can load, which images can be fetched, and so on. A well-configured CSP is your strongest defense against XSS attacks. However, a misconfigured one (using unsafe-inline or wildcard sources like *) can provide a false sense of security. Use our CSP Generator to build a proper policy.
X-Content-Type-Options: nosniff is a simple, one-value header that prevents browsers from MIME-sniffing responses away from the declared Content-Type. Without it, if an attacker uploads a JavaScript file disguised as an image, some browsers might execute it. With nosniff, the browser trusts the Content-Type header and won't execute files that don't match.
X-Frame-Options prevents your pages from being embedded in iframes on other domains. This defends against clickjacking attacks, where an attacker overlays your site in a transparent iframe on their malicious page and tricks users into clicking buttons they can't see. The modern replacement for this header is the CSP frame-ancestors directive, but X-Frame-Options still provides broad browser support as a fallback.
Referrer-Policy controls how much referrer information is included in requests. When a user clicks a link from your site, the destination server sees the full URL the user came from. This can leak sensitive URL parameters (like session tokens or user IDs). Setting Referrer-Policy: strict-origin-when-cross-origin or no-referrer limits this information leakage.
Permissions-Policy (formerly Feature-Policy) controls which browser features and APIs your page is allowed to use — things like the camera, microphone, geolocation, payment requests, and USB access. By explicitly declaring which features you need, you limit the damage an injected script could do even if it bypasses your CSP.
Not all header issues are about missing headers. Some common headers leak information that can help attackers. The Server header often reveals your web server software and version (e.g., Apache/2.4.51 (Ubuntu)). This gives attackers a precise target for known vulnerabilities. Removing or obfuscating this header is a simple hardening step. Similarly, the X-Powered-By header (common in PHP and Express.js apps) reveals your backend technology stack. Both should be removed or replaced with a generic value.
Three newer headers work together to provide cross-origin isolation, which is required to use powerful browser APIs like SharedArrayBuffer and high-resolution timers securely:
require-corp ensures that all resources loaded by your page explicitly opt in to being loaded cross-origin.same-origin isolates your browsing context, preventing other origins from accessing your window object.You can retrieve response headers directly from your terminal using curl:
curl -I https://yoursite.comFor a more verbose output that includes the full response, use:
curl -v https://yoursite.com 2>&1 | grep -E "^[<>]"Copy the output and paste it directly into this tool for instant analysis.
Most modern web frameworks have dedicated middleware or packages for security headers. In Node.js with Express, the helmet package sets sensible defaults for all major security headers with a single line. In Laravel (PHP), the Bepsvpt/secure-headers package provides similar functionality. Django has django-csp for Content Security Policy. Even if your framework doesn't have a dedicated package, you can set headers directly on your responses or at the reverse proxy layer (Nginx or Apache) for any application.
This tool assigns points based on the presence and quality of security headers. Critical headers like HSTS and CSP carry the most weight — missing them costs the most points. Warning-level headers like X-Frame-Options and Referrer-Policy carry moderate weight. Info-level headers and informational leakage issues (like the Server header) carry less weight but still contribute to your overall score. A score of 100 requires all recommended headers to be present and correctly configured with no information leakage.