{ Security Header Checker }

// validate browser security headers instantly

Validate HTTP security headers from pasted responses. Check CSP, HSTS, X-Frame-Options, and more — free, browser-based, no sign-up.


HOW TO USE

  1. Get your headers: use curl -I https://yoursite.com or open DevTools → Network → click any request → Response Headers.

  2. Paste & check: paste the raw header block into the input field and click Check Headers.

  3. Review & fix: each header shows a status, severity, and a specific recommendation to improve your security posture.

HEADERS CHECKED

  - Strict-Transport-Security
  - Content-Security-Policy
  - X-Frame-Options
  - X-Content-Type-Options
  - Referrer-Policy
  - Permissions-Policy
  - X-XSS-Protection
  - Cross-Origin-Opener-Policy
  - Cross-Origin-Resource-Policy
  - Cache-Control

WHAT IS THIS?

HTTP security headers are server directives that instruct browsers to enable built-in protections. Missing or misconfigured headers are a leading cause of XSS, clickjacking, MIME sniffing, and data leakage vulnerabilities.


FREQUENTLY ASKED QUESTIONS

Where do I find my HTTP response headers?

You can get them several ways: run curl -I https://yoursite.com in a terminal; open Chrome/Firefox DevTools → Network tab → click any request → scroll to "Response Headers"; or use a tool like Postman to inspect responses.

What is Content-Security-Policy and why does it matter?

CSP is a powerful header that tells the browser which sources of scripts, styles, images, and other resources are allowed. A well-configured CSP is the single most effective defense against Cross-Site Scripting (XSS) attacks.

Is my header data sent to your server?

No. All analysis happens entirely in your browser using JavaScript. Your headers are never transmitted to any server, making this tool safe for use with production or sensitive environments.

What does the security score mean?

The score (0–100) reflects how many critical and important security headers are present and correctly configured. A score above 80 is good; below 50 indicates serious gaps that should be addressed promptly.

What is HSTS and should I enable it?

HTTP Strict Transport Security (HSTS) forces browsers to always use HTTPS for your domain. Yes, you should enable it — but only after confirming your entire site is served over HTTPS, otherwise it can lock users out.

What is X-Frame-Options used for?

It prevents your page from being embedded in an iframe on another domain, protecting against clickjacking attacks. The recommended value is DENY or SAMEORIGIN. Modern browsers prefer the frame-ancestors CSP directive instead.

Can this tool check a live URL directly?

Not directly — you need to paste the raw headers. This is intentional: fetching live URLs from the browser is restricted by CORS. Use curl -I <url> to grab headers and paste them here.

What is Permissions-Policy?

Permissions-Policy (formerly Feature-Policy) controls which browser APIs and features — like camera, microphone, geolocation — your page and its iframes can access. Restricting unused features reduces your attack surface.

What Are HTTP Security Headers?

HTTP security headers are a set of response directives sent by a web server that instruct the browser on how to behave when handling your site's content. Unlike application-level security measures, these headers operate at the transport layer — enforced by the browser itself before any JavaScript runs. This makes them a critical, lightweight, and highly effective layer of defense.

When correctly configured, security headers can prevent or significantly mitigate a wide range of attacks including Cross-Site Scripting (XSS), clickjacking, MIME sniffing, cross-origin data leakage, and protocol downgrade attacks. Despite their importance, security headers are frequently misconfigured or entirely absent on production websites.


The Most Critical Security Headers Explained

Understanding what each header does is the first step to implementing them correctly. Here is a breakdown of the headers this tool validates:

Strict-Transport-Security (HSTS)

HSTS tells browsers to only communicate with your server over HTTPS, even if the user types http:// in the address bar. The max-age directive specifies how long (in seconds) the browser should remember this policy. Including includeSubDomains extends protection to all subdomains. A recommended value is max-age=31536000; includeSubDomains. Never enable HSTS until you are certain your entire site is HTTPS-ready.

Content-Security-Policy (CSP)

CSP is arguably the most powerful security header available. It defines a whitelist of trusted sources for every type of content your page can load — scripts, styles, images, fonts, frames, and more. A strict CSP stops XSS attacks cold by preventing injected scripts from executing. Building a good CSP requires careful thought about what your application actually needs, but even a simple default-src 'self' offers substantial protection.

X-Frame-Options

This header prevents your page from being embedded inside an <iframe> on another domain. Clickjacking attacks trick users into clicking hidden, overlaid elements — X-Frame-Options blocks the mechanism entirely. Use DENY to block all framing, or SAMEORIGIN to allow only same-origin frames. Note that the CSP frame-ancestors directive is the modern equivalent and should be preferred.

X-Content-Type-Options

Setting this header to nosniff prevents browsers from MIME-type sniffing — a behavior where the browser guesses a file's content type regardless of what the server declares. MIME sniffing can cause browsers to execute malicious files disguised as harmless content types. This is a simple, zero-configuration header that should be on every site.

Referrer-Policy

This header controls how much referrer information is sent with requests. Without it, the full URL (including paths and query strings) of your pages can be leaked to third-party sites. Recommended values include strict-origin-when-cross-origin or no-referrer, depending on your analytics requirements.

Permissions-Policy

Formerly known as Feature-Policy, this header lets you restrict which powerful browser APIs — camera, microphone, geolocation, USB, payment — are available to your page and embedded iframes. The principle of least privilege applies: disable anything you don't use.
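The checks described above (and the 0–100 score the FAQ mentions) can be implemented in the browser-side JavaScript this page says the tool runs. The block below is an added example, not the tool's own code: the per-header weights are assumptions, and the sample header block is constructed rather than captured from a real site.

```javascript
// Added example, not the tool's own code: parse a pasted header block and score it.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || /^HTTP\//i.test(line)) continue; // skip the status line and blanks
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value; // merge duplicates
  }
  return headers;
}

// Each check returns null on pass, otherwise a recommendation. Weights are assumed and sum to 100.
const CHECKS = [
  ['strict-transport-security', 25, v => {
    if (!v) return 'Missing. Add max-age=31536000; includeSubDomains once the whole site is HTTPS.';
    if (!(Number((/max-age=(\d+)/i.exec(v) || [])[1]) >= 31536000)) return 'Raise max-age to at least 31536000.';
    return /includeSubDomains/i.test(v) ? null : 'Add includeSubDomains to cover subdomains.';
  }],
  ['content-security-policy', 25, (v, h) => {
    if (!v) return h['content-security-policy-report-only']
      ? 'Only Report-Only is set; enforce the policy once violation reports are clean.'
      : "Missing. Start with default-src 'self' in Report-Only mode, then tighten.";
    const dir = n => (new RegExp(`(?:^|;)\\s*${n}\\s+([^;]*)`, 'i').exec(v) || [])[1];
    const scripts = dir('script-src') || dir('default-src') || ''; // script-src falls back to default-src
    return /'unsafe-inline'/i.test(scripts) ? "Script sources allow 'unsafe-inline'; use nonces or hashes." : null;
  }],
  ['x-content-type-options', 10, v => (v || '').toLowerCase() === 'nosniff' ? null : 'Set to nosniff.'],
  ['x-frame-options', 15, (v, h) => /frame-ancestors/i.test(h['content-security-policy'] || '') ||
    /^(DENY|SAMEORIGIN)$/i.test(v || '') ? null : 'Set DENY or SAMEORIGIN, or use CSP frame-ancestors.'],
  ['referrer-policy', 10, v => v ? null : 'Set strict-origin-when-cross-origin or no-referrer.'],
  ['permissions-policy', 15, v => v ? null : 'Disable unused features, e.g. camera=(), microphone=(), geolocation=().'],
];

function checkHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = CHECKS.map(([header, weight, fn]) => {
    const advice = fn(h[header], h);
    return { header, weight, ok: advice === null, advice };
  });
  return { score: findings.filter(f => f.ok).reduce((s, f) => s + f.weight, 0), findings };
}

// Constructed sample in the shape `curl -I` prints; not captured from a real site.
const SAMPLE = ['HTTP/2 200', 'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=31536000; includeSubDomains',
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'x-content-type-options: nosniff', 'referrer-policy: strict-origin-when-cross-origin'].join('\n');
```

Running checkHeaders(SAMPLE) scores the constructed response 45: HSTS, nosniff and Referrer-Policy pass, while the CSP is flagged for 'unsafe-inline' and X-Frame-Options and Permissions-Policy are missing.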

How to Get Your Security Score Above 80

Achieving a strong security header score requires addressing each of the critical headers. Start with the highest-severity gaps — typically HSTS and CSP — since these offer the greatest risk reduction. HSTS can be enabled with a single server configuration line. CSP requires more planning but can be built iteratively: start in report-only mode using Content-Security-Policy-Report-Only, watch the violation reports, then tighten the policy over time.

For Apache servers, security headers can be set in .htaccess using the Header always set directive. For Nginx, use the add_header directive in your server block. Node.js applications often use the Helmet middleware to manage these headers automatically.

Security Headers and SEO

While Google does not directly use security headers as a ranking factor, their presence correlates strongly with site trustworthiness and HTTPS adoption — both of which do influence rankings. More importantly, browsers like Chrome display security warnings for sites with missing HSTS or insecure mixed content, which increases bounce rates and indirectly harms SEO performance.

Common Mistakes to Avoid

Testing Your Headers After Deployment

After adding or updating security headers, use this tool to verify the response headers are correct. You can also run curl -I -L https://yoursite.com from a terminal to see exactly what headers are returned. For ongoing monitoring, consider setting up automated header checks as part of your CI/CD pipeline to prevent regressions when server configuration changes.