Security Headers Analyzer
Response headers are the cheapest security you can ship: a few lines that blunt whole classes of attack. Enter a URL and get a graded report of what your site sets and what it's missing, with the exact header to paste for each gap.
Enter a public URL. The request runs server-side and only reads response headers; nothing is stored.
The check runs server-side and reads response headers only; it doesn't store anything or test your site for vulnerabilities. A clean grade here means the headers are in place, not that the app is secure. It's the front door, not the whole building.
A few headers, whole attack classes closed
A Content-Security-Policy turns a successful XSS into a no-op because the injected script has nowhere it's allowed to run. HSTS removes the window where a network attacker can downgrade a visitor to plain HTTP. A single nosniff stops the browser second-guessing your content types. None of these need an app rewrite.
The catch is that a strict CSP can break a real app if you bolt it on blindly, so the score here is the starting line. The work is shipping a policy that's tight enough to matter and loose enough that your site still loads.
Questions & answers
- Which headers does the Security Headers Analyzer grade?
- It scores eight checks out of 100: Content-Security-Policy, Strict-Transport-Security, clickjacking protection via X-Frame-Options or CSP frame-ancestors, X-Content-Type-Options set to nosniff, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, and whether the server discloses version numbers. The weighted total maps to a letter grade from A to F.
- Does my browser contact the site I am checking?
- No. Your browser sends the URL to a server route, and that route fetches the target and returns the status and headers for scoring in your browser. The site you analyze never sees your IP or browser.
- How does it prevent the fetch from being abused?
- The server fetch only allows http and https on standard ports, blocks private, loopback, link-local and cloud-metadata IP ranges, revalidates every redirect hop, caps the response size, and times out. It also sends an honest user-agent so hosts can recognize it.
- Is the URL I check stored or logged?
- No. The server route has no database or logging, so the URL and results exist only in your browser session and are gone when you leave.
- Why does HSTS fail on my site?
- HSTS only passes when the site is served over HTTPS, because the header is not trusted on a plain HTTP response. If you added HSTS to an http site, that is why it does not register.
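The eight checks and the HTTPS-only rule for HSTS described in the answers above, as an added example that is not the analyzer's own code: a small scorer over a constructed header set. The weights and letter bands are assumptions, since the page says only that eight checks total 100 and map to A through F.

```python
import re

# Assumed split of the page's "eight checks out of 100"; the real weights are not published.
WEIGHTS = {"csp": 25, "hsts": 20, "clickjacking": 15, "nosniff": 10,
           "referrer": 10, "permissions": 5, "coop": 5, "no-version": 10}


def check_headers(url: str, headers: dict) -> dict:
    """Pass/fail for each of the eight checks; header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "").lower()
    https = url.lower().startswith("https://")
    return {
        "csp": bool(csp),
        # Browsers ignore HSTS on a plain-HTTP response, so it only passes over HTTPS.
        "hsts": https and "max-age=" in h.get("strict-transport-security", "").lower(),
        # Either the legacy header or the CSP directive counts as clickjacking protection.
        "clickjacking": "x-frame-options" in h or "frame-ancestors" in csp,
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer": "referrer-policy" in h,
        "permissions": "permissions-policy" in h,
        "coop": "cross-origin-opener-policy" in h,
        # Fails when Server or X-Powered-By carries a version number such as nginx/1.18.0.
        "no-version": not any(re.search(r"\d+\.\d+", h.get(n, ""))
                              for n in ("server", "x-powered-by")),
    }


def score(results: dict) -> int:
    """Weighted total out of 100 for the checks that passed."""
    return sum(WEIGHTS[k] for k, ok in results.items() if ok)


def grade(points: int) -> str:
    """Assumed letter bands; the page maps the total to A..F but gives no cut-offs."""
    for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if points >= floor:
            return letter
    return "F"


# Constructed sample response: solid CSP, HSTS and nosniff, but a leaking Server banner.
SAMPLE_URL = "https://example.test/"
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "nginx/1.18.0",
}
```

Running the same headers through with an `http://` URL drops the HSTS points, which is the situation the last answer describes.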
Want the rest of the surface looked at?
Headers are the start. I'll review auth, a CSP that won't break your app, dependency and infra hardening, and the things a header scan can't see. Book a call, or leave your email.