UseToolSuite

HTTP Header Analyzer

Analyze HTTP response headers for security best practices. Check Content-Security-Policy, HSTS, X-Frame-Options, and more — with scores and recommendations.


What is HTTP Header Analyzer?

HTTP Header Analyzer is a free tool that evaluates HTTP response headers for security best practices. Paste your server's response headers and instantly get a security score, detailed recommendations for missing or misconfigured security headers, and descriptions of every header present. It checks for Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.

When to use it?

Use this tool during security audits, before production deployments, or as part of regular security reviews. It is particularly useful for web developers configuring server responses, security engineers evaluating application hardening, and DevOps teams setting up CDN or reverse proxy configurations. It complements automated scanners by providing clear, actionable recommendations.

Common use cases

Security teams use this tool to audit web application headers before penetration tests, verify that Content-Security-Policy is correctly configured after changes, ensure HSTS is properly set up with sufficient max-age, check that clickjacking protections (X-Frame-Options) are in place, and document header configurations for compliance requirements. Developers use it to quickly identify which security headers are missing from their server responses.

Key Concepts

Essential terms and definitions related to HTTP Header Analyzer.

Content-Security-Policy (CSP)

An HTTP response header that controls which resources (scripts, styles, images, fonts, etc.) the browser is allowed to load for a page. CSP is the primary defense against Cross-Site Scripting (XSS) attacks by preventing execution of unauthorized scripts. A well-configured CSP significantly reduces the attack surface of a web application.

HSTS (HTTP Strict Transport Security)

A security header (Strict-Transport-Security) that tells browsers to always connect to the site using HTTPS, even if the user types http://. It prevents protocol downgrade attacks and cookie hijacking. The max-age directive specifies how long the browser should remember to enforce HTTPS.

X-Frame-Options

An HTTP header that controls whether a page can be embedded in an iframe. Values are DENY (never allow framing), SAMEORIGIN (allow only from the same origin), or ALLOW-FROM uri (allow from a specific origin). This header prevents clickjacking attacks where a malicious site embeds your page in a hidden frame to trick users into clicking.

Frequently Asked Questions

How do I get the HTTP headers to analyze?

You can get HTTP headers using browser DevTools (Network tab → click request → Headers), cURL (curl -I https://example.com), or any HTTP client. Copy the response headers and paste them into this tool for analysis.
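One detail worth knowing when capturing headers this way: `curl -I` sends a HEAD request, and some servers attach security headers only to the full GET response, so the pasted block can look worse (or better) than what browsers actually receive. The following added Python example, which is not UseToolSuite's code, starts a constructed local origin that behaves exactly like that and captures both responses in the paste-ready "Name: value" form; the server, its headers and the ephemeral port are all constructed for the demonstration.

```python
"""Capture response headers in paste-ready form and compare HEAD with GET.

Added illustration, not UseToolSuite's code. The local server and the
HEAD/GET difference are constructed for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed origin whose HEAD response omits the CSP that GET sends,
    a pattern seen when a framework only adds security headers on full
    page renders."""

    def _send(self, with_csp: bool) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Strict-Transport-Security",
                         "max-age=31536000; includeSubDomains")
        if with_csp:
            self.send_header("Content-Security-Policy", "default-src 'self'")
        self.end_headers()

    def do_HEAD(self):
        self._send(with_csp=False)

    def do_GET(self):
        self._send(with_csp=True)
        self.wfile.write(b"<html></html>")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server() -> tuple:
    """Bind the constructed origin to an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def capture_headers(port: int, method: str = "GET") -> str:
    """Return the response headers as 'Name: value' lines, the format the
    analyzer expects; the body is read and discarded."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, "/")
        resp = conn.getresponse()
        resp.read()
        return "\n".join(f"{name}: {value}" for name, value in resp.getheaders())
    finally:
        conn.close()


def compare_methods(port: int) -> set:
    """Lowercase names of headers present on GET but absent on HEAD."""
    def names(block: str) -> set:
        return {line.split(":", 1)[0].lower() for line in block.splitlines()}
    return names(capture_headers(port, "GET")) - names(capture_headers(port, "HEAD"))


if __name__ == "__main__":
    server, port = start_server()
    try:
        print(capture_headers(port, "GET"))
        print("Missing from the HEAD response:", compare_methods(port))
    finally:
        server.shutdown()
```

Against a real origin the GET-based equivalent of `curl -I` is `curl -sD - -o /dev/null https://example.com`, which performs a normal GET, writes only the headers to standard output and discards the body.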

What security headers should every website have?

At minimum: Content-Security-Policy (prevents XSS), Strict-Transport-Security (enforces HTTPS), X-Content-Type-Options: nosniff (prevents MIME sniffing), X-Frame-Options (prevents clickjacking), and Referrer-Policy (controls referrer information). The analyzer checks for all of these and provides specific recommendations.

What does a security score of 100% mean?

A score of 100% means all recommended security headers are present and properly configured. However, security is not binary — the headers are one layer of defense. A high score indicates good header hygiene, but comprehensive security also requires proper backend validation, authentication, and other measures.

Can this tool fetch headers from a live URL?

This tool analyzes headers you paste into it — it does not make HTTP requests to external URLs. This design ensures your analysis is completely private and works without CORS restrictions.

Troubleshooting & Technical Tips

Common errors developers encounter and how to resolve them.

Headers not parsed correctly

Ensure headers are in the standard HTTP format: "Header-Name: value" with one header per line. A leading HTTP status line (like "HTTP/1.1 200 OK") is optional; the parser handles input with or without it.

Low security score despite having security headers

The analyzer checks not just for header presence but also for proper configuration. For example, a Content-Security-Policy with "unsafe-inline" or "unsafe-eval" directives reduces the score because these weaken CSP protection. Check the specific recommendations for each header.

Unknown or custom headers not recognized

The analyzer focuses on standard security and common HTTP headers. Custom application headers (like X-App-Version) are displayed but not scored. This is expected behavior — only headers with security implications affect the score.
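To make the checks from Key Concepts, the minimum set listed in the FAQ and the parsing and scoring behaviour described in these troubleshooting tips concrete, here is one added Python example. It is not UseToolSuite's code: the per-header weights, the one-year HSTS threshold, the deduction sizes and the sample header block are all this example's own assumptions, not the tool's real scoring rules. It goes slightly beyond the page in one respect: a Content-Security-Policy with frame-ancestors satisfies the clickjacking check, since current browsers honour that directive over X-Frame-Options and no longer honour ALLOW-FROM.

```python
"""Toy security-header analyzer: an added illustration, not UseToolSuite's code.
Weights, the one-year HSTS threshold and the deduction sizes are this example's
own assumptions, not the tool's real scoring rules."""
from __future__ import annotations
import re

ONE_YEAR = 31_536_000  # seconds; common minimum recommendation for HSTS max-age
SCORED = {  # header name -> weight; the weights sum to 100
    "content-security-policy": 25, "strict-transport-security": 25,
    "x-content-type-options": 10, "x-frame-options": 15,
    "referrer-policy": 15, "permissions-policy": 10,
}
# Constructed sample, shaped like a paste from DevTools or curl.
SAMPLE_RAW = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
X-App-Version: 1.2.3
"""

def parse_headers(raw: str) -> dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lowercase name; a leading
    status line is skipped and repeated names are joined with ', ' (RFC 9110)."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not 'Name: value'; skip rather than abort the parse
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def check_csp(value: str | None) -> tuple[int, str]:
    if value is None:
        return 0, "missing; CSP is the primary defense against XSS"
    low, points, notes = value.lower(), SCORED["content-security-policy"], []
    if "default-src" not in low:
        points -= 10
        notes.append("no default-src fallback")
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in low:
            points -= 10
            notes.append(f"{keyword} weakens script restrictions")
    return max(points, 0), "; ".join(notes) or "ok"

def check_hsts(value: str | None) -> tuple[int, str]:
    if value is None:
        return 0, "missing; browsers will still follow http:// links"
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match or int(match.group(1)) == 0:
        return 0, "max-age missing or zero; the policy is ignored or dropped"
    if int(match.group(1)) < ONE_YEAR:
        return 10, f"max-age={match.group(1)} is below one year ({ONE_YEAR})"
    if "includesubdomains" not in value.lower():
        return 20, "add includeSubDomains so subdomains cannot be downgraded"
    return 25, "ok"

def check_xfo(value: str | None, csp: str | None) -> tuple[int, str]:
    # CSP frame-ancestors supersedes X-Frame-Options in current browsers.
    if csp and "frame-ancestors" in csp.lower():
        return 15, "clickjacking covered by CSP frame-ancestors"
    if value is None:
        return 0, "missing; the page can be framed by any origin"
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return 15, "ok"
    return 5, f"'{value}' is not honoured by current browsers; use frame-ancestors"

def check_simple(name: str, value: str | None) -> tuple[int, str]:
    if value is None:
        return 0, "missing"
    if name == "x-content-type-options" and value.strip().lower() != "nosniff":
        return 0, f"'{value}' has no effect; only 'nosniff' is defined"
    if name == "referrer-policy" and "unsafe-url" in value.lower():
        return 5, "unsafe-url sends full URLs to third parties"
    return SCORED[name], "ok"

def analyze(raw: str) -> dict:
    """Return the score (0-100), per-header findings and the unscored headers."""
    h = parse_headers(raw)
    csp = h.get("content-security-policy")
    findings = {
        "content-security-policy": check_csp(csp),
        "strict-transport-security": check_hsts(h.get("strict-transport-security")),
        "x-frame-options": check_xfo(h.get("x-frame-options"), csp),
    }
    for name in ("x-content-type-options", "referrer-policy", "permissions-policy"):
        findings[name] = check_simple(name, h.get(name))
    score = sum(points for points, _ in findings.values())
    unscored = sorted(k for k in h if k not in SCORED)  # displayed, not scored
    return {"score": score, "findings": findings, "unscored": unscored}

if __name__ == "__main__":
    result = analyze(SAMPLE_RAW)
    print(f"Score: {result['score']}%   unscored: {', '.join(result['unscored'])}")
    for name, (points, note) in result["findings"].items():
        print(f"  {name:<28}{points:>3}/{SCORED[name]:<3} {note}")
```

Run against the constructed sample, the analysis scores 40%: the CSP loses points for 'unsafe-inline', the HSTS max-age of one hour is far below the one-year recommendation, and X-Content-Type-Options, Referrer-Policy and Permissions-Policy are absent, while Content-Type and X-App-Version are listed as unscored, mirroring how the tool displays custom headers without letting them affect the score.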
