Security Headers Analyser
Paste your HTTP headers and get an instant security assessment. Checks for HSTS, CSP, X-Frame-Options, and other critical security headers against OWASP and PCI-DSS requirements.
Enter HTTP security headers (one per line). Format: Header-Name: value. Max 32 KB.
What this tool checks
- HSTS (Strict-Transport-Security)
- CSP (Content-Security-Policy)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
Export
Download results as PDF, CSV, or JSON.
Understanding Security Headers
Why do security headers matter?
Security headers are a browser-enforced layer of defence against common web attacks. They tell the browser how to treat your site's responses: which scripts and resources may load, whether your page may be rendered inside another site's frame, whether to upgrade connections to HTTPS, and whether to trust the declared Content-Type instead of sniffing the body. They are mitigations rather than a fix: a client that ignores the header (an old browser, a non-browser HTTP client) gets none of the protection, so an XSS or clickjacking bug still needs to be fixed in the application.
Content Security Policy
CSP is the most powerful of these headers. It declares which origins the page may load scripts, styles, images and other resources from, and whether inline scripts may run at all. A policy whose script-src allows only 'self' plus a per-response nonce or a hash of each legitimate script stops most reflected and stored XSS, because injected script carries no valid nonce and is simply not executed. The header's value depends entirely on those sources: a script-src that includes 'unsafe-inline', a wildcard, or a broad host such as a public CDN (which may serve JSONP endpoints or libraries that evaluate attacker-controlled strings) gives little real protection even though the header is present. Prefer the frame-ancestors directive over X-Frame-Options for framing control; modern browsers honour frame-ancestors and ignore X-Frame-Options when both are set.
HSTS and HTTPS
HSTS tells browsers to use HTTPS for every connection to your host for max-age seconds. Once the browser has seen the header over HTTPS, it rewrites http:// URLs for that host to https:// before sending anything, and it refuses to let the user click through certificate errors. That defeats SSL-stripping downgrade attacks and stray http:// links. Two caveats: the header is ignored when received over plain HTTP, and the very first visit is unprotected unless the domain is on the browser preload list, which requires a max-age of at least one year together with the includeSubDomains and preload directives.
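The checks listed under "What this tool checks", together with the CSP and HSTS points in the two paragraphs above, as an added Python example. This is not the analyser's own code: it parses pasted header lines and returns findings the way a reviewer would raise them. The sample header sets are constructed for the example, the one-year HSTS floor follows the HSTS preload requirements, and the severity labels and other thresholds are choices made here rather than anything the tool documents.

```python
"""Security-header analyser: an added example, not the tool's own code. It parses
"Name: value" lines and reports what a reviewer would flag for the six headers listed
above. The one-year HSTS floor is the preload-list requirement; other thresholds and
the severity labels are a baseline chosen for this example."""
from __future__ import annotations
import re
ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the HSTS preload list

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Lower-cased name -> all values (two CSP headers are both enforced, so keep
    repeats). A leading "HTTP/..." status line from curl output is skipped."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_directive(policy: str, name: str) -> list[str] | None:
    """Source list of one CSP directive with quotes stripped, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None

def analyse(raw: str) -> list[tuple[str, str, str]]:
    """Return (header, severity, message) findings; empty means every check passed."""
    h = parse_headers(raw)
    findings: list[tuple[str, str, str]] = []
    add = findings.append
    # HSTS: long max-age; includeSubDomains keeps a parent-domain cookie off HTTP subdomains.
    hsts = h.get("strict-transport-security")
    if not hsts:
        add(("Strict-Transport-Security", "high", "missing"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            add(("Strict-Transport-Security", "medium", f"max-age={age} is below one year"))
        if "includesubdomains" not in hsts[0].lower():
            add(("Strict-Transport-Security", "low", "includeSubDomains not set"))
    # CSP: script-src falls back to default-src, so check whichever applies.
    csp = h.get("content-security-policy")
    if not csp:
        add(("Content-Security-Policy", "high", "missing"))
    else:
        scripts = csp_directive(csp[0], "script-src")
        if scripts is None:
            scripts = csp_directive(csp[0], "default-src")
        if scripts is None:
            add(("Content-Security-Policy", "high", "no script-src or default-src: scripts unrestricted"))
        else:
            # A nonce or hash makes browsers ignore 'unsafe-inline' (CSP level 2+).
            keyed = any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in scripts)
            if "unsafe-inline" in scripts and not keyed:
                add(("Content-Security-Policy", "high", "'unsafe-inline' in script sources defeats XSS protection"))
            if any(s in ("*", "http:", "https:") for s in scripts):
                add(("Content-Security-Policy", "high", "wildcard script source"))
    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options, so either one passes.
    xfo = h.get("x-frame-options")
    if csp is None or csp_directive(csp[0], "frame-ancestors") is None:
        if not xfo:
            add(("X-Frame-Options", "medium", "missing and CSP has no frame-ancestors"))
        elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
            add(("X-Frame-Options", "medium", f"unsupported value {xfo[0]!r}; use DENY or SAMEORIGIN"))
    xcto = h.get("x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        add(("X-Content-Type-Options", "low", "missing or not 'nosniff'"))
    # Referrer-Policy may be a comma-separated fallback list; the last recognised value wins.
    rp = h.get("referrer-policy")
    if not rp:
        add(("Referrer-Policy", "low", "missing"))
    elif rp[0].lower().split(",")[-1].strip() in ("unsafe-url", "no-referrer-when-downgrade"):
        add(("Referrer-Policy", "low", f"{rp[0]!r} sends the full URL to cross-origin sites"))
    if not h.get("permissions-policy"):
        add(("Permissions-Policy", "low", "missing"))
    return findings

# Constructed sample responses for this example; not captured from any real site.
WEAK_HEADERS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example
X-Frame-Options: ALLOW-FROM https://partner.example
Referrer-Policy: unsafe-url
"""
HARDENED_HEADERS = """\
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""
```

analyse(WEAK_HEADERS) returns seven findings: the short HSTS max-age, the missing includeSubDomains, the 'unsafe-inline' script source, the obsolete ALLOW-FROM value, and the three absent headers. analyse(HARDENED_HEADERS) returns an empty list even though X-Frame-Options is absent, because frame-ancestors 'none' covers framing. Because the status line is skipped, the raw output of curl can be passed straight in.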
Getting your headers
You can view any website's response headers in your browser's developer tools (Network tab, select the document request, Headers pane) or with curl. curl -I https://example.com sends a HEAD request, and some servers omit or change headers for HEAD, so a GET with only the headers printed is more reliable: curl -sD - -o /dev/null https://example.com. Add -L to follow redirects, since an http:// URL that redirects to https:// only carries HSTS on the final HTTPS response.