Paste your HTTP headers and get an instant security assessment. Checks for HSTS, CSP, X-Frame-Options, and other critical security headers against OWASP and PCI-DSS requirements.
Enter HTTP security headers (one per line). Format: Header-Name: value
Security headers are your first line of defence against many common web attacks. They tell browsers how to behave when handling your site's content, preventing attacks like XSS, clickjacking, and MIME-sniffing before they can even start.
CSP is perhaps the most powerful security header. It defines exactly which resources your page can load and execute. A properly configured CSP can prevent most XSS attacks by blocking inline scripts and unauthorized external resources.
HSTS tells browsers to always use HTTPS when connecting to your site. Once set, browsers will refuse to connect over plain HTTP, protecting your users from downgrade attacks and accidental insecure connections.
You can view any website's headers using browser developer tools (Network tab) or command line tools like curl. Try curl -I https://example.com to see headers for any site.
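The checks described above can be sketched as a small offline checker that takes headers in the same "Header-Name: value" format. This is an added example, not the tool's own code; the function names, finding strings and the one-year HSTS threshold are assumptions made for the example.

```python
import re

# Constructed sample input in the "Header-Name: value" format.
SAMPLE = """\
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
"""
MIN_HSTS_AGE = 31536000  # one year in seconds; threshold assumed for this example

def parse_headers(text):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name (last wins)."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}, lower-cased for comparison."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])  # first duplicate directive wins
    return policy

def assess(text):
    """Return a list of findings for the pasted headers (empty list = all checks pass)."""
    h, findings = parse_headers(text), []
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("HSTS missing")
    elif not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age below one year")
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))  # script-src falls back
    if not csp:
        findings.append("CSP missing")
    elif scripts is None:
        findings.append("CSP does not restrict scripts")
    elif "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
        findings.append("CSP allows inline scripts")  # a nonce or hash would override it
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("MIME sniffing not disabled")
    return findings
```

Calling assess(SAMPLE) reports the short HSTS lifetime, the inline-script allowance and the missing framing control, while the nosniff header passes.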