Security Headers Checker

Check a URL for missing or risky security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP) and analyze cookie flags (Secure, HttpOnly, SameSite). Follow redirects to the final destination, export JSON/PDF reports, and get actionable hardening recommendations.

Loading…

About Security Headers Checker

Modern web security is largely enforced by HTTP response headers. This tool fetches a URL (optionally following redirects) and audits the key hardening headers that reduce XSS, clickjacking, MIME sniffing, insecure transport, and cross-origin isolation issues. It also reviews Set-Cookie attributes to catch common gaps like missing Secure/HttpOnly/SameSite, or SameSite=None without Secure.

Features

  • Follow redirects to audit the final HTTPS destination (recommended for real-world deployments).
  • Checks required hardening headers: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
  • Checks recommended modern headers: COOP, COEP, CORP, Origin-Agent-Cluster, and additional hardening signals when present.
  • Cookie analysis for Set-Cookie flags: Secure, HttpOnly, SameSite; warns about SameSite=None without Secure.
  • CSP analysis: highlights unsafe-inline, unsafe-eval, wildcard sources, missing defensive directives (default-src, object-src, base-uri, frame-ancestors), and report-only caveats.
  • Flags deprecated or risky headers (e.g., X-XSS-Protection) and information leakage headers (e.g., Server, X-Powered-By).
  • Copy/shareable findings for security reviews, pentest reports, or bug tickets.
  • Download reports as JSON or PDF for audits, compliance evidence, and regression tracking.

🧭 How to use for security-headers-checker

1

Paste the URL you want to audit

Enter the full URL (preferably https://…). The tool evaluates the response headers returned by that endpoint.

2

Enable “Follow Redirects” (recommended)

Many sites redirect http→https and non-www→www (or vice versa). Following redirects audits the final destination users and bots actually reach.

3

Choose whether to show raw headers

Enable “Show Raw Headers” if you want the original header lines for debugging (great for CDNs, reverse proxies, and framework defaults).

4

Review findings and prioritize fixes

Focus first on transport security (HSTS), anti-XSS (CSP), clickjacking (frame protections), cookie flags, and cross-origin isolation (COOP/COEP/CORP) where applicable.

5

Export a report for tracking

Download JSON/PDF to attach to tickets, compare changes over time, or add checks to CI for regressions.

Technical specs

What this tool checks

The checker focuses on modern, high-impact response headers and cookie attributes used for browser-enforced security controls.

AreaSignals checkedWhy it matters
Transport securityStrict-Transport-Security (HSTS)Forces HTTPS and helps prevent SSL stripping on subsequent visits.
XSS mitigationContent-Security-Policy (CSP) + common pitfallsRestricts script/style sources and reduces XSS impact when correctly configured.
ClickjackingX-Frame-Options and/or CSP frame-ancestorsPrevents your pages from being framed by other origins.
MIME sniffingX-Content-Type-Options: nosniffStops browsers from guessing content types in risky ways.
Referrer leakageReferrer-PolicyControls how much referrer info is sent to other sites.
Permissions controlPermissions-PolicyRestricts powerful features (camera, mic, geolocation, etc.) at the browser level.
Cross-origin isolationCOOP / COEP / CORP (and related)Needed for advanced security isolation and some high-performance APIs.
CookiesSet-Cookie flags: Secure, HttpOnly, SameSiteReduces session theft risk and mitigates CSRF when correctly configured.
Risky/deprecatedX-XSS-Protection, Server, X-Powered-By (when present)Deprecated controls or info leakage that can aid attackers.

Request behavior and limits

The audit runs server-side and can follow redirects to match real navigation behavior.

SettingBehaviorDefault
Follow RedirectsFollows up to a capped number of redirectsEnabled
Max RedirectsMaximum redirects when following is enabled10
TimeoutRequest timeout15000 ms
User-AgentRequest identification headerEncode64Bot/1.0 (+[https://encode64.com](https://encode64.com))
Private networksBlocks private-network targetsNot allowed

Interpreting results correctly

A “passing” header scan is not the same as “secure.” Headers are one layer. The goal is to reduce the blast radius of common classes of issues and enforce safer browser defaults.

Use this report as a baseline hardening checklist. Still audit authentication, authorization, input validation, dependency vulnerabilities, and server configuration.

Command line

Use curl to replicate what the checker does and validate headers quickly during debugging or CI.

macOS / Linux

Fetch response headers

curl -I [https://example.com](https://example.com)

Shows the top-level headers returned by the endpoint.

Follow redirects and show headers

curl -IL [https://example.com](https://example.com)

Useful to confirm the final destination headers after redirects.

Inspect Set-Cookie lines

curl -sI [https://example.com](https://example.com) | grep -i '^set-cookie:'

Helps verify Secure/HttpOnly/SameSite attributes.

Windows (PowerShell)

Fetch response headers

(Invoke-WebRequest -Uri [https://example.com](https://example.com) -Method Head).Headers

Prints the returned headers in PowerShell.

Always test both your HTML pages and critical API endpoints: they often have different middleware stacks and therefore different header sets.

Use cases

Security hardening baseline for a web app

Establish a minimum header baseline and catch missing headers after deployments, proxy/CDN changes, or framework upgrades.

  • Verify HSTS is present on production HTTPS
  • Ensure clickjacking protections are enabled for authenticated pages

Cookie and session safety review

Validate that session cookies are sent with Secure/HttpOnly/SameSite and detect common misconfigurations.

  • Catch SameSite=None without Secure
  • Confirm HttpOnly is set on session tokens

CSP quality and XSS risk reduction

Identify high-risk CSP patterns and prioritize fixes that materially reduce XSS impact.

  • Remove unsafe-inline and adopt nonce/hash strategy
  • Add frame-ancestors and base-uri for stronger defaults

CDN / reverse proxy regression checks

Detect when a CDN, load balancer, or proxy strips or duplicates headers.

  • Verify security headers survive Cloudflare/Varnish/Nginx changes
  • Ensure redirects do not drop HSTS on final destination

❓ Frequently Asked Questions

Why are security headers important?

They enforce browser-side security controls that reduce the impact of common web attacks like XSS, clickjacking, and mixed-content or downgrade issues. They also set safer defaults for cookies and cross-origin behavior.

Should I enable “Follow Redirects”?

Usually yes. Real users and crawlers end up at the final URL after redirects, and that’s where the effective headers matter. Redirect chains can hide missing headers on the final destination.

Is CSP required for every site?

It’s strongly recommended for sites with user sessions or dynamic content. Even a basic CSP can reduce XSS risk, but CSP should be tested carefully to avoid breaking scripts and third-party integrations.

Why is X-XSS-Protection flagged as deprecated or risky?

It’s obsolete in modern browsers and in some historical cases could introduce unexpected behavior. Focus on CSP and safe coding practices instead.

What’s a common HSTS mistake?

Enabling HSTS on HTTPS but forgetting to serve HTTPS consistently (or missing it on the canonical host). Another common mistake is adding preload directives without fully meeting the preload requirements.

Can headers alone secure my application?

No. Headers are a hardening layer. You still need secure coding, dependency management, authentication/authorization correctness, and robust server configuration.

Pro Tips

Best Practice

Audit both the landing HTML and your API endpoints. They often have different middleware and can silently diverge in header coverage.

CI Tip

Run a redirect-chain check: confirm the final destination sets the strongest headers (especially HSTS and CSP).

Security Tip

Treat cookies as part of your security perimeter: Secure + HttpOnly + appropriate SameSite should be your default for session cookies.

Security Tip

For CSP, prioritize removing unsafe-inline/unsafe-eval and adopting nonces or hashes. This is usually the biggest real-world security gain.

Security Tip

Avoid leaking server details. Remove or minimize Server / X-Powered-By where feasible to reduce fingerprinting.

CI Tip

Add a regression test in CI that fails deployments if critical headers disappear (proxy/CDN changes cause this more often than people expect).

Additional Resources

OWASP Secure Headers Project
Documentation
MDN: Content Security Policy (CSP)
Documentation
MDN: Strict-Transport-Security (HSTS)
Documentation
MDN: Set-Cookie
Documentation
MDN: Permissions-Policy
Documentation

Other Tools

Security Headers Checker — audit CSP, HSTS, cookies, and hardening headers | Encode64