Run this tool instantly in your browser. No signup and no server-side processing.

Security Header Analyzer

Analyze security headers with pass/warn/fail scoring and remediation guidance.

: 16/16 (100%)PASS 8WARN 0FAIL 0

Content-Security-Policy

pass

CSP present with safer baseline directives.

default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'

Strict-Transport-Security

pass

HSTS is configured with strong baseline.

max-age=31536000; includeSubDomains; preload

X-Frame-Options

pass

Anti-clickjacking policy is configured.

DENY

X-Content-Type-Options

pass

MIME-sniffing protection is enabled.

nosniff

Referrer-Policy

pass

Referrer policy is privacy-conscious.

strict-origin-when-cross-origin

Permissions-Policy

pass

Permissions-Policy is present.

camera=(), microphone=(), geolocation=()

Cross-Origin-Opener-Policy

pass

COOP is configured for isolation.

same-origin

Cross-Origin-Resource-Policy

pass

CORP header is present.

same-origin

Related Tools

CSP Parser & Analyzer

Parse Content Security Policy headers and analyze for security issues.

Header Diff

Compare HTTP headers side by side and highlight differences.

HTTP Status Codes

Searchable reference for all HTTP status codes with descriptions.

Certificate Decoder

Decode PEM-encoded X.509 certificates and inspect all details locally.

Security Header Analyzer: complete usage guide

Analyze HTTP security headers and receive pass/warn/fail scoring with remediation guidance for safer web deployments.

What this tool does

It parses raw response header blocks including optional status lines.

It evaluates critical security headers and classifies each as pass, warn, or fail.

It computes an overall security score with status counts.

It generates a copyable report with actionable remediation hints.

Typical use cases

Audit security header posture before production release.
Compare environment drift between staging and production responses.
Guide remediation tasks for CSP, HSTS, and related policies.
Include repeatable header-check evidence in security reviews.
Monitor regressions after CDN, proxy, or middleware changes.

Input examples

Raw headers

content-security-policy: ...\nstrict-transport-security: ...

Security sample

x-frame-options: DENY\nx-content-type-options: nosniff

Optional status line

HTTP/2 200

Output examples

Score

Score 14/18 with PASS/WARN/FAIL counts

Per-header assessment

CSP pass, HSTS warn, COOP fail with recommendations

Copy report

formatted security header summary for tickets and audits

Common errors and fixes

Headers pasted in non-standard format

Use one `name: value` pair per line.

False negatives from missing proxy headers

Capture final response headers from edge/prod path.

Score interpreted as compliance certification

Use score as guidance, not legal/compliance guarantee.

Outdated policy assumptions

Review recommendations against current browser support and org policies.

Copying incomplete report context

Include environment URL and timestamp with copied output.

Security and privacy notes

Header analysis is local and does not require server submission.
Redact sensitive proprietary headers before sharing outputs.
Store audit artifacts in approved security documentation systems.

Step-by-step workflow

Start with a minimal input for Security Header Analyzer and verify baseline behavior first.
Make assumptions explicit: encoding, delimiter strategy, and timezone.
Change one variable at a time and compare output diffs.
Keep one verified output snapshot as a team reference.

Quality checklist before sharing output

Confirm Security Header Analyzer output is deterministic across repeated runs with identical input.
Check boundary inputs (empty values, long fields, invalid characters).
Remove sensitive data before sharing output externally.
Verify final rendering on both desktop and mobile viewports.