What is Content-Security-Policy (CSP)?

Content-Security-Policy is a security header that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying which content sources are allowed to load. A well-configured CSP significantly reduces the attack surface of your web application.

What is HSTS and why is it important?

HTTP Strict Transport Security (HSTS) tells browsers to only connect to your site using HTTPS, preventing man-in-the-middle attacks and protocol downgrade attacks. With HSTS, even if a user types http://, their browser will automatically use HTTPS.

How is the security score calculated?

The security score is a weighted average of individual header scores. Critical headers like CSP (25%) and HSTS (20%) have higher weight, while informational headers like Expect-CT have lower weight. Each header is scored based on its presence and configuration quality.

What do the letter grades mean?

Grades reflect your overall security posture: A+ (95+) means exceptional security, A (85-94) is excellent, B (75-84) is good but needs improvement, C (65-74) is moderate with several issues, D (50-64) is weak, and F (below 50) indicates critical security problems.

Can I paste headers instead of scanning a URL?

Yes! You can switch to "Paste Headers" mode and enter raw HTTP headers directly. This is useful for testing headers from development environments, analyzing headers from curl output, or checking headers when the site is not publicly accessible.

How do I add security headers to my website?

Security headers are typically configured in your web server (Nginx, Apache), CDN (Cloudflare, AWS CloudFront), or application framework. The tool provides specific recommendations and example configurations for each missing or weak header.

Does this tool detect Cloudflare?

Yes, the tool automatically detects if a site is using Cloudflare based on response headers. When Cloudflare is detected, you will see specific guidance on how to configure security headers through the Cloudflare dashboard using Transform Rules.

Home/Tools/Security/Security Headers Analyzer

Security Headers Analyzer

Analyze HTTP security headers for any website. Check Content-Security-Policy, HSTS, X-Frame-Options, and more. Get a security score and actionable recommendations to improve your web security.

Analyze URL

Paste Headers

Enter Website URL

Quick test:GitHubGoogleMozilla

Ready to take this to the next level?

Our team can help implement enterprise-grade solutions. Get personalized recommendations in a free 30-minute consultation.

Schedule Free Consultation See How We Help

Understanding HTTP Security Headers

HTTP security headers are response headers that web servers send to browsers to enable security features and prevent common web vulnerabilities. Properly configured headers can protect against XSS, clickjacking, MIME-type sniffing, and other attacks.

Essential Security Headers

Header	Purpose	Priority
Content-Security-Policy	Prevents XSS and code injection	Critical
Strict-Transport-Security	Enforces HTTPS connections	Critical
X-Frame-Options	Prevents clickjacking	High
X-Content-Type-Options	Prevents MIME sniffing	High
Referrer-Policy	Controls referrer information	Medium

Content Security Policy (CSP)

CSP is the most powerful security header, allowing you to control which resources can be loaded on your page. A well-configured CSP can prevent most XSS attacks by blocking inline scripts and limiting script sources.

Example CSP Header:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

HSTS Configuration

HSTS should be configured with a max-age of at least 31536000 (1 year) and include the includeSubDomains directive. For additional security, consider adding your domain to the HSTS preload list.

Recommended HSTS Header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Cross-Origin Headers (COOP, COEP, CORP)

The newer cross-origin headers enable cross-origin isolation, which is required for some browser features like SharedArrayBuffer. However, they can break third-party integrations, so test carefully before deploying.

COOP

Cross-Origin-Opener-Policy isolates your browsing context from cross-origin windows.

COEP

Cross-Origin-Embedder-Policy requires all resources to opt-in to being loaded.

CORP

Cross-Origin-Resource-Policy controls who can load your resources.

Frequently Asked Questions

Common questions about the Security Headers Analyzer

This tool analyzes 13 key security headers: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Resource-Policy (CORP), Expect-CT, X-XSS-Protection, X-Permitted-Cross-Domain-Policies, and X-DNS-Prefetch-Control.

Explore More Tools

Continue with these related tools

Security

SSL Checker

Analyze SSL/TLS certificates and protocol support

Try it now

Security

CSP Generator

Generate Content Security Policy headers

Try it now

Network

DNS Lookup

Query DNS records for any domain

Try it now

Network

WHOIS Lookup

Get domain registration information

Try it now

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.