DevTools
Language

Security Headers Checker

DevTools Security Headers Checker analyzes CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and related headers from pasted HTTP response text—find missing or weak policies.

Security Headers Checker

Paste HTTP response headers to find missing or misconfigured security-related headers.

Content-Security-Policy

Missing

Restricts script, style, and resource origins to mitigate XSS.

Strict-Transport-Security

Missing

Forces browsers to use HTTPS.

X-Frame-Options

Missing

Prevents clickjacking via third-party iframes.

X-Content-Type-Options

Missing

Blocks MIME sniffing.

Referrer-Policy

Missing

Controls referrer header leakage.

Permissions-Policy

Missing

Restricts powerful APIs like camera, mic, and geolocation.

About this tool

Security headers reduce XSS, clickjacking, and MIME sniffing risk. Paste output from curl -I or browser Network headers to score and improve your policy.

How to use

  1. Paste full HTTP response header text.
  2. Click Check Headers.
  3. Apply recommendations to strengthen your policy.

FAQ

What is CSP?

Content-Security-Policy limits which scripts, styles, and connections a page may load—a core defense against XSS.

What does HSTS do?

Strict-Transport-Security forces HTTPS-only access, helping prevent SSL stripping attacks.

Is my header text uploaded?

Analysis runs on the pasted text you provide; treat sensitive tokens carefully and redact secrets before pasting.

Is this tool free?

Yes. No sign-up required.

Related tools