HTTP Security Headers Checker
Fetch any HTTPS URL and grade its security-relevant response headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP).
What it does
Modern web-application security depends heavily on HTTP response headers. Without a Content-Security-Policy, an injected XSS payload can load attacker scripts and exfiltrate data. A missing HSTS allows downgrade attacks. A missing X-Frame-Options enables clickjacking. Our checker fetches any URL with a server-side request, grades the security-relevant response headers against current best practice, and explains what each header should look like. No JavaScript is executed — we only inspect the response headers.
How to use it
- Enter a URL (must use http:// or https://).
- Click "Check headers".
- Read the letter grade (A = excellent, F = critical gaps) and percentage score.
- For each missing header, the report shows what to add.
- Add the missing headers in your web server config (Nginx, Apache) or WAF/CDN edge.
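The grading flow described above, as an added example written for this page (not the checker's own code): header presence is weighted into a percentage and letter grade, version-bearing Server/X-Powered-By headers cost points, and every missing header is rendered as the nginx add_header line you would paste into your server block. The weights, grade cut-offs and suggested values are assumptions rather than the tool's rubric, and the response headers are a constructed sample so the script runs offline; fetch_headers() is included for a live check.

```python
"""Grade a response's security headers and render remediation (added example, not the tool's code)."""
import urllib.request
from urllib.parse import urlparse

# Header -> (weight, suggested value). Weights and suggested values are assumptions.
SECURITY_HEADERS = {
    "strict-transport-security": (20, "max-age=31536000; includeSubDomains"),
    "content-security-policy": (25, "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"),
    "x-frame-options": (10, "DENY"),
    "x-content-type-options": (10, "nosniff"),
    "referrer-policy": (10, "strict-origin-when-cross-origin"),
    "permissions-policy": (10, "camera=(), microphone=(), geolocation=()"),
    "cross-origin-opener-policy": (5, "same-origin"),
    "cross-origin-embedder-policy": (5, "require-corp"),
    "cross-origin-resource-policy": (5, "same-origin"),
}
# Headers that leak the stack when they carry a version string.
LEAKY_HEADERS = ("server", "x-powered-by")

# Constructed sample response, not captured from any real site.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Server": "nginx/1.21.0",
}


def fetch_headers(url, timeout=10):
    """Live fetch: GET the URL server-side and return its response headers (redirects are followed)."""
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError("URL must use http:// or https://")
    req = urllib.request.Request(url, headers={"User-Agent": "headers-checker-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def letter_grade(score):
    """Map a percentage to a letter. Cut-offs are an assumption."""
    for cut, letter in ((90, "A"), (75, "B"), (60, "C"), (45, "D")):
        if score >= cut:
            return letter
    return "F"


def grade_headers(headers):
    """Return score, grade, missing headers (with suggestions) and leaky headers."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    total = sum(weight for weight, _ in SECURITY_HEADERS.values())
    earned, missing = 0, []
    for name, (weight, suggestion) in SECURITY_HEADERS.items():
        if name in hdrs:
            earned += weight
        else:
            missing.append((name, suggestion))
    # A Server/X-Powered-By value containing a digit is treated as a version leak.
    leaks = [f"{h}: {hdrs[h]}" for h in LEAKY_HEADERS
             if h in hdrs and any(ch.isdigit() for ch in hdrs[h])]
    score = max(round(100 * earned / total) - 5 * len(leaks), 0)  # 5-point deduction per leak (assumption)
    return {"score": score, "grade": letter_grade(score), "missing": missing, "leaks": leaks}


def nginx_remediation(missing):
    """Render the 'what to add' section as nginx directives; 'always' also covers error responses."""
    return [f'add_header {name.title()} "{value}" always;' for name, value in missing]


if __name__ == "__main__":
    report = grade_headers(SAMPLE_RESPONSE)
    print(f"Grade {report['grade']} ({report['score']}%)")
    for line in nginx_remediation(report["missing"]):
        print("  ", line)
    for leak in report["leaks"]:
        print("   leak:", leak)
```

The constructed sample lands on a B for exactly the reason the FAQ below gives: HSTS, CSP and X-Frame-Options are present, the COOP/COEP/CORP triad is not, and the versioned Server header costs a few points.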
Common use cases
Pre-launch security review
Before pushing a new site to production, verify all security headers are configured correctly.
Post-pentest verification
After a penetration test flagged missing headers, run this to confirm fixes are deployed.
Third-party vendor assessment
Quickly grade vendor portals for due diligence — missing CSP/HSTS is a red flag for vendor risk reviews.
Educate your team
Show developers what production-grade headers look like by checking respected sites.
Frequently asked questions
What does grade B mean?
B = good, but with room for improvement. Typically you have HSTS, CSP and X-Frame-Options but lack the newer COOP/COEP/CORP triad needed for cross-origin isolation.
What is CSP?
Content-Security-Policy: a header that tells browsers which sources (scripts, images, frames) are allowed to load. A strict CSP prevents an injected XSS payload from exfiltrating data.
Do I need COOP/COEP/CORP?
Only if you use SharedArrayBuffer or specific browser features that require cross-origin isolation. For most marketing/blog sites, missing these doesn’t hurt much. For sensitive apps, add them.
What does "Information leakage" mean?
Headers like Server: nginx/1.21.0 or X-Powered-By: PHP/8.2 tell attackers your stack and its version. Hide or strip them.
Why is HSTS so important?
Without HSTS, a man-in-the-middle attacker can downgrade your visitors’ connections from HTTPS to HTTP on the first request, stealing session cookies.
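Presence alone does not make a header good, so here is an added example (not the checker's own code) that inspects the values the FAQ above discusses: a small Content-Security-Policy parser that flags the script-src weaknesses a strict policy avoids, an HSTS check for max-age and includeSubDomains, and a test for the COOP/COEP pair that turns on cross-origin isolation. The 180-day HSTS threshold and the specific finding texts are assumptions, and the policies are constructed samples.

```python
"""Value-level checks for CSP, HSTS and cross-origin isolation (added example, not the tool's code)."""
import re

# Constructed sample policies, not taken from any real site.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = ("default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}; directives are ';'-separated."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(policy):
    """Return weaknesses that would still let an injected payload execute or pull remote code."""
    d = parse_csp(policy)
    findings = []
    script = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
    if script is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        if "'unsafe-inline'" in script and not any(s.startswith(HASH_OR_NONCE) for s in script):
            findings.append("script-src allows 'unsafe-inline' without nonces/hashes")
        if "*" in script or "https:" in script or "http:" in script:
            findings.append("script-src allows wildcard or scheme-wide sources")
    if "object-src" not in d and "default-src" not in d:
        findings.append("object-src unrestricted")
    if "base-uri" not in d:
        findings.append("base-uri not set: <base> injection can redirect relative script URLs")
    return findings


def hsts_findings(value, min_age=15552000):
    """Check an HSTS value; min_age of 180 days is an assumed threshold, not the tool's."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not match:
        return ["HSTS present but max-age missing"]
    findings = []
    age = int(match.group(1))
    if age < min_age:
        findings.append(f"max-age {age} is shorter than {min_age} seconds")
    if "includesubdomains" not in value.lower():
        findings.append("includeSubDomains missing: subdomains remain reachable over plain HTTP")
    return findings


def cross_origin_isolated(headers):
    """True when COOP and COEP carry the values browsers require for cross-origin isolation."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return (h.get("cross-origin-opener-policy") == "same-origin"
            and h.get("cross-origin-embedder-policy") in ("require-corp", "credentialless"))


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, "CSP findings:", csp_findings(policy) or "none")
    print("HSTS findings:", hsts_findings("max-age=300") or "none")
    print("cross-origin isolated:", cross_origin_isolated(
        {"Cross-Origin-Opener-Policy": "same-origin",
         "Cross-Origin-Embedder-Policy": "require-corp"}))
```

Running it shows the weak policy picked up for 'unsafe-inline', the scheme-wide https: source and the missing base-uri, while the nonce-based policy comes back clean; the HSTS sample fails on both max-age and includeSubDomains.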
Related tools
SSL / TLS Certificate Inspector
Inspect the cert chain, signature algorithm, expiry, SANs, and issuer of any TLS host.
Subdomain Finder
Passive enumeration via certificate transparency logs. No port scanning, no DNS brute-force.
WHOIS / RDAP Lookup
Modern WHOIS via RDAP. Registration date, registrar, nameservers, plus "newly registered" flag.
Free for everyone, no signup required. Tool runs at /tools/http-headers-checker/ — bookmark or share.