HTTP Header Analyzer
Paste a block of HTTP response headers and get a per-header explanation plus an overall security grade. Works on internal, staging, and private URLs because nothing here touches the network.
How the grade is calculated
The five "critical" security headers
The grade is built around five headers that every modern public web app should send. Missing one is a one-grade penalty; missing several stacks up:
- Strict-Transport-Security: forces HTTPS for future visits. Required for any site that handles user data over HTTPS.
- Content-Security-Policy: tells the browser what scripts/styles/connections are allowed. The single strongest defense against XSS.
- X-Frame-Options (or frame-ancestors in CSP): prevents the page from being framed by an attacker site. Stops clickjacking.
- X-Content-Type-Options: nosniff: stops the browser from "MIME-sniffing" a file's type and treating non-script content as script.
- Referrer-Policy: controls how much of the previous URL is sent when leaving your site.
"Soft" deductions
Some configurations are present but suboptimal. These take small chunks off the grade rather than full letter drops:
- HSTS with a max-age shorter than 1 year.
- CSP that uses 'unsafe-inline' or 'unsafe-eval'.
- Server or X-Powered-By headers exposing version numbers.
- Cookies missing Secure, HttpOnly, or SameSite.
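The grading rules above (five critical headers, with frame-ancestors standing in for X-Frame-Options, plus the soft deductions) can be reproduced offline in a few dozen lines. The following is an added example written for this page, not the analyzer's own code. The exact point values are an assumption: a missing critical header costs one full letter, each soft finding costs a quarter of a letter, and the scale runs A through F. The two header blocks are constructed sample input.

```python
import re

# The five critical headers, keyed by lowercase name.
CRITICAL = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",          # satisfied by a CSP frame-ancestors directive too
    "x-content-type-options",
    "referrer-policy",
]
LETTERS = ["A", "B", "C", "D", "E", "F"]
ONE_YEAR = 365 * 24 * 3600

# Constructed sample: a typical "mostly configured" response.
WEAK_SAMPLE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; HttpOnly
"""

# Constructed sample: the same site after fixing every finding.
HARDENED_SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw: str) -> dict:
    """Turn a pasted header block into {lowercase-name: [values]}.
    A list per name is kept because Set-Cookie legitimately repeats."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or ":" not in line or line.upper().startswith("HTTP/"):
            continue  # blank line or status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def first(headers: dict, name: str) -> str:
    vals = headers.get(name)
    return vals[0] if vals else ""


def missing_critical(headers: dict) -> list:
    """Names of critical headers that are absent (full-letter penalties)."""
    missing = []
    for name in CRITICAL:
        if name in headers:
            continue
        if name == "x-frame-options" and "frame-ancestors" in first(headers, "content-security-policy").lower():
            continue  # CSP frame-ancestors covers clickjacking instead
        missing.append(name)
    return missing


def soft_findings(headers: dict) -> list:
    """Present-but-suboptimal configurations (fractional penalties)."""
    findings = []
    m = re.search(r"max-age=(\d+)", first(headers, "strict-transport-security"), re.I)
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append("hsts-max-age-short")
    csp = first(headers, "content-security-policy").lower()
    for token, label in (("'unsafe-inline'", "csp-unsafe-inline"), ("'unsafe-eval'", "csp-unsafe-eval")):
        if token in csp:
            findings.append(label)
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", first(headers, name)):  # looks like a version number
            findings.append(f"{name}-version-disclosed")
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie-{cname}-missing-{flag}")
    return findings


def grade(raw: str) -> dict:
    """Assumed scoring: start at A; -1 letter per missing critical header, -0.25 per soft finding."""
    headers = parse_headers(raw)
    missing = missing_critical(headers)
    soft = soft_findings(headers)
    penalty = len(missing) + 0.25 * len(soft)
    idx = min(int(penalty), len(LETTERS) - 1)
    return {"grade": LETTERS[idx], "missing": missing, "soft": soft}


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, grade(sample))
```

The weak sample lands on a C: Referrer-Policy is missing (one letter) and five soft findings (short HSTS max-age, 'unsafe-inline', nginx version, cookie without Secure and without SameSite) add up to a second full letter. The hardened sample has no findings and grades A. Note that X-Frame-Options is absent in both, but frame-ancestors 'none' in the CSP satisfies the framing check, exactly as the rule above describes.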
What this won't catch
Headers tell you about the configuration but not about the rendered page. A site can have a perfect header grade and still have application-layer vulnerabilities (broken auth, IDOR, SQL injection, etc.). Use this alongside a real test of the application, not in place of one.