Paste the HTTP response headers from any site and get a graded, plain-language report. It checks the headers that matter, then explains what each one does, where it is weak, and exactly how to fix it.
HTTP security headers are one of the highest leverage defenses you can add to a web application. They cost almost nothing to deploy and they instruct the browser to refuse a whole class of attacks before your code ever runs. This analyzer reads the headers you paste and grades them against the checks that carry real weight, drawing on the OWASP Secure Headers Project and the relevant web platform specifications.
Strict-Transport-Security (HSTS) forces the browser to use HTTPS for every future request to your domain, which shuts down protocol downgrade and cookie theft over plain HTTP. The browser only honours the header on a response it received over HTTPS, and only from that point on, so the very first visit is unprotected unless the domain is on the browser preload list. A strong value sets a long max-age (at least one year, 31536000 seconds, which is also the minimum the preload list accepts), adds includeSubDomains, and ideally preload. Add preload only once every subdomain serves HTTPS, because getting off the list again takes months.
Content-Security-Policy is the single most important and most misconfigured header. A good policy controls which sources may run scripts, which is your strongest in-browser brake on cross-site scripting. The analyzer parses your policy directive by directive and flags the patterns that let an attacker walk straight through it, such as 'unsafe-inline', 'unsafe-eval', and wildcard sources. The current recommendation is a nonce- or hash-based policy with 'strict-dynamic', which removes the need for a host allowlist and with it the classic bypass of a permissive endpoint on a trusted CDN; roll it out under Content-Security-Policy-Report-Only first so you see what it would block before it blocks anything.
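The directive-by-directive pass described above, as an added example that is not the analyzer's own code: it splits a policy into directives, works out which directive governs script execution (script-src, falling back to default-src), and flags 'unsafe-inline', 'unsafe-eval' and wildcard or scheme-only sources while respecting the two cases where those tokens are harmless (a nonce or hash present alongside 'unsafe-inline', and 'strict-dynamic' present alongside host sources). The finding wording, the helper names and the sample policies are this example's own.

```python
"""Parse a Content-Security-Policy value directive by directive and report the
patterns that let an attacker walk through its script restrictions.
Added example; finding wording, helper names and sample policies are its own."""

# Sources that let any origin, or any origin on a scheme, serve script.
OPEN_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive-name: [source tokens]}.

    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive. Browsers honour only the first copy of a repeated
    directive, so a later duplicate is dropped here too."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_source_list(policy: dict[str, list[str]]):
    """Return (directive, sources) governing script execution: script-src if
    present, otherwise default-src, otherwise (None, [])."""
    for name in ("script-src", "default-src"):
        if name in policy:
            return name, policy[name]
    return None, []


def find_csp_weaknesses(value: str) -> list[str]:
    """Return one finding per bypass pattern; an empty list means none were seen."""
    policy = parse_csp(value)
    directive, sources = script_source_list(policy)
    if directive is None:
        return ["no script-src and no default-src: scripts may run from anywhere"]

    findings: list[str] = []
    lowered = [s.lower() for s in sources]
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'; it is
    # usually left in only as a fallback for CSP1 browsers, so it is not a hole then.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
    # With 'strict-dynamic', browsers ignore host and scheme sources entirely,
    # so an open scheme such as https: in the same list is harmless.
    strict_dynamic = "'strict-dynamic'" in lowered

    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append(f"{directive}: 'unsafe-inline' lets an injected <script> tag run")
    if "'unsafe-eval'" in lowered:
        findings.append(f"{directive}: 'unsafe-eval' allows eval() and new Function() on injected strings")
    if not strict_dynamic:
        for src in lowered:
            if src in OPEN_SOURCES:
                findings.append(f"{directive}: {src!r} lets any matching origin serve script")
            elif src.startswith("*."):
                findings.append(f"{directive}: {src!r} trusts every subdomain, including a dangling one")
    # object-src falls back to default-src; with neither, plugin content is unrestricted.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src: not set and no default-src fallback; add object-src 'none'")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    samples = {
        "weak": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: *.cdn.example",
        "strict": "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
                  "object-src 'none'; base-uri 'none'",
    }
    for label, policy in samples.items():
        print(label, find_csp_weaknesses(policy) or ["no bypass patterns found"])
```

The "strict" sample is the shape of a modern nonce-based policy: the 'unsafe-inline' and https: tokens are fallbacks for old browsers that current browsers ignore, which is why the checker reports nothing for it and four findings for the "weak" one.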
These headers decide whether your pages can be loaded inside a frame on another site. Without one of them, an attacker can embed your page invisibly over their own and trick a user into clicking, the attack known as clickjacking. Modern policy uses the CSP frame-ancestors directive, with X-Frame-Options as a fallback for old browsers; a browser that understands frame-ancestors ignores X-Frame-Options when both are present, so keep the two consistent, and do not rely on ALLOW-FROM, which current browsers no longer support.
X-Content-Type-Options: nosniff stops the browser from guessing that a response is a script or stylesheet when its Content-Type says otherwise, which closes off MIME-sniffing tricks. Referrer-Policy controls how much of your URL leaks to other sites and is a quiet but real privacy lever, in the same family as the data exposure covered in how browser fingerprinting works; strict-origin-when-cross-origin is the sensible value, and although current browsers apply it by default when the header is absent, set it explicitly so older ones do not fall back to sending the full URL. Permissions-Policy turns off browser features like the camera, microphone, or geolocation that your site does not use, so a script injected into your page cannot switch them on either.
The tool also inspects every Set-Cookie header for the Secure, HttpOnly, and SameSite attributes, because a session cookie that scripts can read or that travels over plain HTTP undoes much of the protection above. A cookie set with a Domain attribute is sent to every subdomain of that domain; that shared parent-domain trust is what makes a subdomain takeover so damaging, and the __Host- prefix exists to forbid it. Finally it notes headers like Server and X-Powered-By, which can hand an attacker your exact software versions for free.
Each graded header contributes a weighted share of a score out of one hundred. A pass earns the full weight, a weak configuration earns part of it, and a missing critical header earns none. The letter is a quick signal, not a verdict: a perfect score says the browser-side controls are in place, not that the application behind them is safe. A real assessment looks at how the headers interact with your application, which is the kind of judgement a signature scanner cannot make and an AI security testing approach is built for. Headers are defense in depth. They reduce the blast radius of a bug; they do not replace fixing the bug.
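The weighted grading described above, together with the HSTS, framing, nosniff, Referrer-Policy and cookie checks from the earlier sections, as an added example that is not the analyzer's own code. It parses a pasted header block (status line skipped, repeated Set-Cookie lines kept apart), runs one check per header, awards full, half or zero credit, and turns the total into a letter. The weights, the letter cut-offs, the one-year HSTS bar and the sample response are this example's own assumptions; CSP is graded here only on whether script sources are restricted at all, since the directive-level parse is a separate step.

```python
"""Grade pasted HTTP response headers the way the page describes: each check has
a weight, a pass earns all of it, a weak value half, a failed or missing check
nothing, and the total is out of 100. Added example: the weights, the letter
cut-offs and the one-year HSTS bar are this example's own assumptions."""
import re
from collections import namedtuple

ONE_YEAR = 31_536_000  # seconds; also the minimum max-age the HSTS preload list accepts
WEIGHTS = {"hsts": 25, "csp": 25, "framing": 15, "nosniff": 10, "referrer": 10, "cookies": 15}
CREDIT = {"pass": 1.0, "weak": 0.5, "fail": 0.0}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
Finding = namedtuple("Finding", "check status note")  # status is "pass", "weak" or "fail"

# Constructed sample response, not captured from any real site.
SAMPLE = """HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.3
Strict-Transport-Security: max-age=3600
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw: str) -> dict[str, list[str]]:
    """{lowercased name: [values]}; skips the status line and keeps repeated Set-Cookie lines apart."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.upper().startswith("HTTP/"):
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def first(h, name):
    return (h.get(name.lower()) or [None])[0]

def csp_directives(csp: str) -> set[str]:
    return {part.split()[0].lower() for part in csp.split(";") if part.split()}

def check_hsts(h) -> Finding:
    value = first(h, "Strict-Transport-Security")
    if value is None:
        return Finding("hsts", "fail", "Strict-Transport-Security missing")
    tokens = [t.strip().lower() for t in value.split(";")]
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    max_age = int(m.group(1)) if m else 0
    if max_age == 0:  # max-age=0 (or no max-age) tells the browser to forget the policy
        return Finding("hsts", "fail", "max-age=0 or absent")
    if max_age < ONE_YEAR or "includesubdomains" not in tokens:
        return Finding("hsts", "weak", f"max-age={max_age}, includeSubDomains={'includesubdomains' in tokens}")
    return Finding("hsts", "pass", "preload set" if "preload" in tokens else "add preload once every subdomain serves HTTPS")

def check_csp(h) -> Finding:
    csp = first(h, "Content-Security-Policy")
    if csp is None:
        return Finding("csp", "fail", "Content-Security-Policy missing")
    restricted = bool(csp_directives(csp) & {"script-src", "default-src"})
    return Finding("csp", "pass" if restricted else "weak", "script sources restricted" if restricted else "no script-src or default-src")

def check_framing(h) -> Finding:
    if "frame-ancestors" in csp_directives(first(h, "Content-Security-Policy") or ""):
        return Finding("framing", "pass", "CSP frame-ancestors set")
    xfo = (first(h, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return Finding("framing", "pass", f"X-Frame-Options {xfo}; add frame-ancestors as the primary control")
    return Finding("framing", "fail", "no frame-ancestors or usable X-Frame-Options (ALLOW-FROM is ignored)")

def check_nosniff(h) -> Finding:
    value = (first(h, "X-Content-Type-Options") or "").strip().lower()
    return Finding("nosniff", "pass" if value == "nosniff" else "fail", f"X-Content-Type-Options={value or 'missing'}")

def check_referrer(h) -> Finding:
    # A comma-separated value is a fallback chain and the last recognised policy wins.
    value = (first(h, "Referrer-Policy") or "").split(",")[-1].strip().lower()
    status = "fail" if not value else "pass" if value in SAFE_REFERRER else "weak"
    return Finding("referrer", status, value or "Referrer-Policy missing")

def check_cookies(h) -> Finding:
    cookies = h.get("set-cookie", [])
    problems = []
    for cookie in cookies:
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs]
        if missing:
            problems.append(f"{cookie.split('=', 1)[0].strip()} lacks {', '.join(missing)}")
    if not problems:
        return Finding("cookies", "pass", f"{len(cookies)} cookie(s) carry Secure, HttpOnly and SameSite")
    return Finding("cookies", "fail" if len(problems) == len(cookies) else "weak", "; ".join(problems))

def leaky_headers(h) -> list[str]:
    """Informational, not scored: headers that advertise software and versions."""
    return [f"{n}: {v}" for n in ("Server", "X-Powered-By") if (v := first(h, n))]

def grade(raw: str):
    h = parse_headers(raw)
    findings = [c(h) for c in (check_hsts, check_csp, check_framing, check_nosniff, check_referrer, check_cookies)]
    score = round(sum(WEIGHTS[f.check] * CREDIT[f.status] for f in findings))
    letter = next(l for cutoff, l in ((90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")) if score >= cutoff)
    return score, letter, findings, leaky_headers(h)

if __name__ == "__main__":
    score, letter, findings, leaks = grade(SAMPLE)
    print(f"{score}/100 grade {letter}", *(f"{f.check}: {f.status}, {f.note}" for f in findings), *leaks, sep="\n  ")
```

The sample scores 50 (D): a short HSTS max-age, a missing CSP, an old Referrer-Policy and a session cookie without Secure or SameSite each cost points, while the X-Powered-By line is reported but, as on the page, not scored. Raising max-age to a year with includeSubDomains and adding a CSP with default-src and frame-ancestors lifts the same response to 88 (B) without touching the application.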