Document Workflow

Check the final response security headers before launch

Capture the deployed edge response, distinguish enforced policies from monitoring, and verify security-header behavior across redirects before a public release.

Written and tested by Published: Reviewed:

How this workflow was checked

Using Security Headers Checker, we reproduced “Final production HTML response with an enforced baseline” from the exact sample input. The result comparison covered “Capture the deployed edge, not the development server” and “Preserve redirects and identify the final response”; the linked test evidence was then checked for “Counting Report-Only as enforced CSP” and “Copying HSTS options without owning every subdomain”.

The final document response yielded seven detected headers, zero missing recommendations, zero warnings, and an enforced CSP; localhost and redirect-only captures did not satisfy the same check.

Problem

Security headers are rarely owned by one file. Application middleware may set CSP, a framework may add X-Content-Type-Options, a reverse proxy may replace Referrer-Policy, and a CDN may attach HSTS only on selected hosts. A local page can therefore look correct while the final public HTML response is missing protection. Redirect captures add another trap: the first 301 response may be well configured while the destination is weaker. Report-Only can also look like CSP even though it records violations without blocking them. Copying a generic header template is not enough because HSTS received outside secure transport is ignored, includeSubDomains can make unprepared hosts unreachable, CSP can break required resources, and COOP or COEP can change popup and asset behavior. A useful launch check must inspect the actual edge response, record which block was analyzed, distinguish presence from enforcement, avoid exposing internal URLs or authorization material, and stay explicit that header review is only one part of application security.

Sources and standards

These authoritative references define the formats or security boundaries used in this workflow. Tool-specific verification is documented separately above.

When to use this

  • A public web app, documentation site, admin surface, or sign-in page is approaching its first production launch.
  • A framework, middleware, CDN, load balancer, or reverse-proxy migration may have changed response headers.
  • A CSP rollout is moving from Content-Security-Policy-Report-Only to an enforced policy.
  • Apex, www, locale, redirect, error, or authenticated routes may be returning different header sets.
  • The target is private or sensitive and you need a local paste-first review instead of a remote URL scanner.

Steps

  1. Step 1

    Define the responses that represent the release

    List the canonical HTML page, apex and www hosts, locale routes, sign-in or account surface, one error response, and any redirect entry point. Include API responses only when their own policy behavior matters; not every document-only header belongs on JSON or image responses.

  2. Step 2

    Capture the deployed edge, not the development server

    Run `curl -I https://example.com/path` or copy response headers from browser DevTools. Capture what users receive after the CDN and proxy. If authentication is required, use DevTools or an approved local command, then remove Cookie, Authorization, Set-Cookie, tokens, internal addresses, and request IDs before storing or sharing evidence.

  3. Step 3

    Preserve redirects and identify the final response

    When using `curl -IL`, keep block boundaries and status lines. Paste the chain into Security Headers Checker and confirm the reported active block is the final response. Review earlier HTTP-to-HTTPS redirects separately because RFC 6797 HSTS is honored only when received over secure transport.

  4. Step 4

    Resolve enforcement gaps before cosmetic differences

    Address high-risk and warning findings in order: HSTS max-age=0, empty or ineffective enforced CSP, high-impact unsafe CSP sources, missing nosniff, and absent document framing control. Treat Content-Security-Policy-Report-Only as monitoring, not protection, and confirm that any repeated singleton header is not being injected by competing layers.

  5. Step 5

    Inspect policy details with the focused analyzers

    Open CSP Header Analyzer for directive-level review, nonces, hashes, source expressions, and duplicate directives. Use HTTP Header Parser when you need every hop, secret redaction, malformed-line diagnostics, or duplicate disposition rather than the security overview.

  6. Step 6

    Test behavior after changing the headers

    Reload the real routes and exercise sign-in, authorization failures, forms, uploads, downloads, embedded content, popups, workers, fonts, analytics consent, and third-party assets. Inspect CSP reports and browser console output. A stricter header that breaks required behavior is not a finished deployment.

  7. Step 7

    Record and repeat the live check

    Save the secret-reduced report with the release commit, timestamp, host, path, status, and owning deployment layer. Re-run the same matrix after production stabilizes. Keep dependency review, authentication and authorization tests, session checks, TLS validation, and threat-specific testing as separate release gates.

Example

Final production HTML response with an enforced baseline

Input

HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp

Output

Final response block: 1
Response kind: document
Detected security headers: 7
Missing recommended headers: 0
Warnings: 0
High-risk findings: 0
Enforced CSP and a complete COOP/COEP isolation pair are present.

Common mistakes

Capturing localhost instead of the public edge

Local middleware cannot prove what the CDN, proxy, cache, or hosting platform sends. Capture the deployed host and every important alternate route.

Counting Report-Only as enforced CSP

Report-Only is valuable rollout telemetry but it does not block a violating resource or enforce frame-ancestors. Keep an explicit migration step to Content-Security-Policy.

Copying HSTS options without owning every subdomain

A long max-age and includeSubDomains create durable browser behavior. Confirm HTTPS coverage, certificate automation, recovery ownership, and subdomain inventory before deployment.

Looking only at the first redirect block

A strong 301 does not protect a weak destination. Check the final response and separately verify the HTTP-to-HTTPS redirect, alternate hosts, and error paths.

Stopping after the header report

A clean header overview cannot detect broken authorization, insecure sessions, vulnerable dependencies, server-side flaws, or business-logic abuse. Keep those tests explicit.

FAQ

Should I paste a private staging URL into the tool?

No URL is needed. Capture the headers yourself and paste the reduced block. The checker runs locally and does not authenticate to, fetch, or scan the target.

Why does the workflow keep redirect status lines?

Status lines preserve response boundaries so the final response can be identified. They also make it possible to review the HTTP-to-HTTPS redirect separately from the destination page.

Is Content-Security-Policy-Report-Only enough for launch?

It is useful during rollout, but it only monitors. A launch baseline that depends on CSP protection needs a tested Content-Security-Policy header in enforcement mode.

Must I add COOP, COEP, and CORP to every site?

No. COOP and COEP are needed for cross-origin isolation use cases and can affect popups or third-party assets. CORP is a resource policy. Add them only with an architecture-specific reason and tests.

Why can repeated CSP fields be valid while repeated HSTS is flagged?

CSP defines multiple enforced policies as cumulative restrictions. RFC 6797 says a host should send one HSTS field and user agents process only the first repeated field.

What should accompany a clean header report?

Keep live route checks, TLS and redirect verification, CSP behavior tests, dependency review, authentication and authorization tests, session controls, and relevant threat testing.