Document Workflow
Check the final response security headers before launch
Capture the deployed edge response, distinguish enforced policies from monitoring, and verify security-header behavior across redirects before a public release.
Written and tested by SimpleWebUtilsPublished: Reviewed:
How this workflow was checked
Using Security Headers Checker, we reproduced “Final production HTML response with an enforced baseline” from the exact sample input. The result comparison covered “Capture the deployed edge, not the development server” and “Preserve redirects and identify the final response”; the linked test evidence was then checked for “Counting Report-Only as enforced CSP” and “Copying HSTS options without owning every subdomain”.
The final document response yielded seven detected headers, zero missing recommendations, zero warnings, and an enforced CSP; localhost and redirect-only captures did not satisfy the same check.
Problem
Security headers are rarely owned by one file. Application middleware may set CSP, a framework may add X-Content-Type-Options, a reverse proxy may replace Referrer-Policy, and a CDN may attach HSTS only on selected hosts. A local page can therefore look correct while the final public HTML response is missing protection. Redirect captures add another trap: the first 301 response may be well configured while the destination is weaker. Report-Only can also look like CSP even though it records violations without blocking them. Copying a generic header template is not enough because HSTS received outside secure transport is ignored, includeSubDomains can make unprepared hosts unreachable, CSP can break required resources, and COOP or COEP can change popup and asset behavior. A useful launch check must inspect the actual edge response, record which block was analyzed, distinguish presence from enforcement, avoid exposing internal URLs or authorization material, and stay explicit that header review is only one part of application security.
Sources and standards
These authoritative references define the formats or security boundaries used in this workflow. Tool-specific verification is documented separately above.
- RFC 9110: HTTP Semantics
RFC Editor / IETF
- RFC 6797: HTTP Strict Transport Security (HSTS)
RFC Editor / IETF
- Content Security Policy Level 3
World Wide Web Consortium (W3C)
When to use this
- A public web app, documentation site, admin surface, or sign-in page is approaching its first production launch.
- A framework, middleware, CDN, load balancer, or reverse-proxy migration may have changed response headers.
- A CSP rollout is moving from Content-Security-Policy-Report-Only to an enforced policy.
- Apex, www, locale, redirect, error, or authenticated routes may be returning different header sets.
- The target is private or sensitive and you need a local paste-first review instead of a remote URL scanner.
Steps
- Step 1
Define the responses that represent the release
List the canonical HTML page, apex and www hosts, locale routes, sign-in or account surface, one error response, and any redirect entry point. Include API responses only when their own policy behavior matters; not every document-only header belongs on JSON or image responses.
- Step 2
Capture the deployed edge, not the development server
Run `curl -I https://example.com/path` or copy response headers from browser DevTools. Capture what users receive after the CDN and proxy. If authentication is required, use DevTools or an approved local command, then remove Cookie, Authorization, Set-Cookie, tokens, internal addresses, and request IDs before storing or sharing evidence.
- Step 3
Preserve redirects and identify the final response
When using `curl -IL`, keep block boundaries and status lines. Paste the chain into Security Headers Checker and confirm the reported active block is the final response. Review earlier HTTP-to-HTTPS redirects separately because RFC 6797 HSTS is honored only when received over secure transport.
- Step 4
Resolve enforcement gaps before cosmetic differences
Address high-risk and warning findings in order: HSTS max-age=0, empty or ineffective enforced CSP, high-impact unsafe CSP sources, missing nosniff, and absent document framing control. Treat Content-Security-Policy-Report-Only as monitoring, not protection, and confirm that any repeated singleton header is not being injected by competing layers.
- Step 5
Inspect policy details with the focused analyzers
Open CSP Header Analyzer for directive-level review, nonces, hashes, source expressions, and duplicate directives. Use HTTP Header Parser when you need every hop, secret redaction, malformed-line diagnostics, or duplicate disposition rather than the security overview.
- Step 6
Test behavior after changing the headers
Reload the real routes and exercise sign-in, authorization failures, forms, uploads, downloads, embedded content, popups, workers, fonts, analytics consent, and third-party assets. Inspect CSP reports and browser console output. A stricter header that breaks required behavior is not a finished deployment.
- Step 7
Record and repeat the live check
Save the secret-reduced report with the release commit, timestamp, host, path, status, and owning deployment layer. Re-run the same matrix after production stabilizes. Keep dependency review, authentication and authorization tests, session checks, TLS validation, and threat-specific testing as separate release gates.
Example
Final production HTML response with an enforced baseline
Input
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corpOutput
Final response block: 1
Response kind: document
Detected security headers: 7
Missing recommended headers: 0
Warnings: 0
High-risk findings: 0
Enforced CSP and a complete COOP/COEP isolation pair are present.Common mistakes
Capturing localhost instead of the public edge
Local middleware cannot prove what the CDN, proxy, cache, or hosting platform sends. Capture the deployed host and every important alternate route.
Counting Report-Only as enforced CSP
Report-Only is valuable rollout telemetry but it does not block a violating resource or enforce frame-ancestors. Keep an explicit migration step to Content-Security-Policy.
Copying HSTS options without owning every subdomain
A long max-age and includeSubDomains create durable browser behavior. Confirm HTTPS coverage, certificate automation, recovery ownership, and subdomain inventory before deployment.
Looking only at the first redirect block
A strong 301 does not protect a weak destination. Check the final response and separately verify the HTTP-to-HTTPS redirect, alternate hosts, and error paths.
Stopping after the header report
A clean header overview cannot detect broken authorization, insecure sessions, vulnerable dependencies, server-side flaws, or business-logic abuse. Keep those tests explicit.
FAQ
Should I paste a private staging URL into the tool?
No URL is needed. Capture the headers yourself and paste the reduced block. The checker runs locally and does not authenticate to, fetch, or scan the target.
Why does the workflow keep redirect status lines?
Status lines preserve response boundaries so the final response can be identified. They also make it possible to review the HTTP-to-HTTPS redirect separately from the destination page.
Is Content-Security-Policy-Report-Only enough for launch?
It is useful during rollout, but it only monitors. A launch baseline that depends on CSP protection needs a tested Content-Security-Policy header in enforcement mode.
Must I add COOP, COEP, and CORP to every site?
No. COOP and COEP are needed for cross-origin isolation use cases and can affect popups or third-party assets. CORP is a resource policy. Add them only with an architecture-specific reason and tests.
Why can repeated CSP fields be valid while repeated HSTS is flagged?
CSP defines multiple enforced policies as cumulative restrictions. RFC 6797 says a host should send one HSTS field and user agents process only the first repeated field.
What should accompany a clean header report?
Keep live route checks, TLS and redirect verification, CSP behavior tests, dependency review, authentication and authorization tests, session controls, and relevant threat testing.