Checking localhost instead of the deployed edge
Development servers often omit rules added by a CDN, reverse proxy, or hosting edge. Capture the public response that users actually receive, including apex, www, and locale routes.
Paste a bounded HTTP response-header capture and review the final response for enforced CSP, RFC 6797 HSTS, nosniff, framing, referrer, permissions, and cross-origin policy signals. The browser does not fetch the URL; it separates missing, malformed, report-only, and context-dependent evidence and never presents a header checklist as proof that the response, application, browser support, or every redirect hop is secure.
Continue with a related workflow or open the next tool that usually follows this task.
Use this workflow when a CSP blocks an expected resource, a candidate policy produces noisy reports, or a proxy changes the header you intended to ship. It combines local policy parsing with browser violation evidence and a final deployed-edge check, without treating static findings as a security certificate.
OpenRelated toolReview CSP policies, effective directives, source expressions, and enforcement context locally.
OpenRelated toolParse bounded HTTP header blocks locally with default secret masking and protocol diagnostics.
OpenRelated toolConvert one IDN between Unicode and Punycode with strict validation and label review.
OpenCapture the deployed response with curl -I, browser DevTools, CDN logs, or reverse-proxy output; remove cookies, authorization values, and unrelated secrets before sharing the capture.
Paste one response or a redirect chain. The checker parses bounded input locally and grades only the final response block.
Confirm the detected response kind. Explicit HTML receives document recommendations, explicit non-document content skips HTML-only omissions, and an unknown type is reviewed conservatively.
Resolve high-risk findings first, including HSTS max-age=0, ineffective enforced CSP, and high-impact wildcard or unsafe script sources.
Review warnings in deployment context: Report-Only is not enforcement, HSTS works only over HTTPS, and COOP plus COEP can affect popups and cross-origin assets.
Copy or download the report for a release checklist, then verify the live edge again and continue with authentication, authorization, dependency, and application-security tests.
Compare the final public HTML response with a release baseline after middleware, framework, CDN, or reverse-proxy changes.
Detect when a CSP rollout still monitors with Report-Only but never moved the intended policy into enforcement.
Inspect redirect chains and alternate hosts to find an apex, www, locale, or error response that lost the intended headers.
Check whether COOP and COEP form an isolation pair before enabling APIs that require a cross-origin-isolated document.
Attach a repeatable, secret-reduced summary to pull requests, incident notes, and deployment checklists without submitting an internal URL to a third party.
Development servers often omit rules added by a CDN, reverse proxy, or hosting edge. Capture the public response that users actually receive, including apex, www, and locale routes.
Content-Security-Policy-Report-Only records violations but does not block them. Keep it for rollout telemetry, but do not count it as an enforced CSP baseline.
A curl capture can contain a redirect and a final response. Review each hop deliberately and make sure the final HTML response, not only the redirect, carries the intended policy.
HSTS received over insecure HTTP is ignored, max-age=0 removes the cached policy, and includeSubDomains can break subdomains that lack HTTPS. Confirm transport and ownership before copying a template.
Headers reduce specific browser risks; they do not test authorization, session handling, dependency vulnerabilities, server configuration, or application logic. Keep those checks in the release plan.
An HTML response with a one-year HSTS policy, enforced CSP framing control, nosniff, a conservative referrer policy, scoped permissions, and a complete COOP/COEP isolation pair.
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corpDocument response; 7 security headers detected; 0 missing recommendations; 0 warnings; 0 high-risk findings. Enforced CSP and a complete COOP/COEP isolation pair are present.The monitoring policy is useful for rollout data, but it does not enforce CSP or frame-ancestors. The report keeps enforced CSP and framing protection in the missing list.
HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000
content-security-policy-report-only: default-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: no-referrer
permissions-policy: geolocation=()Report-Only CSP detected without an enforced Content-Security-Policy. Enforced CSP and frame protection still require review.An explicit JSON response is classified as non-document content, so document-only CSP, framing, referrer, and permissions omissions are not reported as baseline failures.
HTTP/2 200
content-type: application/json
strict-transport-security: max-age=31536000
x-content-type-options: nosniffNon-document response; HSTS and nosniff detected; document-only recommendations skipped; 0 warnings; 0 high-risk findings.The bounded HTTP parser separates response blocks and analyzes the final block, which prevents a strong redirect from hiding a weak final HTML response. A request start line is rejected instead of being graded as a response.
RFC 6797 HSTS processing uses only a header received over secure transport. The checker accepts token or quoted max-age values, treats max-age=0 as policy removal, uses the first repeated HSTS field, and does not require the optional preload token.
W3C CSP defines Content-Security-Policy as enforced and Content-Security-Policy-Report-Only as monitored. Multiple enforced CSP fields are allowed because every policy is enforced; Report-Only frame-ancestors never counts as frame protection.
Referrer-Policy can contain fallback tokens. Following the specification algorithm, the last recognized token becomes effective; same-origin, no-referrer, strict-origin, and strict-origin-when-cross-origin receive the conservative result.
COOP values and COEP values are validated separately. Cross-origin isolation is marked complete only for COOP same-origin together with COEP require-corp or credentialless; CORP is reported as a resource policy, not a universal page requirement.
All processing remains in the browser and raw cookies or authorization headers are excluded from the generated security report. Input limits protect the page from oversized captures, and the findings do not replace a full security audit.
No. It analyzes pasted headers locally and reports bounded, conservative review hints. It is not a penetration test, vulnerability scan, or complete security audit.
No. Copy response headers from curl -I, browser DevTools, a CDN log, or a reverse proxy. The tool does not fetch the URL, authenticate to it, or send the pasted capture to a scanner.
Content-Security-Policy is enforced. Content-Security-Policy-Report-Only monitors violations without blocking them, so a Report-Only header alone remains a rollout gap.
RFC 6797 requires HSTS to arrive over secure transport. A max-age of 0 removes the cached HSTS policy; a long max-age is useful only after every affected host is reliably available over HTTPS.
The parser uses the final block because curl and proxy captures commonly include redirects or interim responses. Inspect earlier hops separately when their redirect and transport behavior also matters.
No. CSP and frame protection primarily matter for documents, while cross-origin isolation is application-specific. An explicit non-document Content-Type suppresses document-only missing-header findings.
Yes. Repeated enforced CSP fields are allowed and each policy further restricts the response. Repeated singleton fields such as HSTS or X-Frame-Options are flagged for review instead.
Maintained and tested by SimpleWebUtilsReviewed
Method: Using Security Headers Checker, we reproduced “Final production HTML response with an enforced baseline” from the exact sample input. The result comparison covered “Capture the deployed edge, not the development server” and “Preserve redirects and identify the final response”; the linked test evidence was then checked for “Counting Report-Only as enforced CSP” and “Copying HSTS options without owning every subdomain”.
Expected result: The final document response yielded seven detected headers, zero missing recommendations, zero warnings, and an enforced CSP; localhost and redirect-only captures did not satisfy the same check.
Sources and standards
Use these focused guides when you need a practical workflow before opening the tool.
Use this workflow when a CSP blocks an expected resource, a candidate policy produces noisy reports, or a proxy changes the header you intended to ship. It combines local policy parsing with browser violation evidence and a final deployed-edge check, without treating static findings as a security certificate.
Workflow guideUse this workflow when a browser request, API response, redirect, or CDN cache behaves differently than expected and you need a bounded, redacted header-level record before editing configuration.
Workflow guideUse this workflow when an internationalized hostname appears as readable Unicode in one place and xn-- ASCII labels in another, and you need a precise comparison without confusing conversion with registration or security approval.
Workflow guideHTML-to-Pug conversion removes repetitive tag rewriting, but a dependable migration also needs a source baseline, dependency inventory, active-code redesign, explicit template locals, and tests in the destination application. This workflow converts one coherent view, checks browser normalization and preserved events or URLs, moves page dependencies, adds only the Pug logic the application needs, and verifies the compiled HTML rather than approving a file because its syntax parses.
Workflow guideUse this workflow to turn a curl -I or DevTools capture into repeatable release evidence. It checks the final response locally, separates enforced CSP from Report-Only monitoring, preserves deployment context, and ends with live verification plus the application checks that response headers cannot cover.
Continue with another maintained workflow
Review CSP policies, effective directives, source expressions, and enforcement context locally.
Parse bounded HTTP header blocks locally with default secret masking and protocol diagnostics.
Convert one IDN between Unicode and Punycode with strict validation and label review.
Strictly decode JWT structure and time claims locally without verifying the signature.
Parse absolute URLs or resolve references with raw, decoded, normalized, and duplicate-query views.