Security Headers Checker | Inspect HTTP Response Headers

Security

Runs in Your Browser (No Uploads)

Check pasted HTTP response headers for HSTS, CSP, nosniff, frame protection, referrer policy, permissions policy, and cross-origin isolation review hints without sending data to a server.



How to Use This Tool

  1. Paste HTTP response headers from curl -I, DevTools, CDN logs, deployment logs, or reverse proxy output.

  2. Review detected security headers, missing recommended headers, warnings, and informational findings.

  3. Use the grouped cards to inspect transport, content and framing, privacy, permissions, and cross-origin isolation signals.

  4. Copy or download the localized report for deployment notes or pull request reviews.

  5. Treat the output as review hints, not as a complete security audit.

When to Use This Tool

Deployment Review

Review production response headers copied from curl -I before or after deployment.

Security Header Baseline

Check HSTS, CSP, nosniff, frame protection, and referrer policy while tightening a web app baseline.

Infrastructure Debugging

Compare CDN, reverse proxy, and framework headers without sending internal hostnames to a server.

Review Notes

Create readable findings for pull requests, incident notes, or launch checklists.

Examples

Review a strong response header set

Input:

HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()

Output:

Total response headers: 5
Detected security headers: 5
Missing recommended headers: 0
Warnings: 0

Findings:
- Info: Strong HSTS policy with one year or longer max-age, includeSubDomains, and preload
- Info: Content-Security-Policy header detected
- Info: x-content-type-options uses nosniff
- Info: Frame protection detected
- Info: Referrer-Policy uses a stricter value

Find missing response security headers

Input:

HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
server: example

Output:

Total response headers: 2
Detected security headers: 0
Missing recommended headers: 6
Warnings: 5

Findings:
- Warning: Missing Strict-Transport-Security header
- Warning: Missing Content-Security-Policy header
- Warning: Missing x-content-type-options nosniff header
- Warning: Missing frame protection header or CSP frame-ancestors directive
- Warning: Missing Referrer-Policy header
- Info: Permissions-Policy is not present

How Security Header Checking Works

The checker reuses the HTTP header parser to normalize names and detect duplicate header names.

Security header names are matched case-insensitively and grouped into transport, content and framing, privacy and permissions, and cross-origin isolation sections.

HSTS max-age is parsed as seconds and compared with a one-year threshold.

Frame protection accepts either X-Frame-Options DENY or SAMEORIGIN, or a CSP frame-ancestors directive.

Findings are conservative hints. Missing COOP, CORP, and COEP are not treated as high risk because isolation requirements depend on the application.
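The checks described above, written out as an added JavaScript example (not the tool's own code): the header parser keeps every occurrence of a name so duplicates can be flagged, HSTS max-age is compared against an assumed one-year threshold of 31536000 seconds, frame protection accepts X-Frame-Options DENY or SAMEORIGIN or a CSP frame-ancestors directive, and COOP, CORP and COEP are reported as Info only. The finding strings are constructed here and only loosely follow the report wording shown in the examples.

```javascript
// Added example, not the tool's own code. Assumes one year = 31536000 seconds for HSTS.
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;
// Parse raw response text into a Map of lower-cased name -> [values]; every occurrence is kept.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || /^HTTP\//i.test(line)) continue; // skip status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}
function checkSecurityHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const first = (n) => (h.get(n) || [])[0];
  let total = 0;
  for (const [name, values] of h) {
    total += values.length;
    if (values.length > 1) findings.push(`Warning: Duplicate header ${name}`);
  }
  const hsts = first('strict-transport-security');
  if (!hsts) findings.push('Warning: Missing Strict-Transport-Security header');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const age = m ? Number(m[1]) : 0;
    if (age >= ONE_YEAR_SECONDS) findings.push('Info: HSTS max-age is one year or longer');
    else findings.push(`Warning: HSTS max-age ${age} is below one year`);
  }
  const csp = first('content-security-policy');
  if (!csp) findings.push('Warning: Missing Content-Security-Policy header');
  // Frame protection: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
  const xfo = (first('x-frame-options') || '').toUpperCase();
  const hasFrameAncestors = Boolean(csp) && /(^|;)\s*frame-ancestors\b/i.test(csp);
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN' || hasFrameAncestors) findings.push('Info: Frame protection detected');
  else findings.push('Warning: Missing frame protection header or CSP frame-ancestors directive');
  if ((first('x-content-type-options') || '').toLowerCase() !== 'nosniff')
    findings.push('Warning: Missing x-content-type-options nosniff header');
  if (!first('referrer-policy')) findings.push('Warning: Missing Referrer-Policy header');
  if (!first('permissions-policy')) findings.push('Info: Permissions-Policy is not present');
  // COOP, CORP and COEP are Info only; isolation requirements depend on the application.
  for (const n of ['cross-origin-opener-policy', 'cross-origin-resource-policy', 'cross-origin-embedder-policy'])
    if (!h.has(n)) findings.push(`Info: ${n} is not present`);
  return { total, warnings: findings.filter((f) => f.startsWith('Warning')).length, findings };
}
```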

Frequently Asked Questions

Q. Does this certify that my site is secure?

A. No. The checker reports conservative review hints for response headers. It does not prove that a site is secure or complete.

Q. Can it scan a live website?

A. No. Paste headers from curl, DevTools, CDN logs, deployment logs, or reverse proxy output. The first version does not fetch live URLs.

Q. Which headers are checked?

A. It checks Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options or CSP frame-ancestors, Referrer-Policy, Permissions-Policy, COOP, CORP, and COEP.
