Security Headers Checker | Final HTTP Response Review

SecurityRuns in Your Browser (No Uploads)

Paste a bounded HTTP response-header capture and review the final response for enforced CSP, RFC 6797 HSTS, nosniff, framing, referrer, permissions, and cross-origin policy signals. The browser does not fetch the URL; it separates missing, malformed, report-only, and context-dependent evidence and never presents a header checklist as proof that the response, application, browser support, or every redirect hop is secure.

What to do next

Continue with a related workflow or open the next tool that usually follows this task.

How to Use This Tool

Capture the deployed response with curl -I, browser DevTools, CDN logs, or reverse-proxy output; remove cookies, authorization values, and unrelated secrets before sharing the capture.

Paste one response or a redirect chain. The checker parses bounded input locally and grades only the final response block.

Confirm the detected response kind. Explicit HTML receives document recommendations, explicit non-document content skips HTML-only omissions, and an unknown type is reviewed conservatively.

Resolve high-risk findings first, including HSTS max-age=0, ineffective enforced CSP, and high-impact wildcard or unsafe script sources.

Review warnings in deployment context: Report-Only is not enforcement, HSTS works only over HTTPS, and COOP plus COEP can affect popups and cross-origin assets.

Copy or download the report for a release checklist, then verify the live edge again and continue with authentication, authorization, dependency, and application-security tests.

When to Use This Tool

Production launch review

Compare the final public HTML response with a release baseline after middleware, framework, CDN, or reverse-proxy changes.

CSP rollout verification

Detect when a CSP rollout still monitors with Report-Only but never moved the intended policy into enforcement.

Edge and redirect comparison

Inspect redirect chains and alternate hosts to find an apex, www, locale, or error response that lost the intended headers.

Cross-origin isolation preparation

Check whether COOP and COEP form an isolation pair before enabling APIs that require a cross-origin-isolated document.

Local review evidence

Attach a repeatable, secret-reduced summary to pull requests, incident notes, and deployment checklists without submitting an internal URL to a third party.

Common Mistakes

Checking localhost instead of the deployed edge

Development servers often omit rules added by a CDN, reverse proxy, or hosting edge. Capture the public response that users actually receive, including apex, www, and locale routes.

Treating Report-Only as protection

Content-Security-Policy-Report-Only records violations but does not block them. Keep it for rollout telemetry, but do not count it as an enforced CSP baseline.

Reading the wrong response block

A curl capture can contain a redirect and a final response. Review each hop deliberately and make sure the final HTML response, not only the redirect, carries the intended policy.

Enabling HSTS without checking HTTPS coverage

HSTS received over insecure HTTP is ignored, max-age=0 removes the cached policy, and includeSubDomains can break subdomains that lack HTTPS. Confirm transport and ownership before copying a template.

Using a clean report as a security certificate

Headers reduce specific browser risks; they do not test authorization, session handling, dependency vulnerabilities, server configuration, or application logic. Keep those checks in the release plan.

Examples

Review a deliberate HTML baseline

An HTML response with a one-year HSTS policy, enforced CSP framing control, nosniff, a conservative referrer policy, scoped permissions, and a complete COOP/COEP isolation pair.

Input
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains
content-security-policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
Output
Document response; 7 security headers detected; 0 missing recommendations; 0 warnings; 0 high-risk findings. Enforced CSP and a complete COOP/COEP isolation pair are present.

Catch a Report-Only rollout gap

The monitoring policy is useful for rollout data, but it does not enforce CSP or frame-ancestors. The report keeps enforced CSP and framing protection in the missing list.

Input
HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000
content-security-policy-report-only: default-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: no-referrer
permissions-policy: geolocation=()
Output
Report-Only CSP detected without an enforced Content-Security-Policy. Enforced CSP and frame protection still require review.

Avoid HTML-only warnings on an API response

An explicit JSON response is classified as non-document content, so document-only CSP, framing, referrer, and permissions omissions are not reported as baseline failures.

Input
HTTP/2 200
content-type: application/json
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
Output
Non-document response; HSTS and nosniff detected; document-only recommendations skipped; 0 warnings; 0 high-risk findings.

How the security-header review is calculated

The bounded HTTP parser separates response blocks and analyzes the final block, which prevents a strong redirect from hiding a weak final HTML response. A request start line is rejected instead of being graded as a response.

RFC 6797 HSTS processing uses only a header received over secure transport. The checker accepts token or quoted max-age values, treats max-age=0 as policy removal, uses the first repeated HSTS field, and does not require the optional preload token.

W3C CSP defines Content-Security-Policy as enforced and Content-Security-Policy-Report-Only as monitored. Multiple enforced CSP fields are allowed because every policy is enforced; Report-Only frame-ancestors never counts as frame protection.

Referrer-Policy can contain fallback tokens. Following the specification algorithm, the last recognized token becomes effective; same-origin, no-referrer, strict-origin, and strict-origin-when-cross-origin receive the conservative result.

COOP values and COEP values are validated separately. Cross-origin isolation is marked complete only for COOP same-origin together with COEP require-corp or credentialless; CORP is reported as a resource policy, not a universal page requirement.

All processing remains in the browser and raw cookies or authorization headers are excluded from the generated security report. Input limits protect the page from oversized captures, and the findings do not replace a full security audit.

Frequently Asked Questions

Does a clean result prove that my site is secure?

No. It analyzes pasted headers locally and reports bounded, conservative review hints. It is not a penetration test, vulnerability scan, or complete security audit.

Does the checker request my website?

No. Copy response headers from curl -I, browser DevTools, a CDN log, or a reverse proxy. The tool does not fetch the URL, authenticate to it, or send the pasted capture to a scanner.

Why does Report-Only not satisfy the CSP check?

Content-Security-Policy is enforced. Content-Security-Policy-Report-Only monitors violations without blocking them, so a Report-Only header alone remains a rollout gap.

Why is HSTS max-age=0 high risk?

RFC 6797 requires HSTS to arrive over secure transport. A max-age of 0 removes the cached HSTS policy; a long max-age is useful only after every affected host is reliably available over HTTPS.

Which response is checked when I paste several blocks?

The parser uses the final block because curl and proxy captures commonly include redirects or interim responses. Inspect earlier hops separately when their redirect and transport behavior also matters.

Does every API response need every listed header?

No. CSP and frame protection primarily matter for documents, while cross-origin isolation is application-specific. An explicit non-document Content-Type suppresses document-only missing-header findings.

Can a response contain more than one CSP field?

Yes. Repeated enforced CSP fields are allowed and each policy further restricts the response. Repeated singleton fields such as HSTS or X-Frame-Options are flagged for review instead.

How This Tool Was Verified

Maintained and tested by Reviewed

Method: Using Security Headers Checker, we reproduced “Final production HTML response with an enforced baseline” from the exact sample input. The result comparison covered “Capture the deployed edge, not the development server” and “Preserve redirects and identify the final response”; the linked test evidence was then checked for “Counting Report-Only as enforced CSP” and “Copying HSTS options without owning every subdomain”.

Expected result: The final document response yielded seven detected headers, zero missing recommendations, zero warnings, and an enforced CSP; localhost and redirect-only captures did not satisfy the same check.

Sources and standards

Open the tested workflow

Related workflow guides

Use these focused guides when you need a practical workflow before opening the tool.

Workflow guide

Analyze a Content-Security-Policy header before deployment

Use this workflow when a CSP blocks an expected resource, a candidate policy produces noisy reports, or a proxy changes the header you intended to ship. It combines local policy parsing with browser violation evidence and a final deployed-edge check, without treating static findings as a security certificate.

Workflow guide

Inspect HTTP response headers before debugging APIs

Use this workflow when a browser request, API response, redirect, or CDN cache behaves differently than expected and you need a bounded, redacted header-level record before editing configuration.

Workflow guide

Convert an international domain to Punycode for DNS checks

Use this workflow when an internationalized hostname appears as readable Unicode in one place and xn-- ASCII labels in another, and you need a precise comparison without confusing conversion with registration or security approval.

Workflow guide

Migrate a static HTML view to Pug without carrying over unsafe behavior

HTML-to-Pug conversion removes repetitive tag rewriting, but a dependable migration also needs a source baseline, dependency inventory, active-code redesign, explicit template locals, and tests in the destination application. This workflow converts one coherent view, checks browser normalization and preserved events or URLs, moves page dependencies, adds only the Pug logic the application needs, and verifies the compiled HTML rather than approving a file because its syntax parses.

Workflow guide

Check the final response security headers before launch

Use this workflow to turn a curl -I or DevTools capture into repeatable release evidence. It checks the final response locally, separates enforced CSP from Report-Only monitoring, preserves deployment context, and ends with live verification plus the application checks that response headers cannot cover.

Related Tools

Continue with another maintained workflow

Browse All Tools