This tool audits HTTP response headers for security compliance by analyzing the raw headers you paste — it never makes a network request, so it works for internal/behind-auth/CORS-restricted sites, CI artifacts, or documentation examples.
How it differs from the HTTP Headers Analyzer: that tool fetches a URL live and only checks header presence (boolean). This tool does deep value-level checks across a fuller header set.
What it checks (12 headers, value-level):
- Critical (missing or wrong = high risk): HSTS (max-age ≥ 31536000, includeSubDomains, preload), Content-Security-Policy (no unsafe-inline/unsafe-eval/wildcard, has default-src or script-src), X-Content-Type-Options (must be nosniff).
- Warning (recommended): X-Frame-Options (DENY/SAMEORIGIN; notes CSP frame-ancestors supersedes it), Referrer-Policy (not unsafe-url/no-referrer-when-downgrade), Permissions-Policy.
- Info (bonus isolation hardening): Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, X-Permitted-Cross-Domain-Policies, Clear-Site-Data, Cache-Control.
Input format: raw HTTP response headers — one Name: Value per line, as produced by curl -I, browser DevTools Network tab, or HTTP dumps. Status lines (HTTP/1.1 200 OK) and blank lines are skipped automatically.
Grading (deduction from 100): −20 per critical, −8 per warning. Letter grade from A+ to F. Each finding shows the current value, what's wrong, and a copy-ready recommended header value.
This tool only inspects security headers — it does not check information-disclosure headers (Server/X-Powered-By) or cookie attributes. Use it to harden a site's response-header posture before shipping.