DevToolkit

HTTP Security Headers Checker

Browser only

Paste raw HTTP response headers and review whether common security headers are present, reasonably configured, or exposing more than they should. All checking happens locally in your browser.

This checker is best effort. It can surface missing headers, risky values, and information leakage, but it does not replace a formal security review or application-specific tuning.

Deep dive

More context for HTTP Security Headers Checker

Useful when you want to sanity-check pasted response headers after you put a reverse proxy, TLS termination, or CDN in front of an application, since each of those layers can add, strip, or override the headers the application itself sends.

Overview

What is this tool?

It inspects pasted HTTP response headers locally in your browser and highlights common security headers, risky values, missing protections, and information-leakage banners.

Input samples

Example inputs

Mostly secure response (note that script-src still allows 'unsafe-inline', which the checker should flag)

HTTP/2 200 OK
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-frame-options: DENY
x-content-type-options: nosniff

Response with isolation headers

content-security-policy: default-src 'self'
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
cross-origin-embedder-policy: require-corp

Leaky banner example

server: nginx
x-powered-by: Express
referrer-policy: unsafe-url
permissions-policy: geolocation=*
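To make the checks above concrete, here is an added example of a small browser-style checker written for this page; it is not DevToolkit's own code. It parses pasted headers into a map, then applies a handful of rules covering the three sample inputs: presence of the common protections, permissive values such as 'unsafe-inline', unsafe-url and geolocation=*, recognition of the COOP/COEP isolation pair, and the Server / X-Powered-By banners the FAQ calls out. The thresholds (one-year HSTS), the finding levels, and the names parseHeaders, parseCsp, checkHeaders and check are assumptions chosen for illustration; the three sample inputs are copied from the example inputs above.

```javascript
// Added example (not DevToolkit's code): parse pasted response headers and report
// missing, risky, and information-leaking headers. Rule thresholds, finding levels
// and function names are assumptions chosen for illustration.

// Parse raw headers as pasted from DevTools or `curl -I` into a Map of
// lower-cased name -> [values]. The status line is skipped and repeated
// headers (for example several Set-Cookie lines) are kept as separate values.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (!trimmed || /^HTTP\/\d/i.test(trimmed)) continue; // blank or status line
    const idx = trimmed.indexOf(':');
    if (idx <= 0) continue; // not a header line; skip rather than fail
    const name = trimmed.slice(0, idx).trim().toLowerCase();
    const value = trimmed.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Split a CSP value into { directiveName: [sources...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Return findings as { level, header, message }. Levels: 'missing' (protection absent),
// 'risky' (present but permissive), 'leak' (fingerprinting detail), 'info' (recognised).
function checkHeaders(headers) {
  const findings = [];
  const get = (name) => (headers.get(name) || [])[0];
  const add = (level, header, message) => findings.push({ level, header, message });

  const hsts = get('strict-transport-security');
  if (hsts === undefined) add('missing', 'strict-transport-security', 'HSTS not set');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) add('risky', 'strict-transport-security', `max-age ${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) add('risky', 'strict-transport-security', 'includeSubDomains not set');
  }

  const csp = get('content-security-policy');
  let hasFrameAncestors = false;
  if (csp === undefined) add('missing', 'content-security-policy', 'no CSP');
  else {
    const d = parseCsp(csp);
    hasFrameAncestors = 'frame-ancestors' in d;
    const scriptSrc = d['script-src'] || d['default-src'] || []; // script-src falls back to default-src
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
      if (scriptSrc.includes(bad)) add('risky', 'content-security-policy', `script-src allows ${bad}`);
    }
  }

  // Either X-Frame-Options or CSP frame-ancestors counts as clickjacking protection.
  const xfo = get('x-frame-options');
  if (xfo === undefined && !hasFrameAncestors) add('missing', 'x-frame-options', 'no X-Frame-Options or frame-ancestors');
  else if (xfo !== undefined && !/^(DENY|SAMEORIGIN)$/i.test(xfo)) add('risky', 'x-frame-options', `unexpected value ${xfo}`);

  if ((get('x-content-type-options') || '').toLowerCase() !== 'nosniff') add('missing', 'x-content-type-options', 'nosniff not set');

  const referrer = get('referrer-policy');
  if (referrer === undefined) add('missing', 'referrer-policy', 'Referrer-Policy not set');
  else if (/^(unsafe-url|no-referrer-when-downgrade)$/i.test(referrer)) add('risky', 'referrer-policy', `${referrer} sends full URLs to cross-origin destinations`);

  // Permissions-Policy: a feature granted to * is usable from every embedded origin.
  const perms = get('permissions-policy') || '';
  for (const m of perms.matchAll(/([a-z-]+)=\*/gi)) add('risky', 'permissions-policy', `${m[1]} granted to all origins`);

  // COOP same-origin plus COEP require-corp/credentialless is what enables cross-origin isolation.
  const coop = get('cross-origin-opener-policy') || '';
  const coep = get('cross-origin-embedder-policy') || '';
  if (/^same-origin$/i.test(coop) && /^(require-corp|credentialless)$/i.test(coep)) {
    add('info', 'cross-origin-embedder-policy', 'cross-origin isolation enabled (COOP same-origin + COEP)');
  }

  // Banners are not vulnerabilities by themselves, but they make fingerprinting easier.
  for (const banner of ['server', 'x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version']) {
    const v = get(banner);
    if (v) add('leak', banner, `exposes ${v}`);
  }
  return findings;
}

// Convenience wrapper: raw pasted text in, findings out.
function check(raw) { return checkHeaders(parseHeaders(raw)); }

// The page's three example inputs, embedded so the script runs offline.
const SAMPLE_SECURE = ['HTTP/2 200 OK', 'strict-transport-security: max-age=31536000; includeSubDomains',
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'x-frame-options: DENY', 'x-content-type-options: nosniff'].join('\n');
const SAMPLE_ISOLATION = ["content-security-policy: default-src 'self'", 'cross-origin-opener-policy: same-origin',
  'cross-origin-resource-policy: same-origin', 'cross-origin-embedder-policy: require-corp'].join('\n');
const SAMPLE_LEAKY = ['server: nginx', 'x-powered-by: Express', 'referrer-policy: unsafe-url',
  'permissions-policy: geolocation=*'].join('\n');

console.log(check(SAMPLE_LEAKY)); // 4 missing, 2 risky, 2 leak findings for the leaky banner sample
```

Run with `node checker.js` (file name assumed). The "mostly secure" sample produces two findings (the 'unsafe-inline' script source and the absent Referrer-Policy), the isolation sample produces four missing-header findings plus an info line confirming COOP+COEP were recognised, and the leaky sample produces eight, including the two banner leaks. Real checkers need more rules than this (Set-Cookie attributes, CSP nonces and hashes, HSTS preload), but the structure, parse once then run independent rules that each emit labelled findings, is the same.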

When to use it

Common use cases

  • Review headers copied from DevTools, `curl -I`, or a load balancer response. Note that `curl -I` sends a HEAD request, so a server that sets headers per route or method can answer differently than it does for a GET; `curl -sD - -o /dev/null URL` captures the headers of the actual GET response.
  • Spot missing security headers before you ship a site or service.
  • Catch permissive values and server banners that expose more stack detail than you want.

Related workflow

Continue with the tool chain that usually goes together here.

Debug website headers and CORS

Parse response headers, review security protections, generate CORS snippets, and prepare redirect rules for web apps.

Answers

FAQ

Does it request a URL or call a backend API?

No. It only checks the text you paste in the browser and does not request any URL.

Can it replace a formal security audit?

No. It is a best-effort checker that helps you spot common issues, but it is not a substitute for a real audit or application review.

Why are Server and X-Powered-By called out?

Those headers can leak platform details, often down to the exact product and version, which makes fingerprinting and targeted attacks easier. The tool highlights them even when they are not strictly broken, because removing or genericising them costs nothing.

Disclaimer

Disclaimer / limitation note

This is a best-effort security headers checker, not a replacement for a formal security audit. Results depend on your application, your hosting stack, and your response behavior, so you may need to adjust headers for your specific use case. The tool checks pasted headers only, does not request any URL, and keeps all analysis in your browser.

Privacy

Privacy note

All parsing happens locally in your browser. No headers are uploaded, no backend request is made, and DevToolkit does not store the text you paste here.