Tool
HTTP Headers Inspector
Fetch and inspect HTTP response headers for any URL. Highlights missing security headers like HSTS, CSP, and X-Frame-Options.
This tool performs non-intrusive analysis of publicly available HTTP response headers. No data is stored or logged.
About
What Are HTTP Headers?
HTTP headers are metadata sent alongside every web request and response. Response headers tell the browser how to handle content, cache resources, manage connections, and enforce security policies. They are invisible to end users but critical to the security posture of any web application.
Security headers are a specific class of response headers that activate browser-level defenses against common attacks — cross-site scripting, clickjacking, MIME sniffing, protocol downgrade, and information disclosure. Missing or misconfigured security headers are consistently among the top findings in web application penetration tests.
This tool fetches headers from any URL server-side and flags the presence or absence of 10+ security-relevant headers, giving you an instant hardening checklist without opening browser developer tools.
Security Headers
Key Security Headers Explained
Strict-Transport-Security
Forces browsers to use HTTPS for the specified duration (max-age). Once a browser has cached the policy it upgrades plain-HTTP requests itself, which blocks SSL stripping attacks on later connections; include 'includeSubDomains' and 'preload' (which ships the policy inside browsers, so even the first visit is protected) for maximum protection.
Content-Security-Policy
Defines allowed sources for scripts, styles, images, and other resources. A properly configured CSP prevents injected scripts from executing even if XSS vulnerabilities exist.
X-Frame-Options
Controls whether the page may be embedded in frames (DENY blocks all framing, SAMEORIGIN allows only the page's own origin). Blocks clickjacking attacks where attackers overlay invisible frames to hijack user interactions. Superseded by the CSP frame-ancestors directive.
X-Content-Type-Options
Setting this to 'nosniff' prevents browsers from MIME-sniffing responses — a technique attackers use to execute uploaded files as scripts by exploiting browser content detection.
Referrer-Policy
Controls how much referrer information is sent with requests. 'strict-origin-when-cross-origin' is the recommended value — it prevents leaking full URLs to third-party origins.
Permissions-Policy
Restricts access to browser features like camera, microphone, and geolocation. Limits damage if a third-party script loaded on the page attempts to access sensitive hardware APIs.
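An audit of the kind this tool performs, written here as an added example rather than the tool's own code: it takes any mapping of response headers (for instance dict(resp.headers) from urllib or requests), normalises the case-insensitive header names, and flags each header above as ok, missing or weak, checking the values the text recommends (HSTS max-age with includeSubDomains and preload, CSP script sources and frame-ancestors, nosniff, the strict referrer policies, presence of Permissions-Policy). The two sample header sets, the one-year max-age threshold and the set of referrer policies treated as safe are assumptions of the example, not data from the page.

```python
# Added example (not the tool's own code): audits a mapping of response
# headers offline; SAMPLE_WEAK/SAMPLE_HARDENED are constructed, not real sites.
from typing import Dict, List, Set, Tuple

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts (assumed threshold)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

# Constructed: short HSTS, inline scripts allowed, no framing control,
# leaky referrer policy, no Permissions-Policy.
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
# Constructed: the same site with every header set as recommended above.
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [lower-cased source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def parse_hsts(value: str) -> Tuple[int, Set[str]]:
    """Return (max-age seconds, {lower-cased flags}) from an HSTS value."""
    max_age, flags = 0, set()
    for d in (x.strip().lower() for x in value.split(";")):
        if d.startswith("max-age="):
            max_age = int(d[8:]) if d[8:].isdigit() else 0
        elif d:
            flags.add(d)
    return max_age, flags

def audit_headers(headers: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {header: (status, note)} with status 'ok', 'missing' or 'weak'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    out: Dict[str, Tuple[str, str]] = {}

    def report(name: str, notes: List[str]) -> None:
        out[name] = ("weak", "; ".join(notes)) if notes else ("ok", "")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out["Strict-Transport-Security"] = ("missing", "plain HTTP still accepted on later visits")
    else:
        max_age, flags = parse_hsts(hsts)
        notes = [f"max-age={max_age} is below one year"] if max_age < ONE_YEAR else []
        notes += [f"missing {f}" for f in ("includeSubDomains", "preload") if f.lower() not in flags]
        report("Strict-Transport-Security", notes)

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        out["Content-Security-Policy"] = ("missing", "injected scripts run unrestricted")
    else:
        # script-src falls back to default-src; these sources defeat the XSS protection
        script_src = csp.get("script-src", csp.get("default-src", []))
        notes = [f"script-src allows {s}" for s in ("'unsafe-inline'", "'unsafe-eval'", "*")
                 if s in script_src]
        if "frame-ancestors" not in csp:
            notes.append("no frame-ancestors directive")
        report("Content-Security-Policy", notes)

    xfo = h.get("x-frame-options")
    if csp is not None and "frame-ancestors" in csp:
        out["X-Frame-Options"] = ("ok", "superseded by CSP frame-ancestors")
    elif xfo is None:
        out["X-Frame-Options"] = ("missing", "page can be framed by any origin")
    else:
        report("X-Frame-Options", [] if xfo.upper() in ("DENY", "SAMEORIGIN")
               else [f"unexpected value {xfo!r}"])

    xcto = h.get("x-content-type-options")
    if xcto is None:
        out["X-Content-Type-Options"] = ("missing", "browser may MIME-sniff responses")
    else:
        report("X-Content-Type-Options", [] if xcto.lower() == "nosniff" else [f"{xcto!r} is not nosniff"])

    rp = h.get("referrer-policy")
    if rp is None:
        out["Referrer-Policy"] = ("missing", "relies on the browser default")
    else:
        chosen = rp.split(",")[-1].strip().lower()  # last listed policy wins in browsers
        report("Referrer-Policy", [] if chosen in SAFE_REFERRER else [f"{chosen} can leak full URLs"])

    out["Permissions-Policy"] = ("ok", "") if "permissions-policy" in h else (
        "missing", "third-party scripts may reach camera, microphone, geolocation")
    return out
```

Calling audit_headers(SAMPLE_WEAK) reports HSTS and CSP as weak (short max-age without preload, 'unsafe-inline' in script-src), X-Frame-Options and Permissions-Policy as missing and only X-Content-Type-Options as ok, while audit_headers(SAMPLE_HARDENED) reports every header as ok; for a live check, feed the function the header dict returned by whatever HTTP client you use.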
FAQ
Frequently Asked Questions
What are HTTP security headers?
Response headers that instruct browsers how to handle content, connections, and resources. They defend against XSS, clickjacking, MIME sniffing, and protocol downgrade attacks. Missing security headers are a top finding in web app security assessments.
What is HSTS and why does it matter?
HSTS (HTTP Strict Transport Security) tells browsers to only connect over HTTPS. Without it, attackers on the same network can intercept the initial HTTP request before the redirect to HTTPS — an SSL stripping attack.
What is a Content Security Policy?
A CSP header defines which sources can load scripts, styles, and resources. A properly configured CSP prevents injected scripts from executing even if an XSS vulnerability exists — it's one of the most impactful security headers.
What does X-Frame-Options do?
It controls whether a page can be embedded in an iframe. Either DENY or SAMEORIGIN prevents clickjacking attacks where an attacker layers an invisible iframe over a page to hijack user clicks on buttons and links.