Tool 05 — Web Security

HTTP Header Analyzer

Scan any URL or paste response headers to get a full security audit. Identifies missing, weak, or misconfigured security headers.


What are HTTP security headers?

HTTP security headers are response headers that a web server sends along with every page, telling the browser how to behave in ways that improve security. They are one of the easiest and most impactful security improvements a developer can make — a few lines of server configuration can mitigate entire classes of attacks like clickjacking, cross-site scripting (XSS), and protocol downgrade attacks.

Missing or misconfigured security headers are consistently listed in the OWASP Top 10 and appear in the majority of web application penetration test reports. Yet they are often overlooked because they have no visible effect on the user experience — the protection happens silently in the browser.

The critical security headers explained

Strict-Transport-Security (HSTS) [critical]

Forces browsers to use HTTPS for future visits, even if the user types http://. Prevents SSL stripping attacks. Recommended value: max-age=31536000; includeSubDomains; preload. The preload directive signals that your domain is eligible for inclusion in browsers' hardcoded HSTS preload list.

Content-Security-Policy (CSP) [critical]

Defines which sources the browser is allowed to load scripts, styles, images, and other resources from. A properly configured CSP is the most effective defense against XSS attacks. Difficult to configure correctly — use the CSP Generator to build one.

X-Frame-Options [important]

Prevents your page from being embedded in an iframe on another site, blocking clickjacking attacks. Values: DENY (never allow framing) or SAMEORIGIN (allow framing from same origin). Superseded by frame-ancestors in CSP, but still needed for older browsers.

X-Content-Type-Options [important]

Prevents browsers from MIME-type sniffing — guessing the content type of a response. Without this, a browser might execute a file served as text/plain as JavaScript if the content looks like a script. Set to nosniff.

Referrer-Policy [recommended]

Controls how much referrer information is sent when navigating away from your site. Recommended: strict-origin-when-cross-origin — sends the origin only (not full URL) for cross-origin requests, full URL for same-origin.

Permissions-Policy [recommended]

Controls which browser features and APIs the page (and embedded iframes) can access — camera, microphone, geolocation, payment. Restricting unused features reduces the attack surface if XSS occurs. Example: camera=(), microphone=(), geolocation=().

Headers that reveal too much (server fingerprinting)

Some headers actively hurt your security by giving attackers information about your server software:

These headers should be removed or suppressed in production. They provide zero value to legitimate users and significant value to attackers.
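As an added example (not the analyzer's own code), the checks described in the two sections above can be run over a pasted header block; it uses the page's severity labels and assumes the usual fingerprinting header names (Server, X-Powered-By, X-AspNet-Version), since the page's own list is not shown.

```python
import re

# Assumption: the usual fingerprinting headers; the page's own list is not shown.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def parse_headers(raw):
    # Turn a pasted 'Name: value' block into a dict keyed by lowercase name.
    headers = {}
    for line in raw.strip().splitlines():
        if ":" in line and not line.startswith("HTTP/"):  # skip the status line
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    # Return (severity, header, finding) tuples using the page's severity labels.
    h, out = parse_headers(raw), []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("critical", "Strict-Transport-Security", "missing"))
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < 31536000:  # less than one year
            out.append(("critical", "Strict-Transport-Security", "max-age below 31536000"))
        if "includesubdomains" not in hsts.lower():
            out.append(("important", "Strict-Transport-Security", "includeSubDomains not set"))
    csp = h.get("content-security-policy", "")
    if not csp:
        out.append(("critical", "Content-Security-Policy", "missing"))
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp):
        out.append(("critical", "Content-Security-Policy", "script-src allows 'unsafe-inline'"))
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:  # CSP supersedes XFO
        out.append(("important", "X-Frame-Options", "missing or not DENY/SAMEORIGIN"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("important", "X-Content-Type-Options", "not set to nosniff"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            out.append(("recommended", name, "missing"))
    for name in FINGERPRINT_HEADERS:
        if name in h:
            out.append(("info", name, "discloses server software: " + h[name]))
    return out

# Constructed sample response (not captured from any real server).
SAMPLE = """HTTP/1.1 200 OK
Server: ExampleHTTPD/1.2
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
"""
```

Running audit(SAMPLE) reports the short HSTS max-age, the missing includeSubDomains, the unsafe-inline script source, the absent framing protection, the two missing recommended headers and the Server disclosure.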

How to add security headers to your site
