
Security Headers Analyzer

Analyze HTTP security headers of any website: CSP, HSTS, X-Frame-Options and 9 more. A+→F grade with OWASP recommendations.

The scan uses a public CORS proxy to bypass browser restrictions. Only the public HTTP response headers are read and no page content is sent, but note that the URL you scan is necessarily visible to the operator of that proxy.


Why are HTTP security headers important?

HTTP security headers are directives sent by the web server in the HTTP response, instructing the browser how to handle the page: which scripts may run, whether the page may be framed, whether plain HTTP may ever be used, how content types are sniffed. A misconfigured or absent header leaves the door open to XSS, clickjacking, content injection, man-in-the-middle (MITM) and session theft attacks. Configuring them correctly is one of the first recommendations in OWASP guidance.

The most critical headers

Content-Security-Policy (CSP) is the most powerful header: it defines the allowed sources for scripts, styles, images and iframes, so an injected script that does not come from an allowed source (or carry a valid nonce or hash) is not executed. CSP does not remove the injection itself, but it sharply limits what an XSS can do. Strict-Transport-Security (HSTS) makes the browser use HTTPS for every connection to the site for a defined period, protecting against downgrade and SSL-stripping attacks on plain HTTP connections.

Security grade A+ → F

Our analyzer assigns a score out of 100 based on the presence and configuration quality of 12 headers. Critical headers (CSP, HSTS) count more than secondary headers. An A+ grade means all required headers are present and correctly configured according to OWASP and Mozilla Observatory recommendations.

Frequently asked questions

Content-Security-Policy is the most powerful security header. It defines an allowlist of permitted sources for each type of resource (scripts, styles, images, iframes, fonts, network connections). A well-configured CSP neutralises most XSS (Cross-Site Scripting) attacks by refusing to execute scripts that are not on the list. The directive default-src 'self', for example, restricts every resource type to the page's own origin unless a more specific directive (script-src, img-src, ...) overrides it; because 'self' does not include 'unsafe-inline' or 'unsafe-eval', it also disables inline script blocks, inline event handlers and eval(), which is what stops a typical injected payload. Note that the check that matters for XSS is the effective script-src: if script-src is absent, browsers fall back to default-src.

Strict-Transport-Security (HSTS) tells the browser to always use HTTPS to connect to the site, for a duration defined by max-age. Without HSTS, a user visiting http://example.com is usually redirected to HTTPS, but that initial HTTP request is vulnerable to a MITM (Man-in-the-Middle) attacker who intercepts the redirect and keeps the victim on plain HTTP. With HSTS, once the browser has seen the header over HTTPS it rewrites every later http:// request for the site to https:// before sending it and refuses to bypass certificate errors. The very first visit is still unprotected, unless the domain is on the browser preload list (the preload directive, together with a max-age of at least one year and includeSubDomains, is required for submission). The includeSubDomains option extends the protection to all subdomains.

X-Frame-Options is the older method to protect against clickjacking: it accepts DENY (blocks all framing), SAMEORIGIN (allows framing only by the same origin) or ALLOW-FROM (deprecated and ignored by current browsers, so it offers no protection). CSP frame-ancestors is the modern, more flexible method: it supports multiple origins (frame-ancestors 'self' https://partner.com) and is supported by all modern browsers. It is recommended to send both for maximum compatibility with older browsers; when both are present, a browser that understands frame-ancestors uses it and ignores X-Frame-Options.

Use Manual input mode: open your browser developer tools (F12 → Network), reload the page, click the main document request and copy the response headers. Paste them into the manual input field. You can also use curl on the command line: curl -I https://example.com displays the HTTP response headers. Be aware that -I sends a HEAD request, and some servers attach different headers to HEAD than to GET; curl -s -D - -o /dev/null https://example.com shows the headers of a real GET response instead.

An A+ grade (score ≥ 95/100) means all critical security headers are present and correctly configured: a CSP whose effective script-src contains neither 'unsafe-eval' nor 'unsafe-inline', HSTS with max-age ≥ 1 year and includeSubDomains, X-Frame-Options set to DENY, X-Content-Type-Options set to nosniff, and the modern COEP/COOP/CORP headers for cross-origin isolation. This is the level achieved by sites like cloudflare.com or mozilla.org.
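The following is an added example, not the analyzer's own code, that puts the preceding answers together: it parses a raw header block of the kind you would paste from DevTools or curl, applies the CSP rule (effective script-src, falling back to default-src), the HSTS rule (max-age ≥ one year plus includeSubDomains), the clickjacking rule (X-Frame-Options or frame-ancestors, with ALLOW-FROM treated as no protection) and a few secondary checks, then turns the result into a score and a letter. The weights, the rule set and every cutoff except A+ ≥ 95 are assumptions made for illustration; the two header blocks are constructed samples, not captures from any real site.

```python
"""Header grader in the spirit of the page's analyzer. Added example, not the tool's own code:
weights, rule set and all cutoffs except A+ >= 95 are assumptions for illustration."""
import re

ONE_YEAR = 31536000  # seconds; the page's HSTS max-age threshold for A+

# Constructed samples (not captured from any real site): one hardened and one weak response.
SECURE_HEADERS = """\
HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
cross-origin-resource-policy: same-origin
"""
INSECURE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src *
Strict-Transport-Security: max-age=3600
X-Frame-Options: ALLOW-FROM https://partner.example
"""


def parse_headers(raw):
    """Raw block from DevTools or `curl -I` -> {lowercase name: [values]}.
    Values stay a list because a repeated CSP header is enforced by browsers as separate policies."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line, blank line or junk
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def first(headers, name):
    return headers.get(name, [""])[0]


def parse_csp(value):
    """CSP text -> {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_restricts_scripts(value):
    """True when the effective script-src (script-src, else default-src) has no unsafe-inline, unsafe-eval or wildcard."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # neither directive present: any script may run
    return not ({"'unsafe-inline'", "'unsafe-eval'", "*"} & set(sources))


def hsts_ok(value):
    """max-age >= one year and includeSubDomains, per the page's A+ criteria."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) >= ONE_YEAR and "includesubdomains" in value.lower()


def framing_ok(headers):
    """X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive; ALLOW-FROM counts as nothing."""
    xfo = first(headers, "x-frame-options").upper()
    csp_fa = any("frame-ancestors" in parse_csp(v) for v in headers.get("content-security-policy", []))
    return xfo in ("DENY", "SAMEORIGIN") or csp_fa


# (name, weight, check): illustrative weights summing to 100, critical headers weighing most.
RULES = [
    ("Content-Security-Policy", 30, lambda h: any(csp_restricts_scripts(v) for v in h.get("content-security-policy", []))),
    ("Strict-Transport-Security", 25, lambda h: hsts_ok(first(h, "strict-transport-security"))),
    ("Clickjacking (X-Frame-Options / frame-ancestors)", 10, framing_ok),
    ("X-Content-Type-Options", 10, lambda h: first(h, "x-content-type-options").lower() == "nosniff"),
    ("Referrer-Policy", 5, lambda h: "referrer-policy" in h),
    ("Permissions-Policy", 5, lambda h: "permissions-policy" in h),
    ("Cross-Origin-Opener-Policy", 5, lambda h: first(h, "cross-origin-opener-policy").lower() == "same-origin"),
    ("Cross-Origin-Embedder-Policy", 5, lambda h: first(h, "cross-origin-embedder-policy").lower() in ("require-corp", "credentialless")),
    ("Cross-Origin-Resource-Policy", 5, lambda h: "cross-origin-resource-policy" in h),
]
# Only the A+ cutoff (>= 95) comes from the page; the other cutoffs are assumed.
GRADES = [(95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (0, "F")]


def grade(raw):
    """Return (score, letter, names of failed rules) for a raw header block."""
    headers = parse_headers(raw)
    failed = [name for name, _, check in RULES if not check(headers)]
    score = sum(w for name, w, _ in RULES if name not in failed)
    letter = next(g for cutoff, g in GRADES if score >= cutoff)
    return score, letter, failed


if __name__ == "__main__":
    for label, raw in (("secure", SECURE_HEADERS), ("insecure", INSECURE_HEADERS)):
        score, letter, failed = grade(raw)
        print(f"{label}: {score}/100 -> {letter}; failed: {failed or 'none'}")
```

Running the block grades the hardened sample A+ and the weak one F. The weak sample fails CSP even though it sets no script-src at all: the 'unsafe-inline' in its default-src is inherited as the effective script policy, which is exactly the fallback the CSP answer above warns about.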