Our free HTTP header analyzer checks a website’s HTTP response headers to evaluate security configuration, identify common vulnerabilities, and provide actionable recommendations. Security headers help protect against cross-site scripting (XSS), clickjacking, and SSL stripping by enforcing browser policies like Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS). Use this tool to audit your site after deployments, server migrations, CDN/WAF changes, or during regular security reviews.
- HTTP Headers: Response headers reveal server behavior, caching, and security configuration.
- Security Analysis: Find missing security headers and get actionable recommendations.
- Implementation: Use the guides below to add headers in Nginx, Apache, IIS, or Node.
How to use the HTTP header analyzer
- Enter the URL you want to analyze (include https:// when possible).
- Click “Analyze Headers”.
- Review your score, missing headers, and recommended fixes.
- Apply changes on your web server or CDN/WAF and re-test.
Understanding your security score
Scores typically drop when critical protections are missing (HSTS, CSP, clickjacking defense) or when the response discloses unnecessary server details. A strong score usually means you’ve implemented a baseline of modern browser defenses.
Security headers explained (high impact)
- Strict-Transport-Security (HSTS): forces HTTPS and prevents SSL stripping.
- Content-Security-Policy (CSP): reduces XSS impact by restricting resource loading and script execution.
- X-Frame-Options / frame-ancestors: prevents clickjacking via iframe embedding restrictions.
- X-Content-Type-Options: prevents MIME sniffing attacks (use nosniff).
- Referrer-Policy: reduces leakage of sensitive URL paths and query strings.
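The checks in the list above, together with the server-disclosure deduction mentioned under the security score, implemented as a small analyzer over a single response's headers. This is an added example written for this page, not the tool's own code: the header names and directive semantics are standard, but the point weights, the one-year HSTS threshold, the function names (`analyze_headers`, `check_hsts`, `get_header`) and the two sample responses are constructed assumptions.

```python
import re

# Constructed weights (assumption, not the tool's scoring): points deducted
# from 100 for each missing or weakened protection.
WEIGHTS = {"hsts": 25, "csp": 25, "clickjacking": 20,
           "nosniff": 10, "referrer": 10, "disclosure": 10}

def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def check_hsts(value):
    """Return findings for an HSTS value; an empty list means it is acceptable."""
    findings = []
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match:
        return ["HSTS is present but max-age is missing"]
    if int(match.group(1)) < 31536000:  # one year, the usual recommended minimum
        findings.append("HSTS max-age is below one year")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings

def analyze_headers(headers):
    """Score one response's headers (0-100) and list recommended fixes."""
    score, findings = 100, []

    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        score -= WEIGHTS["hsts"]
        findings.append("Add Strict-Transport-Security: max-age=31536000; includeSubDomains")
    elif check_hsts(hsts):
        score -= WEIGHTS["hsts"] // 2
        findings.extend(check_hsts(hsts))

    # Split the CSP into {directive: [sources]} to inspect individual directives.
    raw_csp = get_header(headers, "Content-Security-Policy") or ""
    csp = {p.split()[0].lower(): p.split()[1:] for p in raw_csp.split(";") if p.split()}
    if not csp:
        score -= WEIGHTS["csp"]
        findings.append("Add a Content-Security-Policy (start in report-only mode)")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        # script-src falls back to default-src when absent, so check the effective one.
        score -= WEIGHTS["csp"] // 2
        findings.append("CSP allows 'unsafe-inline' scripts, which weakens XSS protection")

    # Either X-Frame-Options or a CSP frame-ancestors directive blocks framing.
    if get_header(headers, "X-Frame-Options") is None and "frame-ancestors" not in csp:
        score -= WEIGHTS["clickjacking"]
        findings.append("Add X-Frame-Options: DENY or a CSP frame-ancestors directive")

    xcto = get_header(headers, "X-Content-Type-Options") or ""
    if xcto.strip().lower() != "nosniff":
        score -= WEIGHTS["nosniff"]
        findings.append("Set X-Content-Type-Options: nosniff")

    referrer = (get_header(headers, "Referrer-Policy") or "").strip().lower()
    if referrer in ("", "unsafe-url", "no-referrer-when-downgrade"):
        score -= WEIGHTS["referrer"]
        findings.append("Set Referrer-Policy: strict-origin-when-cross-origin or stricter")

    # Server / X-Powered-By values containing digits usually leak a version string.
    for name in ("Server", "X-Powered-By"):
        value = get_header(headers, name)
        if value and re.search(r"\d", value):
            score -= WEIGHTS["disclosure"]
            findings.append(f"{name} discloses a version: {value!r}")
            break

    return {"score": max(score, 0), "findings": findings}

# Constructed sample responses (not captured from any real site).
WEAK = {"Server": "nginx/1.18.0", "Content-Type": "text/html",
        "X-Content-Type-Options": "nosniff"}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, analyze_headers(hdrs))
```

Feeding the analyzer the headers of the final response (after any redirects) matters: a header set on the HTTP-to-HTTPS redirect but not on the page itself still counts as missing, which is exactly the HSTS problem described in the troubleshooting section.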
Implementation guide (quick snippets)
Nginx
# "always" makes Nginx emit the header on error responses too, not only on 2xx/3xx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache
# "always" applies the header to error responses as well as successful ones
Header always set X-Content-Type-Options "nosniff"
Express (Node.js)
// call before res.send()/res.end(); headers cannot be changed once sent
res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
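The snippets above set one header each at the server or framework layer. As an added example (not from the page or any project it mentions), the same baseline can be applied to every response of a Python WSGI application by a wrapper that adds only the headers the app has not already set, so a route that needs its own policy keeps it. The header values are the ones recommended in the list above; the wrapper, the demo app and the `run` helper are constructed for illustration.

```python
# Baseline from the "high impact" list above (values are the usual recommendations).
BASELINE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]

def secure_headers(app, baseline=BASELINE_HEADERS):
    """Wrap a WSGI app so every response carries the baseline headers.

    Headers the app already set take precedence; only missing ones are added.
    """
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [
                (name, value) for name, value in baseline if name.lower() not in present
            ]
            return start_response(status, merged, exc_info)
        return app(environ, patched_start)
    return wrapped

def _demo_app(environ, start_response):
    """Constructed app: one path sets its own, looser Referrer-Policy."""
    headers = [("Content-Type", "text/plain")]
    if environ.get("PATH_INFO") == "/public":
        headers.append(("Referrer-Policy", "no-referrer"))
    start_response("200 OK", headers)
    return [b"hello"]

def run(app, path="/"):
    """Invoke a WSGI app without a server; returns (status, {header: value}, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body

if __name__ == "__main__":
    print(run(secure_headers(_demo_app), "/"))
    print(run(secure_headers(_demo_app), "/public"))
```

Because the wrapper runs inside the application, a CDN or proxy in front of it can still strip or replace these headers; re-testing the deployed URL, as the how-to section advises, is what confirms they actually reach the browser.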
Troubleshooting common issues
- If CSP breaks your site, start with report-only mode and whitelist required script/style sources gradually.
- If HSTS is missing, ensure HTTPS redirects are correct and the header is served on the final response.
- If headers differ between pages, your CDN/proxy may be adding/removing headers per-route—check rules and cache behavior.
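The report-only rollout from the first troubleshooting item, worked through in code as an added example (not the tool's code): violation reports that browsers POST to a `report-uri` endpoint are aggregated per directive, origins seen repeatedly are added to the policy, and inline/eval violations are deliberately left for manual review because allowing them would undo the protection. The `csp-report` field names (`violated-directive`, `effective-directive`, `blocked-uri`) are the ones browsers send; the function names, the minimum-count rule, the sample reports and the starting policy are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

def parse_csp(policy):
    """'script-src 'self' a.example; img-src *' -> {'script-src': [...], 'img-src': ['*']}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def serialize_csp(directives):
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items())

def aggregate_reports(raw_reports):
    """Group blocked origins by the directive that blocked them: {directive: {origin: count}}.

    'inline' and 'eval' arrive without a URL and are kept verbatim so they
    surface for manual review instead of being treated as origins.
    """
    summary = {}
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        blocked = report.get("blocked-uri", "")
        parts = urlsplit(blocked)
        origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else (blocked or "(unknown)")
        counts = summary.setdefault(directive, {})
        counts[origin] = counts.get(origin, 0) + 1
    return summary

def extend_policy(policy, summary, min_count=2):
    """Allow origins seen at least `min_count` times in the directive that reported them.

    Inline and eval violations are never auto-allowed: the fix is nonces/hashes or
    moving code out of inline handlers, not loosening the policy. A directive that
    did not exist yet starts from default-src's sources, which is what the browser
    was falling back to before, so 'self' is not lost when it is introduced.
    """
    directives = parse_csp(policy)
    for directive, origins in summary.items():
        for origin, count in origins.items():
            if origin in ("inline", "eval", "(unknown)") or count < min_count:
                continue
            sources = directives.setdefault(directive, list(directives.get("default-src", [])))
            if origin not in sources:
                sources.append(origin)
    return serialize_csp(directives)

def csp_header(policy, report_endpoint, enforce=False):
    """Header name/value for the rollout stage: report-only first, enforcing later."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, f"{policy}; report-uri {report_endpoint}"

# Constructed reports in the JSON shape browsers POST to report-uri (not real traffic).
def _report(violated, effective, blocked):
    return json.dumps({"csp-report": {"document-uri": "https://app.example/",
                                      "violated-directive": violated,
                                      "effective-directive": effective,
                                      "blocked-uri": blocked}})

SAMPLE_REPORTS = [
    _report("script-src 'self'", "script-src", "https://cdn.example/lib.js"),
    _report("script-src 'self'", "script-src", "https://cdn.example/lib.js"),
    _report("script-src 'self'", "script-src", "inline"),
    _report("default-src 'self'", "img-src", "https://images.example/logo.png"),
]
START_POLICY = "default-src 'self'; script-src 'self'; frame-ancestors 'none'"

if __name__ == "__main__":
    summary = aggregate_reports(SAMPLE_REPORTS)
    print(summary)
    print(csp_header(extend_policy(START_POLICY, summary), "/csp-report"))
```

Once a report-only window passes with no remaining violations other than ones you have decided to fix in the application, the same policy string is served with `enforce=True`; the example uses `report-uri` for simplicity, and the newer `report-to` mechanism can be added alongside it.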
Common Questions
What is an HTTP header analyzer?
An HTTP header analyzer fetches a URL and inspects its response headers. It helps you understand caching, server behavior, and security configuration (like CSP and HSTS).
Which security headers should every site have?
Most sites should use HSTS, X-Content-Type-Options, a clickjacking defense (X-Frame-Options or CSP frame-ancestors), a strong Content-Security-Policy, and a Referrer-Policy. Additional headers depend on your app.
Why is my security score low if my site seems fine?
A low score doesn’t mean your site is currently hacked. It means key defenses are missing or misconfigured, which increases risk for common attacks like XSS and clickjacking.
Can adding CSP break my site?
Yes. CSP can block scripts/styles if configured too strictly. Start with report-only mode, review violations, then tighten your policy gradually.
How often should I check security headers?
Recheck after deployments, server migrations, CDN/WAF changes, and at least quarterly. Some headers can be removed unintentionally by proxies or misconfigured middleware.
Related tools
- SSL Checker — verify TLS configuration and expiry
- Website Status Checker — confirm the site is reachable before analyzing
- DNS Records Lookup — troubleshoot DNS/redirect issues