A security headers check that reads the real response
HTTP response headers are one of the cheapest and most effective layers of web hardening — a handful of headers can enforce HTTPS, block clickjacking, and constrain what scripts a page may run. This security headers check reads a site's actual response and lays out each known security header as present or absent, with its real value. Rather than hand you a single letter grade, it gives you the facts as a checklist, so you can measure a domain against whatever framework your organisation follows.
CSP validator and HSTS lookup in one
Two headers do most of the heavy lifting. Content-Security-Policy constrains where scripts, styles, and other resources may load from, and it's the main structural defence against cross-site scripting; used as a CSP validator, this tool shows you the exact policy and neutrally notes weak spots like unsafe-inline or a wildcard source. Strict-Transport-Security forces browsers onto HTTPS; used as an HSTS lookup, it surfaces the max-age, whether subdomains are included, and whether the domain opts into preloading. We report what the values literally contain — we don't guess at an overall score.
The full set of headers we check
Beyond CSP and HSTS, we check X-Frame-Options and X-Content-Type-Options (clickjacking and MIME-sniffing defences), Referrer-Policy and Permissions-Policy (privacy and feature controls), and the cross-origin isolation trio — Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. We also surface a couple of legacy headers like X-XSS-Protection and Expect-CT, clearly labelled as deprecated so you know they no longer do much. Each header comes with a plain description of what it does, and a factual count of how many core headers are present.
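As an added example, not the tool's own code, here is an offline Python sketch of the checklist described in the CSP/HSTS section and the header list above: it runs over a constructed header set rather than a fetched response, and every sample value in it is assumed.

```python
# Added example (not the tool's own code): offline version of the page's checklist,
# run over constructed sample headers rather than a fetched response.
CORE_HEADERS = [
    "Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
    "Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy",
    "Cross-Origin-Resource-Policy",
]
DEPRECATED_HEADERS = ["X-XSS-Protection", "Expect-CT"]

# Constructed sample headers (assumed values, not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *; img-src *",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

def checklist(headers):
    """One row per known header: (name, present, literal value, deprecated?)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return [(n, n.lower() in lower, lower.get(n.lower()), n in DEPRECATED_HEADERS)
            for n in CORE_HEADERS + DEPRECATED_HEADERS]

def core_present_count(headers):
    """Factual count of core (non-deprecated) headers present."""
    return sum(1 for _, present, _, dep in checklist(headers) if present and not dep)

def csp_observations(policy):
    """Neutral notes on weak spots: 'unsafe-inline', 'unsafe-eval' and wildcard sources."""
    notes = []
    for directive in policy.split(";"):
        parts = directive.lower().split()
        if not parts:
            continue
        name, sources = parts[0], parts[1:]
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in sources:
                notes.append(f"{name} allows {weak}")
    return notes

def hsts_lookup(value):
    """Parse max-age, includeSubDomains and preload from an HSTS header value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [d.split("=", 1)[1].strip('"') for d in directives if d.startswith("max-age=")]
    # A non-numeric max-age is reported as None rather than guessed at.
    max_age = int(ages[0]) if ages and ages[0].isdigit() else None
    return {"max_age": max_age, "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}
```

Against the sample, the checklist reports three core headers present, flags `script-src` for both `'unsafe-inline'` and a wildcard and `img-src` for a wildcard, and reads the HSTS value as a one-year max-age with subdomains and preload enabled.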
Why a checklist, not a grade
Security requirements are contextual: a bank and a static brochure site have very different needs, and a strict CSP that's essential for one is impractical for the other. A single letter grade would impose one opinion on every site and mislead as often as it helps — which is exactly why compliance engineers prefer the raw facts. So this tool stays factual: present or absent, the real value, and neutral observations where the value itself reveals something. You bring the standard; we bring the evidence.