UnblockDevs

HTTP Security Headers Analyzer

Paste HTTP response headers, get an A+ to F security grade, detect vulnerabilities, and generate server configs

100% in-browser · No signup · Free forever


Tip: DevTools → Network → any request → Response Headers
Example result: grade D (Weak), security score 45/100: 2 headers secure, 4 with warnings, 5 missing.

Critical missing headers: Referrer-Policy, Permissions-Policy

Share Your Feedback

Tell us what's working, what's broken, or what you wish we built next — it directly shapes our roadmap.

You make the difference

Good feedback is gold — a rough edge you hit today could be smoother for everyone tomorrow.

  • Feature ideas often jump the queue when lots of you ask.
  • Bug reports with steps get fixed faster — paste URLs or examples if you can.
  • Name and email are optional; we won't use them for anything except replying if needed.

Stay Updated

Get the latest tool updates, new features, and developer tips delivered to your inbox.

What you'll get
  • Product updates & new tools
  • JSON, API & developer tips
  • Unsubscribe anytime — no hassle

Get in touch

Feature ideas, bugs, or a quick thanks — we read every message.

HTTP Security Headers Analyzer — Grade Your Server's Security

HTTP response headers are the first line of defense for any web application. Security headers like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options tell browsers how to handle your content safely: mitigating XSS, preventing clickjacking, enforcing HTTPS, and stopping MIME type sniffing.

This analyzer parses raw HTTP response headers and gives you an instant security grade from A+ to F. Each header gets an individual assessment: ✅ secure, ⚠️ needs improvement, or ❌ missing. The Config Generator tab produces ready-to-paste server configurations for Express.js, Nginx, and Apache.

How it works

Analyze Your Headers in 30 Seconds

01

Grab your headers

Open DevTools → Network → any request → Response Headers. Or run curl -I https://yoursite.com in your terminal. Note that curl -I sends a HEAD request, and some servers answer HEAD with fewer headers than GET; curl -sS -D - -o /dev/null https://yoursite.com prints the headers of a real GET. Either way, capture the final HTTPS response rather than an HTTP-to-HTTPS redirect, because Strict-Transport-Security is only honoured on HTTPS responses.

02

Paste & analyze

Paste the raw header block and click Analyze. The tool parses every header and runs security checks instantly.

03

Read your grade

Get an A+ to F letter grade with per-header details: what it does, current value assessment, and recommended value.

04

Fix with config

Switch to Config Generator and copy production-ready Express.js, Nginx, or Apache config to fix all missing headers.
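Steps 2 and 3 above, as an added example written for this page (not the analyzer's own implementation): a parser for a pasted header block and a grader in the same spirit. The check rules, the weights and the letter thresholds are assumptions chosen for the demo, and both header samples are constructed rather than captured from a real site.

```javascript
// Added example written for this page, not the analyzer's own code: parse a pasted header
// block and grade it. The check rules, weights and letter thresholds are assumptions.

// Raw header block -> Map of lower-cased name -> value. Status line and blanks are skipped;
// repeated headers are joined with ", " except Set-Cookie, kept as an array (values may contain commas).
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const t = line.trim();
    if (!t || /^HTTP\/\d/i.test(t)) continue;
    const colon = t.indexOf(':');
    if (colon < 1) continue;
    const name = t.slice(0, colon).trim().toLowerCase();
    const value = t.slice(colon + 1).trim();
    if (name === 'set-cookie') headers.set(name, [...(headers.get(name) ?? []), value]);
    else if (headers.has(name)) headers.set(name, `${headers.get(name)}, ${value}`);
    else headers.set(name, value);
  }
  return headers;
}

// CSP string -> Map of directive -> lower-cased source expressions.
function parseCsp(policy) {
  const d = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) d.set(tokens[0].toLowerCase(), tokens.slice(1).map(x => x.toLowerCase()));
  }
  return d;
}

const ok = note => ({ status: 'secure', note }), warn = note => ({ status: 'warning', note }), missing = note => ({ status: 'missing', note });
// One check per header; weights sum to 100 (an assumed split, not the site's).
const CHECKS = [
  { name: 'Strict-Transport-Security', weight: 25, check(h) {
    const v = h.get('strict-transport-security');
    if (!v) return missing('add max-age=31536000; includeSubDomains');
    const age = Number(/max-age=(\d+)/i.exec(v)?.[1] ?? 0);
    return age >= 31536000 ? ok('ok') : warn(`max-age ${age} is under one year`);
  } },
  { name: 'Content-Security-Policy', weight: 25, check(h) {
    const v = h.get('content-security-policy');
    if (!v) return missing('no enforcing CSP (Report-Only does not count)');
    const csp = parseCsp(v), scripts = csp.get('script-src') ?? csp.get('default-src');
    if (!scripts) return warn('neither script-src nor default-src is set');
    return scripts.includes("'unsafe-inline'") || scripts.includes("'unsafe-eval'") ? warn("'unsafe-inline' or 'unsafe-eval' allowed for scripts") : ok('ok');
  } },
  { name: 'X-Frame-Options / frame-ancestors', weight: 15, check(h) {
    if (parseCsp(h.get('content-security-policy') ?? '').has('frame-ancestors')) return ok('frame-ancestors set in CSP');
    const v = (h.get('x-frame-options') ?? '').toUpperCase();
    if (!v) return missing('add DENY or SAMEORIGIN, or CSP frame-ancestors');
    return v === 'DENY' || v === 'SAMEORIGIN' ? ok('ok') : warn(`unsupported value ${v}`);
  } },
  { name: 'X-Content-Type-Options', weight: 10, check(h) {
    const v = h.get('x-content-type-options');
    return !v ? missing('add nosniff') : v.toLowerCase() === 'nosniff' ? ok('ok') : warn(`unexpected value ${v}`);
  } },
  { name: 'Referrer-Policy', weight: 10, check(h) {
    const v = h.get('referrer-policy');
    if (!v) return missing('add strict-origin-when-cross-origin');
    const effective = v.toLowerCase().split(',').map(s => s.trim()).pop(); // fallback chain: last known token wins
    return ['unsafe-url', 'no-referrer-when-downgrade'].includes(effective) ? warn(`${effective} sends full URLs to other origins`) : ok('ok');
  } },
  { name: 'Permissions-Policy', weight: 5, check: h => h.has('permissions-policy') ? ok('ok') : missing('restrict camera, microphone, geolocation') },
  { name: 'Cross-Origin-Opener-Policy', weight: 5, check: h => h.has('cross-origin-opener-policy') ? ok('ok') : missing('add same-origin') },
  { name: 'Cross-Origin-Resource-Policy', weight: 5, check: h => h.has('cross-origin-resource-policy') ? ok('ok') : missing('add same-origin or same-site') },
];

// Full weight for secure, half for a warning, none for missing; letter grade from the total.
function grade(raw) {
  const h = parseHeaders(raw);
  const results = CHECKS.map(c => ({ name: c.name, weight: c.weight, ...c.check(h) }));
  const credit = { secure: 1, warning: 0.5, missing: 0 };
  const score = Math.round(results.reduce((s, r) => s + r.weight * credit[r.status], 0));
  const letter = score >= 95 ? 'A+' : score >= 85 ? 'A' : score >= 70 ? 'B' : score >= 55 ? 'C' : score >= 40 ? 'D' : 'F';
  const count = s => results.filter(r => r.status === s).length;
  return { score, letter, secure: count('secure'), warnings: count('warning'), missing: count('missing'), results };
}

// Constructed samples (not captured from any real site): a weak response and a hardened one.
const WEAK_SAMPLE = `HTTP/2 200
strict-transport-security: max-age=86400
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: unsafe-url
set-cookie: sid=abc; Path=/; Secure; HttpOnly
set-cookie: theme=dark; Path=/`;
const HARDENED_SAMPLE = `HTTP/2 200
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin`;

for (const [label, sample] of [['weak', WEAK_SAMPLE], ['hardened', HARDENED_SAMPLE]]) {
  const g = grade(sample); console.log(`${label}: ${g.letter} ${g.score}/100 (${g.secure} secure, ${g.warnings} warnings, ${g.missing} missing)`);
}
```

The weak sample grades D: a one-day HSTS max-age and an unsafe-url Referrer-Policy each earn half credit, CSP and the Permissions/Cross-Origin headers are absent, and X-Frame-Options plus nosniff are the only headers that pass. The hardened sample reaches A+ without any X-Frame-Options header because the CSP frame-ancestors directive covers the same risk.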

Use cases

Who Uses HTTP Headers Analysis


Security audits

Quickly audit your app before launch or as part of regular security reviews.

Penetration testing

Identify missing security headers as part of a pentest or vulnerability assessment.


DevOps hardening

Generate Nginx/Apache config blocks to add missing headers to your server setup.


Compliance checks

Verify the headers that OWASP guidance recommends (the OWASP Top 10 lists missing security headers under A05:2021 Security Misconfiguration) and that security benchmarks check for.


Backend development

Confirm your Express.js/Next.js app is serving all required security headers.


Learning web security

Understand what each header does and how it protects users from specific attack vectors.

FAQ

Frequently Asked Questions

1. Why is my security headers grade failing even though my site works correctly?
A working site and a secure site are not the same thing. Missing headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options do not break functionality; they leave users exposed to XSS, clickjacking, and SSL-stripping attacks that succeed silently. Paste your headers into this analyzer to get a grade and see exactly which headers to add.
2. How do I get my site's response headers?
Open Chrome/Firefox DevTools (F12) → Network tab → click any request → scroll to "Response Headers". Or use curl: curl -I https://yoursite.com. Since -I sends a HEAD request and some servers answer HEAD with a reduced header set, curl -sS -D - -o /dev/null https://yoursite.com shows the headers of a real GET. Copy the output and paste it into this analyzer.
3. Why does my Content-Security-Policy break my site when I add it?
CSP blocks scripts, styles, and other resources that don't match your policy, including inline scripts, Google Fonts, CDN-hosted libraries, and analytics tags. Start with Content-Security-Policy-Report-Only, add a report-uri or report-to directive so violations reach an endpoint you control instead of only showing up in users' browser consoles, then tighten the policy incrementally and switch to the enforcing header once the reports are clean. Avoid 'unsafe-inline' and 'unsafe-eval' in script-src: they remove most of CSP's protection against XSS. Use nonces or hashes for the inline scripts you cannot move into files.
4. How do I stop my site from loading over HTTP even when users type the URL without https?
Serve the Strict-Transport-Security header on your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. A browser that has seen it rewrites http:// to https:// for your domain for the next year (max-age is in seconds) without ever sending the insecure request. includeSubDomains extends this to every subdomain, so confirm they all serve HTTPS first, and preload, together with a submission to the HSTS preload list at hstspreload.org, bakes your domain into browsers so even the first visit is protected. Keep your HTTP-to-HTTPS redirect in place as well: HSTS is ignored on plain-HTTP responses and cannot protect a browser that has never seen the header.
5. How do I check HTTP response headers?
Open Chrome or Firefox DevTools (F12), go to the Network tab, click any request, and scroll to the Response Headers section. Alternatively, run curl -I https://yoursite.com in the terminal. Paste the output into this analyzer for an instant security grade and per-header breakdown.
6. What security headers should every website have?
Every production website should have at minimum: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options (or CSP frame-ancestors), X-Content-Type-Options: nosniff, and Referrer-Policy. Adding Permissions-Policy and the Cross-Origin headers (Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy) will push your score to A+.
7. What does X-Frame-Options do?
X-Frame-Options controls whether your page may be embedded in an iframe, protecting against clickjacking. Use DENY to block all framing, or SAMEORIGIN to allow framing only from your own origin. The modern equivalent is the frame-ancestors directive inside Content-Security-Policy, which can also name specific allowed origins; when both are present, browsers that support frame-ancestors ignore X-Frame-Options, so keep the two consistent.
8. How do I fix missing security headers?
Use the Config Generator tab in this analyzer to get ready-to-paste code for Express.js, Nginx, or Apache. For Node.js/Express, install the helmet package (npm install helmet) and add app.use(helmet()); it sets most critical security headers in one line and removes X-Powered-By. Its default Content-Security-Policy is strict (default-src 'self'), so test it against your inline scripts and third-party assets before shipping.
9. How do I add security headers to my Next.js or Express app without installing extra packages?
In Next.js, add an async headers() function in next.config.js that returns the headers to set for matching routes. In Express, set headers in a middleware registered before your routes, for example res.setHeader('X-Frame-Options', 'DENY'), then call next(). If you are willing to add one package, helmet (npm install helmet, then app.use(helmet())) sets the most critical security headers automatically. Use the Config Generator tab for copy-paste-ready config.
10. How do I add custom headers in fetch/axios?
In fetch, pass headers in the options object: fetch(url, { headers: { 'Authorization': 'Bearer token' } }). In Axios, use axios.get(url, { headers: { 'Authorization': 'Bearer token' } }). For site-wide Axios defaults, set axios.defaults.headers.common['Authorization'] = 'Bearer token'. These are request headers sent by the client; the security headers this tool grades are response headers set by the server.
11. How do I inspect HTTP headers in Chrome DevTools?
Open DevTools with F12, click the Network tab, make a request or reload the page, then click any request in the list. Click the Headers tab in the right panel to see both Request Headers and Response Headers. Right-click a request to copy individual values or the full response header block.
12. What is the X-Content-Type-Options header?
X-Content-Type-Options: nosniff tells browsers to trust the declared Content-Type instead of MIME-sniffing the body. Without it, a browser might execute a response as JavaScript or apply it as CSS even though the server labelled it as something else, which is how attacker-controlled uploads or misconfigured file types turn into script execution in your origin. It has a single valid value, adds no performance overhead, and should be present on every response.

Last updated: May 2026
