HTTP Security Header Analyzer Tool - CSP HSTS X-Frame-Options Audit with Grade and Recommendations

First Published:
Last Updated:

This tool audits HTTP response security headers and assigns a letter grade with concrete, per-header recommendations. Paste the raw response head from your browser's DevTools or the output of curl -I https://example.com — the analyzer parses every line, evaluates each security header against the OWASP Secure Headers / MDN guidance, and explains how to harden each finding. This tool analyzes pasted headers only. It does not fetch the URL because of browser CORS restrictions.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your headers never leave your device.

  • This tool is provided "AS IS" without any warranties of any kind.
  • The author accepts no responsibility for incorrect grades or missed misconfigurations — always cross-check with multiple references before deploying changes to production.
  • Recommendations are general best practice; some directives (e.g. CSP 'unsafe-inline') may be required by your specific framework or third-party scripts.
  • This tool intentionally does not fetch URLs — CORS and authentication restrictions make in-browser fetching unreliable for production sites.
  • By using this tool, you accept full responsibility for any outcomes.

Privacy: This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no information is uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Tip: Ctrl/ + Enter runs the analysis. Editing pauses also re-run the audit automatically.

Features

  • Letter-graded score (A–F): Weighted across 10 security-relevant headers so a hardened response reaches 100 / A.
  • Directive-level CSP audit: Flags 'unsafe-inline', 'unsafe-eval', missing object-src 'none', missing base-uri, missing frame-ancestors, and wildcard sources.
  • HSTS strength check: Verifies max-age ≥ 1 year (31536000), and presence of includeSubDomains / preload.
  • X-Frame-Options & CSP frame-ancestors: Recognizes that frame-ancestors is the modern replacement and adjusts the verdict accordingly.
  • Cookie flag audit: Per Set-Cookie header, reports missing Secure, HttpOnly, SameSite, and the SameSite=None+Secure requirement.
  • Cross-origin isolation: Evaluates Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy against current spec values.
  • Curl & DevTools friendly: The parser strips status lines (HTTP/1.1 200 OK, HTTP/2 200) and handles RFC 7230 line folding.
  • Three example presets: Vulnerable, partial, and hardened header sets to demonstrate scoring differences instantly.
  • Plain-text report: One-click copy of a Markdown-style summary you can paste into tickets, code reviews, or runbooks.
  • Client-side only: No fetch, no upload — works offline once loaded.

How to Use

  1. Capture response headers from your target site:
    • Terminal: curl -I -L https://example.com (use -L if redirects are involved)
    • Browser: DevTools > Network tab > click the document > copy "Response Headers" as text
  2. Paste the headers into the textarea above. Status lines such as HTTP/2 200 are accepted and ignored automatically.
  3. Click Analyze Headers (or press Ctrl/+Enter). Editing pauses also re-run the audit.
  4. Review the grade, then read each per-header finding for the recommended value and remediation notes.
  5. Use Copy Report to grab a plain-text summary of all findings, or Load one of the example presets to compare against your own response.

Important Notes

  • The analyzer evaluates headers in isolation. Real-world security depends on the interaction between server config, application code, framework defaults (e.g. Rails, Next.js, Django middleware), and CDN edge rules — treat the grade as a starting point.
  • The CSP audit is structural: it spots high-risk directives but cannot determine whether your specific source allowlist is correctly scoped to your application's origins.
  • Strict-Transport-Security is only honored over HTTPS; sending it over plain HTTP is silently ignored by browsers per RFC 6797.
  • X-Frame-Options: ALLOW-FROM is obsolete — modern browsers ignore it. Use CSP frame-ancestors for per-origin framing rules.
  • Cookie auditing is per-header. If a server emits cookies via Cookie in requests or via JavaScript (document.cookie), those are not visible from response headers alone.
  • Cross-origin isolation (COOP: same-origin + COEP: require-corp) is required to enable SharedArrayBuffer and high-resolution timers; many sites can leave them unset without functional impact.
  • Recommended values reflect general best practice as documented by MDN, OWASP Secure Headers Project, and the relevant RFCs / W3C specs — verify them against your application's requirements before deploying.
  • This tool intentionally does not fetch URLs. Browser CORS rules block reading response headers from arbitrary origins, so a paste-based workflow is the only reliable approach in pure client-side JavaScript.

References:
Tech Blog with curated related content
Web Tools Collection

Written by Hidekazu Konishi