
Security Header Analyzer

Paste your HTTP response headers and get an instant A–F security grade. Checks 15 security headers including HSTS, CSP, COOP, and more — entirely in your browser.


How It Works

1. Get Your Headers

Enter a URL to generate a curl command, or copy response headers from your browser DevTools Network tab.

2. Instant Analysis

All 15 security headers are checked entirely in your browser. Nothing is sent to any server — your data stays on your device.

3. Get Your Grade

See an A–F grade with per-header pass/partial/fail status and actionable recommendations you can copy as Markdown.

FAQ

Are my headers sent anywhere?

No. All analysis runs in your browser using JavaScript. Your headers never leave your device.

Why can’t the tool fetch headers automatically?

Browser CORS restrictions prevent JavaScript from reading response headers from arbitrary domains. The curl approach lets you get the full headers locally and paste them here for analysis.

What counts as a “partial” pass?

A partial pass means the header is present but not configured optimally. For example, an HSTS header without includeSubDomains, or a CSP that uses unsafe-inline. Partial passes count as half a point toward your grade.

How is the grade calculated?

Each of the 15 headers scores 1 point for a pass and 0.5 for a partial. Grade A requires 13+ points, B is 10–12, C is 7–9, D is 4–6, and F is below 4.
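The pass/partial/fail and grading rules from the two answers above, as an added example that is not the analyzer's own code. It covers only HSTS and CSP, the two headers the FAQ describes; all function names, the handling of `max-age`, and the treatment of half-point totals that fall between grade bands are assumptions.

```javascript
// Added example, not the analyzer's code. Covers only HSTS and CSP, the two
// headers the FAQ describes; the sample headers below are constructed.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Strict-Transport-Security: max-age=31536000",
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
].join("\r\n");

// Parse a pasted header block into a lowercase-name -> value map.
// Simplification: a repeated header keeps its first value.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // status line, blank line, HTTP/2 pseudo-header
    const name = line.slice(0, i).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, line.slice(i + 1).trim());
  }
  return headers;
}

function checkHsts(value) {
  if (!value) return "fail";
  const directives = value.split(";").map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith("max-age="));
  // Assumption: a missing or zero max-age is a fail (max-age=0 switches HSTS off).
  if (!maxAge || !(parseInt(maxAge.slice(8).replace(/"/g, ""), 10) > 0)) return "fail";
  return directives.includes("includesubdomains") ? "pass" : "partial";
}

function checkCsp(value) {
  if (!value) return "fail";
  const tokens = value.toLowerCase().split(/[;\s]+/);
  return tokens.includes("'unsafe-inline'") ? "partial" : "pass";
}

// 1 point per pass, 0.5 per partial, as the FAQ states.
function score(statuses) {
  return statuses.reduce((n, s) => n + (s === "pass" ? 1 : s === "partial" ? 0.5 : 0), 0);
}

// Assumption: half-point totals between bands (e.g. 12.5) get the lower grade.
function grade(points) {
  if (points >= 13) return "A";
  if (points >= 10) return "B";
  if (points >= 7) return "C";
  if (points >= 4) return "D";
  return "F";
}
```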


Powered by ReleaseRun — Free developer tools for release lifecycle management