
Security Headers Checker

Analyze HTTP security headers with severity ratings, implementation status, and actionable recommendations. Demo tool for UI demonstration purposes.


This is a demo tool that generates sample security header analysis for UI demonstration purposes. No actual network requests are made.


HTTP Security Headers: Defense Without Code Changes

The Critical Four

Four headers address the most exploited web vulnerabilities: Content-Security-Policy prevents XSS by allowlisting script sources (OWASP #3 vulnerability). Strict-Transport-Security (HSTS) prevents SSL stripping attacks by forcing HTTPS for all future visits. X-Content-Type-Options: nosniff prevents browsers from misinterpreting file types (e.g., treating a text file as executable JavaScript). X-Frame-Options prevents clickjacking by blocking iframe embedding. Implementing just these four headers eliminates the majority of common attack vectors.

HSTS and the Preload List

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

HSTS tells browsers to connect only via HTTPS for the specified duration. max-age=31536000 sets this for one year. includeSubDomains applies the policy to all subdomains. preload signals that your domain may be added to the HSTS Preload List, which is hardcoded into Chrome, Firefox, Safari, and Edge; the directive alone does not add you, the domain must also be submitted to the list. Once preloaded, your domain uses HTTPS even on the very first visit, before any HTTP request is made. Over 300,000 domains are currently preloaded. Note: removal from the preload list takes months, so only add it when you're certain HTTPS works everywhere.

Cross-Origin Isolation

Three newer headers work together to fully isolate your page: Cross-Origin-Opener-Policy (COOP) prevents cross-origin windows from holding a reference to your window through window.opener. Cross-Origin-Embedder-Policy (COEP) ensures all cross-origin resources explicitly opt into being loaded. Cross-Origin-Resource-Policy (CORP) controls which origins can embed your resources. Together (COOP: same-origin + COEP: require-corp), they enable crossOriginIsolated mode, unlocking high-resolution timers and SharedArrayBuffer while preventing Spectre-class side-channel attacks.

Permissions-Policy: Feature Control

Permissions-Policy: camera=(), microphone=(), geolocation=() explicitly disables browser APIs your site doesn't use. This prevents embedded third-party scripts from secretly accessing the camera, microphone, or location. It also blocks feature exploitation in cross-origin iframes. Each feature can be set to self (only your origin, e.g., camera=(self)), to a list of specific origins, or to an empty list () to disable it entirely. The security principle: if your site doesn't need a feature, explicitly deny it.

Frequently Asked Questions

Where should I configure security headers?

The best place depends on your stack. Nginx: add_header X-Frame-Options DENY always; Apache: Header always set X-Frame-Options DENY. CDN: Cloudflare, Vercel, and AWS CloudFront all support custom response headers. Application: Next.js uses the headers() export in next.config.js; Express uses helmet.js. Prefer server- or CDN-level configuration so headers apply even to static assets and error pages.

Why is X-XSS-Protection marked as “low” severity?

X-XSS-Protection enabled the browser's built-in XSS filter, but that filter was found to introduce new vulnerabilities in some edge cases. Chrome removed the XSS Auditor in version 78 (2019), and the header is effectively ignored by all modern browsers. The recommended value is X-XSS-Protection: 0 to explicitly disable any legacy filter. Use Content-Security-Policy for XSS protection instead.

How do I test headers without deploying to production?

Use staging environments with the same server configuration. For CSP specifically, use the Content-Security-Policy-Report-Only header to log violations without blocking content. Browser DevTools (Network tab → Response Headers) show exactly what headers each response includes. Security header scanners like securityheaders.com provide instant grading. Always test with multiple page types (homepage, API endpoints, static assets) as headers may differ by route.
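The checks described on this page (the critical four, the HSTS preload requirements, cross-origin isolation, Permissions-Policy, and the X-XSS-Protection: 0 recommendation) as an added, offline example; this is not the demo tool's own code, and the severity labels, message text and SAMPLE headers are constructed for illustration:

```python
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age this page recommends

def check_headers(headers):
    """Return (severity, header, message) findings for one HTTP response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    out = []
    if not csp:
        out.append(("critical", "Content-Security-Policy", "missing: no script-source allowlist (XSS)"))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("high", "Strict-Transport-Security", "missing: SSL stripping possible"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            out.append(("medium", "Strict-Transport-Security", f"max-age={max_age} is below one year"))
        # The preload list requires includeSubDomains and a max-age of at least one year.
        if "preload" in hsts.lower() and ("includesubdomains" not in hsts.lower() or max_age < ONE_YEAR):
            out.append(("medium", "Strict-Transport-Security", "preload set without includeSubDomains + 1-year max-age"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("medium", "X-Content-Type-Options", "missing nosniff: MIME sniffing possible"))
    # A CSP frame-ancestors directive supersedes X-Frame-Options, so accept either.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        out.append(("high", "X-Frame-Options", "missing: page can be framed (clickjacking)"))
    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        out.append(("low", "X-XSS-Protection", "legacy filter enabled; set to 0 and rely on CSP"))
    if (h.get("cross-origin-opener-policy") != "same-origin"
            or h.get("cross-origin-embedder-policy") != "require-corp"):
        out.append(("low", "Cross-Origin-Opener/Embedder-Policy", "page is not crossOriginIsolated"))
    if "permissions-policy" not in h:
        out.append(("low", "Permissions-Policy", "missing: unused browser features not denied"))
    return out

# Constructed sample response headers, not captured from any real site.
SAMPLE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=86400; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Cross-Origin-Opener-Policy": "same-origin",
}

if __name__ == "__main__":
    for severity, name, message in check_headers(SAMPLE):
        print(f"[{severity:>8}] {name}: {message}")
```

Feed it the headers copied from DevTools (Network tab → Response Headers) for each page type you test; it reports the same header as fixed when X-Frame-Options is replaced by a CSP frame-ancestors directive.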