HTTP Header Analyzer
Professional Website Security Audit
Scan your website headers for security vulnerabilities, caching efficiency, and information leakage. Get a professional grade (A+ to F) and actionable advice to harden your server.
Scan any website to analyze security, caching, and infrastructure headers.
Security Scoring
Instant A+ to F grading based on security best practices and modern web standards.
Real-time Scan
Our high-performance scanner fetches and analyzes headers in milliseconds.
Expert Advice
Get actionable recommendations on how to fix missing or insecure header configurations.
What This Tool Does
Enter a URL and get a breakdown of every HTTP response header the server sends back. The tool grades the security posture (A+ to F), flags missing headers, and explains what each one does. It's similar to securityheaders.com but with caching analysis and raw JSON export.
The scanner makes a real request through a backend proxy (to bypass browser CORS restrictions) and parses the response headers.
Security Headers That Matter
Not all security headers carry equal weight. The grading algorithm weights them by impact:
Critical: Content-Security-Policy (CSP)
CSP controls which resources the browser is allowed to load. A properly configured CSP is the strongest defense against XSS. The OWASP CSP cheat sheet (owasp.org/www-project-cheat-sheets) covers the directives in detail.
Without a CSP, you cannot score above a B in this tool.
A minimal starting policy:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
Critical: Strict-Transport-Security (HSTS)
Tells browsers to always use HTTPS for your domain. The max-age should be at least 31536000 (one year). Adding includeSubDomains protects subdomains. Adding preload lets you submit to the HSTS preload list maintained by Chrome and used by all major browsers.
High: X-Content-Type-Options
Set this to nosniff. Without it, browsers may try MIME-type sniffing on responses, which can turn a seemingly harmless file into an executable script. This is a one-line fix on any server.
High: X-Frame-Options
Prevents your site from being embedded in an iframe on another domain (clickjacking). Set to DENY or SAMEORIGIN. Note: CSP's frame-ancestors directive supersedes this header, but both should be set for backward compatibility with older browsers.
Medium: Referrer-Policy
Controls how much URL information the browser sends in the Referer header when navigating away. strict-origin-when-cross-origin is the recommended default — it sends the origin for cross-site requests but not the full path.
Medium: Permissions-Policy
Restricts which browser features your page can use: camera, microphone, geolocation, etc. Formerly called Feature-Policy. If your site doesn't use the camera, explicitly disabling it via Permissions-Policy: camera=() prevents any injected script from accessing it.
Information Leakage
The analyzer flags headers that reveal your server's technology stack:
- Server: Apache/2.4.52 (Ubuntu) tells attackers exactly which CVEs to check
- X-Powered-By: Express or PHP/8.1 gives away your framework
- X-AspNet-Version: specific .NET version information
Removing or masking these doesn't make you secure on its own, but it raises the bar for casual reconnaissance. In Nginx, server_tokens off; hides the version number (the Server: nginx header itself still appears). In Express, app.disable('x-powered-by') removes the X-Powered-By header entirely.
Caching Analysis
Beyond security, the tool inspects caching headers:
- Cache-Control: max-age, no-store, must-revalidate, public vs private
- ETag: whether the server supports conditional requests
- Expires: the older (HTTP/1.0) caching mechanism
Proper caching headers reduce server load and improve page speed. If you see no-cache on static assets, that's usually a misconfiguration.
Grading Methodology
The A+ to F grade uses a weighted point system:
| Grade | Point Range |
|---|---|
| A+ | 95-100 |
| A | 85-94 |
| B | 70-84 |
| C | 55-69 |
| D | 40-54 |
| F | 0-39 |
Points are awarded for the presence and correctness of each header, with CSP and HSTS having the highest multipliers. The presence of information leakage headers deducts points.
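As an added example (not the tool's own code), the following Python grader applies the header checks from the Security Headers section and the grade bands from the table above to a constructed set of response headers. The per-header weights and the leakage deduction are assumptions; the page states only that CSP and HSTS carry the highest multipliers and that leakage headers cost points.

```python
# Weights are an assumption; the page only says CSP and HSTS carry the highest
# multipliers. They sum to 100, so without a CSP a response tops out at 70 (a B).
WEIGHTS = {"content-security-policy": 30, "strict-transport-security": 25,
           "x-content-type-options": 15, "x-frame-options": 10,
           "referrer-policy": 10, "permissions-policy": 10}
LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
LEAK_PENALTY = 5  # assumed deduction per technology-revealing header
GRADES = [("A+", 95), ("A", 85), ("B", 70), ("C", 55), ("D", 40), ("F", 0)]  # page's bands

def header_ok(name, value):
    """Check one header's value against the recommendations given above."""
    v = value.strip().lower()
    if name == "strict-transport-security":  # max-age must be >= one year
        for part in v.split(";"):
            key, _, num = part.strip().partition("=")
            if key == "max-age" and num.isdigit():
                return int(num) >= 31536000
        return False
    if name == "x-content-type-options":
        return v == "nosniff"
    if name == "x-frame-options":
        return v in ("deny", "sameorigin")
    return bool(v)  # CSP, Referrer-Policy, Permissions-Policy: present and non-empty

def grade_headers(headers):
    """Return (grade, points, findings) for one response's header map."""
    h = {k.lower(): val for k, val in headers.items()}
    points, findings = 0, []
    for name, weight in WEIGHTS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif header_ok(name, h[name]):
            points += weight
        else:
            findings.append(f"weak {name}: {h[name]}")
    for name in LEAK_HEADERS:  # information leakage deducts points
        if name in h:
            points -= LEAK_PENALTY
            findings.append(f"leaks {name}: {h[name]}")
    points = max(0, min(100, points))
    grade = next(g for g, floor in GRADES if points >= floor)
    return grade, points, findings

SAMPLE_NO_CSP = {  # constructed sample: every header but CSP, plus a chatty Server
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Server": "Apache/2.4.52 (Ubuntu)",
}
```

Running grade_headers(SAMPLE_NO_CSP) yields a C with 65 points and two findings (missing CSP, leaking Server), which is the "everything but CSP" pattern the FAQ describes.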
Frequently Asked Questions
Can I scan localhost or internal servers?
No. The scanner runs through a backend proxy that blocks private IP ranges and reserved hostnames for security. You need a publicly reachable URL. For local testing, use tools like curl -I directly.
Why did my site score lower than expected?
Most commonly: missing CSP. Many sites have HSTS and X-Content-Type-Options configured but skip CSP because it's harder to set up. The tool explains exactly which headers are missing and why they matter.
Does the tool follow redirects?
It analyzes the headers of the final response after redirects. If your site redirects from HTTP to HTTPS, the headers analyzed are those of the HTTPS response.
Is my URL stored or logged?
No. The proxy forwards your request and returns the headers. Nothing is persisted.
What about the new Critical-CH header?
Critical-CH is a relatively new header for client hints. It's not part of the security grading yet, but the raw header view will show it if the server sends it. The same goes for emerging headers like Reporting-Endpoints and NEL (Network Error Logging).
Can I export the results?
Yes. The raw headers are available as copyable JSON for use in scripts, reports, or CI pipelines.