Enter a URL above and click Check Headers to analyze HTTP response headers.
Checks: CSP · HSTS · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · COOP · CORP · Cookie Flags
Analyze HTTP response headers and security posture for any URL. Check CSP, HSTS, X-Frame-Options and more with a scored security grade and fix recommendations.
TechOreo's HTTP Header Checker fetches and displays all HTTP response headers for any URL, then runs a security audit across 8 critical headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy) plus a check of the flags on every Set-Cookie header:
CSP and HSTS carry 15 points each; the other six headers carry 10 points each (base total: 90 points). Bonus points (up to 5 per header) reward best-practice values, for example HSTS with includeSubDomains or a CSP without 'unsafe-inline'. Each missing header is reported together with the specific recommended value to add.
CSP restricts which scripts, styles, images, and iframes may load and is the primary XSS defence. A minimal starting policy is default-src 'self'. Avoid 'unsafe-inline' in script-src (or in default-src, which script-src falls back to when it is absent): it permits arbitrary inline JavaScript and largely defeats CSP's protection against script injection. Inline scripts that cannot be moved into files should be allowed with a per-response nonce ('nonce-<random>') or a hash ('sha256-<base64 digest>') instead; once a nonce or hash is present in the directive, CSP Level 2 and later browsers ignore 'unsafe-inline' there anyway.
HSTS tells browsers to use HTTPS only for this host for the max-age duration (seconds); the header is only honoured when it arrives over a valid HTTPS connection. The recommended value is max-age=31536000; includeSubDomains; preload: one year, all subdomains, and eligibility for the browser preload lists so protection applies even on a user's first-ever visit to the domain, before any header has been seen. Two caveats: the preload directive does nothing by itself until the domain is submitted to hstspreload.org and shipped in browser builds (the list requires a max-age of at least one year plus includeSubDomains), and preloading is slow to reverse, so confirm every subdomain already serves HTTPS before adding it.
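The scoring rubric above, together with the CSP and HSTS checks that feed its two named bonuses, as an added, runnable Python example. This is illustrative code written for this page, not TechOreo's implementation: the header weights and grade thresholds are the ones the page states, the two sample responses are constructed, and because the page does not publish the tool's full bonus table only the two bonuses it names are modelled.

```python
"""Added example (not TechOreo's code): score a raw response header block with
the rubric this page describes; only the two bonuses the page names are modelled."""

WEIGHTS = {  # points per header; names compared case-insensitively
    "content-security-policy": 15,
    "strict-transport-security": 15,
    "x-frame-options": 10,
    "x-content-type-options": 10,
    "referrer-policy": 10,
    "permissions-policy": 10,
    "cross-origin-opener-policy": 10,
    "cross-origin-resource-policy": 10,
}
GRADES = [(95, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D")]  # below 30: F

def parse_headers(raw):
    """Raw header block -> {lowercase name: [values]}; repeated headers are kept."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_csp(policy):
    """CSP string -> {directive: [sources]}, everything lowercased."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def csp_allows_inline_script(policy):
    """True when the effective script directive permits arbitrary inline JS.
    script-src falls back to default-src when absent, and a nonce or hash
    source makes CSP Level 2+ browsers ignore 'unsafe-inline'."""
    d = parse_csp(policy)
    sources = d.get("script-src", d.get("default-src", []))
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not nonce_or_hash

def parse_hsts(value):
    """HSTS value -> (max-age seconds, or None if absent/malformed; lowercase flags)."""
    max_age, flags = None, set()
    for part in (p.strip().lower() for p in value.split(";") if p.strip()):
        if part.startswith("max-age="):
            max_age = int(part[8:]) if part[8:].isdigit() else None
        else:
            flags.add(part)
    return max_age, flags

def score_headers(raw):
    """Return (score, grade, findings) for a raw response header block."""
    headers = parse_headers(raw)
    score, findings = 0, []
    for name, weight in WEIGHTS.items():
        if name in headers:
            score += weight
        else:
            findings.append(f"missing {name}")
    if "content-security-policy" in headers:
        if csp_allows_inline_script(headers["content-security-policy"][0]):
            findings.append("CSP permits inline script ('unsafe-inline' without nonce/hash)")
        else:
            score += 5  # bonus: CSP without unsafe-inline
    if "strict-transport-security" in headers:
        max_age, flags = parse_hsts(headers["strict-transport-security"][0])
        if max_age is None or max_age < 31536000:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" in flags:
            score += 5  # bonus: HSTS with includeSubDomains
        else:
            findings.append("HSTS lacks includeSubDomains")
    grade = next((g for threshold, g in GRADES if score >= threshold), "F")
    return score, grade, findings

# Constructed sample responses, not captured from any real site.
GOOD = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
"""
WEAK = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
"""
```

Calling score_headers(GOOD) yields the full 100 points and an A+; score_headers(WEAK) collects the 60 base points for the five headers present, earns neither bonus, and lands on a C with findings for the three missing headers, the inline-script CSP, and the short, subdomain-less HSTS.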
Referrer-Policy: strict-origin-when-cross-origin sends the full URL only for same-origin requests, just the origin for cross-origin requests, and nothing at all when navigating from HTTPS to HTTP, preventing path and query-string leakage to third parties. Permissions-Policy should explicitly deny browser APIs the site does not use, for example camera=(), microphone=(), geolocation=(). The empty allowlist () denies the feature to the page itself and to every frame it embeds; (self) keeps it for your own origin while still denying it to third-party iframes.
Cross-Origin-Opener-Policy: same-origin places the document in its own browsing context group, so a cross-origin page that opened it (or that it opened) has its window.opener reference severed and cannot reach the window. Cross-Origin-Resource-Policy: same-origin tells browsers to refuse cross-origin no-cors loads of the resource (images, scripts and media requested by other origins); together with COEP it is part of the cross-origin isolation that mitigates Spectre-style side-channel reads of your responses. For session cookies always set Secure (HTTPS only), HttpOnly (no JavaScript access) and SameSite. SameSite=Strict blocks all cross-site transmission, including top-level navigations, so a user following a link from another site arrives without the cookie; SameSite=Lax, which still withholds the cookie from cross-site POSTs and subresource requests, is the usual compromise for a session cookie.
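The Cookie Flags check described above, as an added Python example written for this page (illustrative code, not TechOreo's own): it audits each Set-Cookie header against the three recommended flags, applies the SameSite=None-requires-Secure rule browsers enforce, and produces the hardened value a fix recommendation would suggest. The sample response is constructed.

```python
"""Added example (not TechOreo's code): audit Set-Cookie headers for the
Secure, HttpOnly and SameSite flags and produce a hardened value."""


def parse_set_cookie(value):
    """One Set-Cookie value -> (cookie name, {lowercase attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Findings for a cookie against the page's advice: Secure, HttpOnly and
    an explicit SameSite value. An empty list means the cookie passes."""
    _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite (Chromium-based browsers treat it as Lax)")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append("SameSite=None requires Secure")
    elif samesite not in ("strict", "lax", "none"):
        findings.append(f"unrecognised SameSite value {samesite!r}")
    return findings


def harden(value, samesite="Strict"):
    """Return the Set-Cookie value with any missing flag appended. Existing
    attributes are kept; pass samesite="Lax" when the cookie must survive
    top-level navigations from other sites (Strict drops it there)."""
    _, attrs = parse_set_cookie(value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if "secure" not in attrs:
        parts.append("Secure")
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    if "samesite" not in attrs:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def audit_response(raw):
    """Audit every Set-Cookie header in a raw header block -> {name: findings}."""
    report = {}
    for line in raw.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            name, _ = parse_set_cookie(value.strip())
            report[name] = audit_cookie(value.strip())
    return report


# Constructed sample response, not captured from any real server.
SAMPLE = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Secure; SameSite=Lax
Set-Cookie: tracker=1; Path=/; SameSite=None
Set-Cookie: login=ok; Path=/; Secure; HttpOnly; SameSite=Strict
"""

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE).items():
        print(name, findings or "ok")
    print(harden("sessionid=abc123; Path=/"))
```

harden() defaults to SameSite=Strict, matching the page's recommendation; for a session cookie that must still be present when a user lands on the site from an external link, call it with samesite="Lax" instead.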
Reference notes for the individual checks:

Content-Security-Policy: a good starting point is default-src 'self'; script-src 'self'. Avoid 'unsafe-inline', which permits arbitrary inline scripts and largely defeats CSP's XSS protection.

Strict-Transport-Security: max-age=31536000 enforces HTTPS for one year. Adding includeSubDomains extends the protection to all subdomains. HSTS prevents protocol downgrade attacks and cookie hijacking over unencrypted HTTP connections.

X-Frame-Options: DENY or SAMEORIGIN controls whether the page may be embedded in a frame, the classic clickjacking defence. The CSP frame-ancestors directive offers more granular control in modern browsers (it accepts an allowlist of origins) and, where both are present, takes precedence over X-Frame-Options.

X-Content-Type-Options: nosniff prevents browsers from guessing (MIME-sniffing) a response's content type. Without it, a browser that sniffs may treat a response declared as text/plain as JavaScript if the body looks like script. With nosniff the browser honours the declared Content-Type strictly: a script response that is not served with a JavaScript MIME type, or a stylesheet not served as text/css, is refused, so an uploaded or injected file cannot be repurposed as script.

Referrer-Policy: strict-origin-when-cross-origin sends the full URL to same-origin destinations, only the origin for cross-origin requests, and nothing at all on HTTPS-to-HTTP downgrades.

Scoring: bonus points reward best-practice values such as includeSubDomains on HSTS or a CSP without unsafe-inline. Grades: A+ ≥ 95, A ≥ 85, B ≥ 70, C ≥ 50, D ≥ 30, F < 30.