b2KIT

Security Headers Analyzer

Scan any URL and grade its HTTP security headers including HSTS, CSP, X-Frame-Options, and more.

Content-Security-Policy (critical)

Controls which resources the browser is allowed to load. Prevents XSS and data injection attacks.

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none'; frame-ancestors 'none'

Strict-Transport-Security (critical)

Forces browsers to use HTTPS. Prevents protocol downgrade attacks and cookie hijacking.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

X-Content-Type-Options (critical)

Prevents browsers from MIME-sniffing a response away from the declared content type.

X-Content-Type-Options: nosniff

X-Frame-Options (high)

Prevents clickjacking by controlling whether the page can be embedded in iframes.

X-Frame-Options: DENY

Referrer-Policy (high)

Controls how much referrer information is included with requests. Prevents leaking sensitive URLs.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy (high)

Controls which browser features (camera, microphone, geolocation, etc.) are allowed.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

X-XSS-Protection (medium)

Legacy XSS filter (now deprecated in modern browsers in favor of CSP). Still useful for older browsers.

X-XSS-Protection: 0

Cross-Origin-Opener-Policy (medium)

Isolates the browsing context to prevent cross-origin attacks like Spectre.

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Resource-Policy (medium)

Prevents other origins from loading your resources. Protects against Spectre-like attacks.

Cross-Origin-Resource-Policy: same-origin

Cross-Origin-Embedder-Policy (medium)

Controls whether the document can load cross-origin resources without explicit permission.

Cross-Origin-Embedder-Policy: require-corp

Security headers are HTTP response headers that enhance website security. Due to browser CORS restrictions, we cannot fetch headers directly. Copy your response headers from browser DevTools (Network tab) or use curl -I https://example.com in your terminal.
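As an added example (not the b2KIT tool's own code), the following Python analyzer takes headers pasted from curl -I or DevTools as described above, reports each header listed on this page as present, missing or misconfigured, and grades the result. The one-year HSTS minimum, the grade cut-offs and the sample response are assumptions constructed for the example.

```python
import re
def directive(csp, name):
    """Source list of one CSP directive; directives other than default-src fall back to it."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return directive(csp, "default-src") if name != "default-src" else []
def csp_ok(v):  # scripts must be restricted and must not allow inline or wildcard sources
    src = set(directive(v, "script-src"))
    return bool(src) and not src & {"'unsafe-inline'", "*"}
def hsts_ok(v):  # assumption: at least one year, the minimum the HSTS preload list accepts
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) >= 31536000
# The page's headers with their severity; each check accepts or rejects the observed value.
RULES = {
    "content-security-policy": ("critical", csp_ok),
    "strict-transport-security": ("critical", hsts_ok),
    "x-content-type-options": ("critical", lambda v: v.lower() == "nosniff"),
    "x-frame-options": ("high", lambda v: v.upper() in {"DENY", "SAMEORIGIN"}),
    "referrer-policy": ("high", lambda v: v.lower() in {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}),
    "permissions-policy": ("high", lambda v: v.strip() != ""),
    "x-xss-protection": ("medium", lambda v: v.strip() == "0"),
    "cross-origin-opener-policy": ("medium", lambda v: v.lower() == "same-origin"),
    "cross-origin-resource-policy": ("medium", lambda v: v.lower() in {"same-origin", "same-site"}),
    "cross-origin-embedder-policy": ("medium", lambda v: v.lower() in {"require-corp", "credentialless"}),
}
WEIGHT = {"critical": 3, "high": 2, "medium": 1}
def parse_headers(raw):
    """Parse pasted `curl -I` / DevTools output into {lowercase name: first value}; the status line has no colon."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers
def analyze(raw):
    """Return (grade, {header: 'ok'|'missing'|'misconfigured'}); the grade cut-offs are an assumption."""
    headers, report, earned = parse_headers(raw), {}, 0
    for name, (severity, check) in RULES.items():
        status = "missing" if name not in headers else "ok" if check(headers[name]) else "misconfigured"
        report[name], earned = status, earned + (WEIGHT[severity] if status == "ok" else 0)
    pct = 100 * earned // sum(WEIGHT[s] for s, _ in RULES.values())
    return "ABCDF"[sum(pct < cut for cut in (90, 75, 50, 25))], report

# Constructed sample response (not any real site's headers), as pasted from `curl -I`.
SAMPLE = """HTTP/2 200
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-content-type-options: nosniff"""
```

Running analyze(SAMPLE) flags the short HSTS max-age and the inline-script CSP as misconfigured, nosniff as ok, and the remaining headers as missing, which yields an F.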

How to Use Security Headers Analyzer

  1. Enter a URL: type the website URL you want to check security headers for.

  2. Run the analysis: click analyze to scan the response headers of the URL.

  3. Review the report: see which security headers are present, missing, or misconfigured.
