Security Headers Checker

Check and analyze HTTP security headers

Security Headers Checker is a free online tool from BrowserUtils that checks and analyzes HTTP security headers. It runs entirely in your browser, so your data never leaves your device. No account required.

Content-Security-Policy (critical)
Controls which resources the browser can load. Mitigates XSS and data injection attacks.
Recommended: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

Strict-Transport-Security (critical)
Forces HTTPS connections. Prevents protocol downgrade attacks and cookie hijacking.
Recommended: max-age=63072000; includeSubDomains; preload

X-Content-Type-Options (high)
Prevents MIME-type sniffing. Reduces drive-by download attacks.
Recommended: nosniff

X-Frame-Options (high)
Controls whether the page can be embedded in iframes. Prevents clickjacking.
Recommended: DENY

X-XSS-Protection (low)
Legacy XSS filter for older browsers. Modern browsers rely on CSP instead.
Recommended: 0

Referrer-Policy (medium)
Controls how much referrer information is shared with other sites.
Recommended: strict-origin-when-cross-origin

Permissions-Policy (medium)
Controls browser features like camera, microphone, geolocation.
Recommended: camera=(), microphone=(), geolocation=()

Cross-Origin-Opener-Policy (medium)
Isolates browsing context. Prevents Spectre-like side-channel attacks.
Recommended: same-origin

Cross-Origin-Resource-Policy (medium)
Controls which origins can load your resources.
Recommended: same-origin

Cross-Origin-Embedder-Policy (low)
Controls embedding of cross-origin resources. Required for SharedArrayBuffer.
Recommended: require-corp
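
The kind of analysis described above, as an added example that is not BrowserUtils' own code: a JavaScript sketch that parses pasted response headers and grades each of the ten listed headers as ok, weak or missing. The function names, the value checks and the one-year HSTS floor are assumptions of this example.

```javascript
// Added example; value checks and names are assumptions, not BrowserUtils' rules.
const maxAge = v => Number((/(?:^|;)\s*max-age\s*=\s*"?(\d+)/i.exec(v) || [])[1] ?? -1);
const RULES = [
  ["Content-Security-Policy", "critical", cspRestrictsScripts],
  ["Strict-Transport-Security", "critical", v => maxAge(v) >= 31536000], // assumed floor: one year
  ["X-Content-Type-Options", "high", v => v.toLowerCase() === "nosniff"],
  ["X-Frame-Options", "high", v => ["DENY", "SAMEORIGIN"].includes(v.toUpperCase())],
  ["X-XSS-Protection", "low", v => v === "0"],
  ...["Referrer-Policy", "Permissions-Policy", "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy"].map(n => [n, "medium"]), // presence only
  ["Cross-Origin-Embedder-Policy", "low"],
];

// Parse pasted DevTools or `curl -I` text into a lowercase-name -> value map.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":"); // i <= 0: status line, blank line, ":status" pseudo-header
    const name = line.slice(0, i).trim().toLowerCase();
    if (i > 0 && !headers.has(name)) headers.set(name, line.slice(i + 1).trim());
  }
  return headers;
}

// Scripts are governed by script-src, falling back to default-src.
function cspRestrictsScripts(csp) {
  const parts = csp.split(";").map(p => p.trim().split(/\s+/));
  const find = n => parts.find(([name]) => name.toLowerCase() === n); // first occurrence wins
  const src = find("script-src") || find("default-src");
  if (!src) return false; // nothing limits script loading
  // A nonce or hash makes current browsers ignore 'unsafe-inline'.
  return src.some(s => /^'(nonce|sha(256|384|512))-/.test(s)) || !src.includes("'unsafe-inline'");
}

function checkHeaders(raw) {
  const seen = parseHeaders(raw);
  return RULES.map(([name, severity, valueOk]) => {
    const value = seen.get(name.toLowerCase());
    const status = value === undefined ? "missing" : valueOk && !valueOk(value) ? "weak" : "ok";
    return { name, severity, status };
  });
}

// Constructed sample, shaped like `curl -I` output.
const SAMPLE = `HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN`;
```

Calling `checkHeaders(SAMPLE)` grades the short HSTS lifetime and the inline-script CSP as weak and reports the six absent headers as missing.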

How to use Security Headers Checker

  1. Paste or type your input into the editor above.
  2. The tool processes your data instantly — right in your browser, with nothing sent to a server.
  3. Copy the result with one click or continue editing your input.

About Security Headers Checker

Free online security headers checker. Analyze HTTP response headers for security best practices including CSP, HSTS, X-Frame-Options, and more. This tool runs entirely in your browser — your data is never sent to a server. Just paste your input, get instant results, and copy with one click. No sign-up or installation required.

Security Headers Checker specs

Runtime: 100% client-side (browser)
Cost: Free — no account, no rate limits, no usage caps
Browser support: Chrome 90+, Firefox 88+, Safari 14+, Edge 90+
Part of: 299 developer tools on BrowserUtils (100% client-side)

Questions

Which security headers are most important?
Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) are the most critical. CSP prevents XSS and injection attacks, while HSTS ensures all connections use HTTPS. X-Content-Type-Options and X-Frame-Options are also high priority for preventing MIME sniffing and clickjacking.

How do I get my response headers to paste here?
Open your browser DevTools (F12), go to the Network tab, reload your page, click on the main document request, and look at the Response Headers section. You can copy the headers from there. Alternatively, use curl -I https://yoursite.com in your terminal.

What does the Strict-Transport-Security (HSTS) header do?
HSTS tells browsers to only connect to your site over HTTPS for a specified duration. Once a browser sees this header, it will refuse to load your site over plain HTTP, protecting users from downgrade attacks and SSL stripping.

Does the security headers checker scan my live website?
No. You paste your HTTP response headers into the tool and it analyzes them locally in your browser. It does not make any requests to your server.

What is the X-Frame-Options header used for?
X-Frame-Options prevents your site from being embedded in an iframe on another domain, which protects against clickjacking attacks. Set it to DENY to block all framing, or SAMEORIGIN to allow framing only by your own domain.

Embed this tool

Copy this code to embed the tool on your website. Adjust the height to fit your layout.

<iframe src="https://www.browserutils.dev/embed/security-headers-checker" width="100%" height="500" frameborder="0" title="Security Headers Checker"></iframe>
