Security Headers Audit
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste the raw response headers (one header per line) and click “Audit”. The result lists which key security headers are present or missing and warns about weak values.
Notes (this tool)
- A header that is present but carries weak values (for example a CSP that allows 'unsafe-inline' for scripts, or an HSTS max-age of a few minutes) provides limited protection. Validate the directive values, not just presence.
- Stricter values have functional trade-offs: a tight CSP can block legitimate scripts and framing restrictions can break embeds. Use a staged rollout (e.g. Content-Security-Policy-Report-Only first) to measure the impact before enforcing.
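The checks described under “How to use” and in the notes above, as an added example that is not the tool's own code: a small browser-side auditor in JavaScript that parses a pasted header block, reports which of the key headers are missing, and flags weak values and risky combinations (a CSP that allows 'unsafe-inline' scripts without a nonce or hash, an HSTS max-age under one year, a CSP frame-ancestors that is looser than X-Frame-Options DENY, a Referrer-Policy that sends full URLs cross-origin). The function names, the one-year HSTS threshold and the sample header block are assumptions made for this example; cdn.example is a placeholder host.

```javascript
// Added example; thresholds and message texts are illustrative assumptions, not the tool's rules.

// Parse a raw response-header block into lowercase-name -> [values]; repeats are kept in order,
// and a leading status line (no colon before the first space-separated token) is skipped.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line, blank line or junk
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// Parse a CSP serialization into directive-name -> [sources]. Sources are lowercased for keyword
// matching; a repeated directive is ignored after its first occurrence, as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

const ONE_YEAR = 31536000; // seconds; the HSTS preload list's minimum max-age, used here as the audit threshold (assumption)
const REFERRER_POLICIES = new Set(['no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url']);

// Audit a raw header block; returns { missing: [...], warnings: [...] } so the result can feed a fix plan.
function auditHeaders(raw) {
  const h = parseHeaders(raw);
  const first = (name) => (h.get(name) || [])[0];
  const missing = [], warnings = [];

  // Content-Security-Policy: presence first, then directive quality.
  const csp = first('content-security-policy');
  let frameAncestors;
  if (!csp) {
    missing.push('Content-Security-Policy');
    if (first('content-security-policy-report-only')) warnings.push('CSP is Report-Only only: nothing is enforced yet');
  } else {
    const d = parseCsp(csp);
    frameAncestors = d.get('frame-ancestors');
    const scriptSrc = d.get('script-src') || d.get('default-src'); // script-src falls back to default-src
    if (!scriptSrc) {
      warnings.push('CSP has neither script-src nor default-src: scripts are unrestricted');
    } else {
      const nonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s)); // a nonce/hash makes 'unsafe-inline' ignored
      if (scriptSrc.includes("'unsafe-inline'") && !nonceOrHash) warnings.push("CSP script-src allows 'unsafe-inline' without a nonce or hash");
      if (scriptSrc.includes("'unsafe-eval'")) warnings.push("CSP script-src allows 'unsafe-eval'");
      if (scriptSrc.some((s) => s === '*' || s === 'https:')) warnings.push('CSP script-src allows scripts from any host');
    }
    if (!d.has('object-src') && !d.has('default-src')) warnings.push('CSP has no object-src and no default-src fallback');
  }

  // Strict-Transport-Security: max-age is mandatory (RFC 6797); preload also needs includeSubDomains.
  const hsts = first('strict-transport-security');
  if (!hsts) missing.push('Strict-Transport-Security');
  else {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(hsts);
    if (!m) warnings.push('HSTS has no max-age directive and will be ignored');
    else if (Number(m[1]) === 0) warnings.push('HSTS max-age=0 tells browsers to forget the host');
    else if (Number(m[1]) < ONE_YEAR) warnings.push(`HSTS max-age ${m[1]}s is below one year`);
    if (/\bpreload\b/i.test(hsts) && !/\bincludeSubDomains\b/i.test(hsts)) warnings.push('HSTS preload without includeSubDomains is not accepted by the preload list');
  }

  // Framing: X-Frame-Options and/or CSP frame-ancestors, and how the two interact.
  const xfo = first('x-frame-options');
  if (!xfo && !frameAncestors) missing.push('X-Frame-Options (or CSP frame-ancestors)');
  if (xfo && !/^(DENY|SAMEORIGIN)$/i.test(xfo)) warnings.push(`X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)`);
  if (xfo && /^DENY$/i.test(xfo) && frameAncestors && frameAncestors.join(' ') !== "'none'") warnings.push('CSP frame-ancestors is looser than X-Frame-Options DENY and takes precedence where supported');

  // X-Content-Type-Options: only nosniff means anything.
  const xcto = first('x-content-type-options');
  if (!xcto) missing.push('X-Content-Type-Options');
  else if (xcto.toLowerCase() !== 'nosniff') warnings.push(`X-Content-Type-Options "${xcto}" is not nosniff`);

  // Referrer-Policy: browsers use the last value they recognise in a comma-separated list.
  const rp = first('referrer-policy');
  if (!rp) missing.push('Referrer-Policy');
  else {
    const effective = rp.split(',').map((s) => s.trim().toLowerCase()).filter((t) => REFERRER_POLICIES.has(t)).pop();
    if (!effective) warnings.push(`Referrer-Policy "${rp}" has no recognised value`);
    else if (effective === 'unsafe-url' || effective === 'no-referrer-when-downgrade') warnings.push(`Referrer-Policy ${effective} sends the full URL to cross-origin destinations`);
  }

  if (!first('permissions-policy')) missing.push('Permissions-Policy');
  return { missing, warnings };
}

// Constructed sample input for this example (cdn.example is a placeholder host).
const SAMPLE_HEADERS = `HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; frame-ancestors 'self'
X-Frame-Options: DENY
Referrer-Policy: no-referrer-when-downgrade
X-Content-Type-Options: nosniff`;

console.log(JSON.stringify(auditHeaders(SAMPLE_HEADERS), null, 2));
```

Run it with node or paste it into a browser console. On the sample block every header except Permissions-Policy is present, yet four warnings come back, which is the point of the notes above: presence checks alone would have passed this response.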
About this page
What does this tool do?
Checks key security headers at once and highlights missing items and warnings.
Debugging workflow (recommended)
- Paste response headers to audit
- Use individual Inspect tools for details
- Prioritize CSP/HSTS/Permissions-Policy fixes
Recommendations (practical)
- Prioritize CSP and HSTS
- Use Permissions-Policy to disable unused features
- Use Referrer-Policy against referrer leakage, and X-Frame-Options (or CSP frame-ancestors) against clickjacking
Related tools
- CSP Inspect
- HSTS Inspect
- Permissions-Policy Inspect
- Referrer-Policy Inspect
- X-Frame-Options Inspect
What this tool does
- List presence of key security headers
- Warn about common risky combinations
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use phased rollout with report monitoring.
Referenced specs
- MDN: Security headers
- RFC 9110 (HTTP Semantics)
FAQ
Why can a site still be unsafe even when headers exist?
Presence alone is not enough; the values matter. A CSP that allows inline or wildcard script sources, or an HSTS max-age of only minutes or hours, still leaves exploitable gaps.
Can I apply recommendations directly to production?
Use phased rollout. Start with Report-Only or scoped paths, verify impact, then expand coverage.
Page-specific case studies
Use this page to inventory missing or weak security headers and prioritize risk reduction.
- Check presence of CSP, HSTS, X-Frame-Options, and Referrer-Policy.
- Assess whether values meet recommended security levels.
- Verify final response values are consistent across CDN and app.
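The last check in the list above, verifying that the final response matches what the application set, as an added example that is not the tool's own code: a small JavaScript comparison of the headers the origin emits against the headers a client receives through the CDN, reporting headers that were dropped, added, rewritten or duplicated at the edge. The function name, the header list and both header blocks are constructed for this example.

```javascript
// Added example; the finding categories are this example's own, not the tool's.

// Minimal parser: lowercase-name -> [values], repeated headers kept in order.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

const SECURITY_HEADERS = ['content-security-policy', 'strict-transport-security', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy'];

// One finding per header whose edge (final) value does not match the origin value.
// Duplication is its own category because browsers process only the first HSTS header (RFC 6797)
// but enforce every CSP header, so a second copy added at the edge changes behaviour either way.
function compareOriginAndEdge(originRaw, edgeRaw) {
  const o = parseHeaders(originRaw), e = parseHeaders(edgeRaw);
  const findings = [];
  for (const header of SECURITY_HEADERS) {
    const origin = o.get(header) || [], edge = e.get(header) || [];
    let issue = null;
    if (origin.length && !edge.length) issue = 'dropped at edge';
    else if (!origin.length && edge.length) issue = 'added at edge';
    else if (edge.length > origin.length) issue = 'duplicated at edge';
    else if (origin.join('\n') !== edge.join('\n')) issue = 'rewritten at edge';
    if (issue) findings.push({ header, issue, origin, edge });
  }
  return findings;
}

// Constructed header blocks: what the application emits vs. what arrives via the CDN.
const ORIGIN_HEADERS = `Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
Permissions-Policy: camera=(), microphone=()
X-Content-Type-Options: nosniff`;

const EDGE_HEADERS = `Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin`;

for (const f of compareOriginAndEdge(ORIGIN_HEADERS, EDGE_HEADERS)) {
  console.log(`${f.header}: ${f.issue} (origin=${JSON.stringify(f.origin)} edge=${JSON.stringify(f.edge)})`);
}
```

Capture the origin block directly from the application host and the edge block from a client-side request through the CDN; an "added at edge" finding is not necessarily bad, but it is a value the application team does not control and should be recorded in the same review.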
Page-specific implementation checklist
- Include audit output in periodic security reviews.
- Introduce missing headers in risk-priority order.
- Manage security exceptions with explicit expiry dates.
- Standardize audit criteria across environments.
Next to view (diagnostic order)
These links are listed in recommended diagnostic order.
- Security Headers Recommendation — Suggest recommended values for missing headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Inspect — Parse and evaluate CSP directives
- HSTS Inspect — Parse HSTS to verify HTTPS enforcement
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- X-Frame-Options Inspect — Parse X-Frame-Options to validate clickjacking protection
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff
- How to Diagnose JS/CSS Blocks from nosniff Mismatch — Trace Content-Type vs nosniff mismatches, fallback responses, and delivery-layer rewrites
Same-theme links
Security Headers
Go from missing-header detection to concrete fix planning
- Security Headers Recommendation — Suggest recommended values for missing headers
- Security Headers Fix Plan — Create a prioritized header-fix plan
- CSP Nonce/Hash Helper — Generate and verify CSP nonce/hash values
- CSP Builder — Build CSP policies from templates
- CSP Report Analyzer — Analyze CSP report JSON and summarize violation patterns
- CSP Inspect — Parse and evaluate CSP directives
- HSTS Inspect — Parse HSTS to verify HTTPS enforcement
- Permissions-Policy Inspect — Parse Permissions-Policy and review feature restrictions
- Referrer-Policy Inspect — Parse Referrer-Policy and check referrer exposure
- X-Frame-Options Inspect — Parse X-Frame-Options to validate clickjacking protection
- X-Content-Type-Options Inspect — Parse X-Content-Type-Options and validate nosniff