© 2026 Yiğit Yalım. All rights reserved.
May 11, 2026 · web

HTTP Header Analyzer

Paste response headers, get a security score. CSP / HSTS / Permissions-Policy / X-Frame-Options parsed, missing headers flagged, directives explained in plain language.

http · security · csp · headers


Paste your curl -I https://example.com output and get back, at a glance, a security score, which headers are missing or misconfigured, and what each CSP directive actually does.


What it checks

  • CSP (Content-Security-Policy) — directive-by-directive parse, unsafe-inline / unsafe-eval warnings, default-src 'self' baseline
  • HSTS (Strict-Transport-Security) — max-age minimum 6 months, includeSubDomains, preload
  • Permissions-Policy — geolocation/microphone/camera default deny
  • X-Frame-Options — clickjacking protection (CSP frame-ancestors is the modern alternative)
  • Referrer-Policy — strict-origin-when-cross-origin baseline
  • X-Content-Type-Options: nosniff — disables MIME sniffing

Usage

Run curl -I https://your-site.com and paste the header block (everything above the body). The lab categorises each header, drops absent ones into a "missing" list, and flags very weak CSPs with a red banner.

Score

A 0-100 score similar to mozilla.observatory.dev, based on header coverage and strictness. 90+ is "production-ready", 70-89 "could improve", below 70 "work to do".
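As an added example (not the lab's own code), a compact analyzer that mirrors the checks listed above and the three score bands of this section: it parses a curl -I block, walks the CSP directive by directive, checks the HSTS max-age and flags, and maps the result onto the same verdicts. The point weights, the partial credit for a short HSTS max-age, and reading "6 months" as 180 days are assumptions of this example, not the lab's scoring.

```javascript
// Added example, not the lab's own code; point weights, partial credit and the 180-day "6 months" are assumptions.
const SIX_MONTHS = 180 * 24 * 3600;
// Turn a `curl -I` block into a lower-cased name -> value map; the status line has no colon and is skipped.
function parseHeaders(raw) {
  const h = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i < 1 || /^HTTP\//i.test(line)) continue;
    h[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return h;
}
// "default-src 'self'; script-src x" -> { 'default-src': ["'self'"], 'script-src': ['x'] }
function parseCsp(value) {
  const csp = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) csp[name.toLowerCase()] = sources;
  }
  return csp;
}
function analyzeHeaders(raw) {
  const h = parseHeaders(raw), missing = [], warnings = []; let score = 0;
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (csp) {
    score += 30;
    if (!csp['default-src']) warnings.push('CSP: no default-src baseline');
    for (const [d, sources] of Object.entries(csp)) // every directive, not only script-src
      for (const bad of ["'unsafe-inline'", "'unsafe-eval'"])
        if (sources.includes(bad)) { warnings.push(`CSP: ${d} allows ${bad}`); score -= 10; }
  } else missing.push('Content-Security-Policy');
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const maxAge = Number((/max-age=(\d+)/i.exec(hsts) || [])[1] || 0);
    if (maxAge >= SIX_MONTHS) score += 15;
    else { score += 5; warnings.push(`HSTS: max-age ${maxAge} below 6 months`); }
    for (const flag of ['includesubdomains', 'preload']) if (hsts.toLowerCase().includes(flag)) score += 5;
  } else missing.push('Strict-Transport-Security');
  if (h['permissions-policy']) score += 10; else missing.push('Permissions-Policy');
  if (h['x-frame-options'] || (csp && csp['frame-ancestors'])) score += 15; else missing.push('X-Frame-Options (or CSP frame-ancestors)');
  if (h['referrer-policy']) score += 10; else missing.push('Referrer-Policy');
  if (/^nosniff$/i.test(h['x-content-type-options'] || '')) score += 10; else missing.push('X-Content-Type-Options: nosniff');
  score = Math.max(0, Math.min(100, score));
  const verdict = score >= 90 ? 'production-ready' : score >= 70 ? 'could improve' : 'work to do';
  return { score, verdict, missing, warnings };
}
const SAMPLE = `HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
strict-transport-security: max-age=3600`;
console.log(analyzeHeaders(SAMPLE)); // constructed sample (not a real site): score 25, 'work to do', four missing
```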