Free: 10 checks/day · Unlimited with $79/mo Pro

HTTP Header Inspector

Fetch any URL and inspect every response header with plain-English explanations. Get a security score and see exactly which headers are missing.

Understanding HTTP security headers

HTTP response headers are instructions your server sends to the browser with every response. Security headers tell the browser how to treat your content: whether the page may be placed in a frame (X-Frame-Options, or the frame-ancestors directive of CSP, which supersedes it), whether to guess a MIME type different from the declared Content-Type (X-Content-Type-Options: nosniff), how long to insist on HTTPS for the host (Strict-Transport-Security), and which scripts are allowed to run (Content-Security-Policy). Browsers enforce these instructions on their own, with no JavaScript on your side. The flip side is that they protect only browser users: clients such as curl or a mobile app ignore them, and a header does nothing until the browser has actually received a response carrying it (HSTS, for instance, cannot protect the very first plain-HTTP visit unless the domain is on the preload list).

The most consequential header that is commonly missing is Content-Security-Policy. A well-configured CSP limits the damage of cross-site scripting (XSS) by defining exactly which script sources, image sources, and connection endpoints the page may use. A strict CSP, one that allows scripts only by nonce or hash (together with 'strict-dynamic') and lists neither 'unsafe-inline' nor 'unsafe-eval' in script-src, means that even if an attacker injects a script tag or an inline event handler, the browser refuses to run it because it carries no valid nonce. Note that a policy that merely omits 'unsafe-inline' but allows a broad host list (a bare https: scheme, or a whole CDN) still lets an injected script tag load from any allowed origin. CSP is a mitigation, not a fix: it stops most XSS payloads from executing, but the injection bug is still there and should be fixed at the source.

Permissions-Policy (formerly Feature-Policy) is the most commonly overlooked header. It controls which browser features the document and its embedded iframes may use: camera, microphone, geolocation, the Payment Request API, and more. Even if your own code never touches these features, a third-party ad or analytics script running in your page has the same privileges as your first-party code and can request them; the browser will still ask the user, but the prompt appears to come from your site. With the feature denied in Permissions-Policy, the request fails before any prompt is shown. Cross-origin iframes already lack these features unless you delegate them with an allow attribute, so the header matters mostly for scripts running in the top-level document and for features you deliberately delegate. Deny every feature you do not use, for example: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=().
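The checks the three paragraphs above describe (which headers are present, whether the CSP is strict enough to stop an injected script, whether HSTS lasts long enough, and which risky features Permissions-Policy denies) can be scripted. The Python below is an added example written for this page and is not the inspector's own code. Rather than fetching a URL it audits a dict of response headers, so it runs offline against the two constructed sample responses; the scoring weights, the half-credit rule for a present-but-weak header, and the one-year HSTS threshold are assumptions made for this example, not the tool's scoring.

```python
from __future__ import annotations
import re

# Share of the score each header earns; these weights are an assumption for
# this example, not the inspector's own scoring.
WEIGHTS = {
    "content-security-policy": 40,
    "strict-transport-security": 20,
    "x-frame-options": 15,
    "permissions-policy": 15,
    "x-content-type-options": 10,
}
RISKY_FEATURES = ("camera", "microphone", "geolocation", "payment")  # deny unless used
ONE_YEAR = 31536000  # HSTS max-age floor used here; a common recommendation, assumed


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(value: str) -> list[str]:
    """Return the weaknesses in a CSP that would let an injected script execute."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src", []))  # CSP fallback rule
    if not sources:
        return ["no script-src or default-src: script loading is unrestricted"]
    findings = []
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so it only weakens the policy alone.
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        findings.append("'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' lets injected strings reach eval()")
    if any(s in ("*", "http:", "https:") for s in sources):
        findings.append("wildcard or scheme source lets <script src> load from any host")
    return findings


def permissions_findings(value: str) -> list[str]:
    """Report the risky features that a Permissions-Policy value does not deny."""
    declared = {}
    for item in value.split(","):
        name, _, allowlist = item.strip().partition("=")
        declared[name.strip().lower()] = allowlist.strip()
    findings = []
    for feature in RISKY_FEATURES:
        allowlist = declared.get(feature)
        if allowlist is None:
            findings.append(f"{feature} is not restricted")
        elif allowlist != "()":
            findings.append(f"{feature} is allowed for {allowlist}")
    return findings


def header_findings(name: str, value: str) -> list[str]:
    """Check one header's value; an empty list means it is configured soundly."""
    if name == "content-security-policy":
        return csp_findings(value)
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        return [] if m and int(m.group(1)) >= ONE_YEAR else ["max-age missing or below one year"]
    if name == "x-frame-options":  # CSP frame-ancestors supersedes this header where both are set
        return [] if value.strip().upper() in ("DENY", "SAMEORIGIN") else ["value is neither DENY nor SAMEORIGIN"]
    if name == "x-content-type-options":
        return [] if value.strip().lower() == "nosniff" else ["value is not nosniff"]
    return permissions_findings(value)


def audit(headers: dict[str, str]) -> dict:
    """Score a response: full credit for a sound header, half for a weak one, none if missing."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score, missing, findings = 0, [], []
    for name, weight in WEIGHTS.items():
        if name not in lowered:
            missing.append(name)
            continue
        problems = header_findings(name, lowered[name])
        findings.extend(f"{name}: {p}" for p in problems)
        score += weight if not problems else weight // 2
    return {"score": score, "missing": missing, "findings": findings}


# Constructed sample responses for this example, not captured from any real site.
WEAK_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
}
STRICT_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-d2VsbC1rbm93bg' 'strict-dynamic'; "
                               "object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
```

Calling audit(WEAK_RESPONSE) scores 40 and reports X-Frame-Options and Permissions-Policy missing, the 'unsafe-inline' weakness in script-src, and the one-hour HSTS lifetime; audit(STRICT_RESPONSE) scores 100 with no findings. To run it against a live site, pass the name/value pairs from any HTTP client, for instance dict(requests.get(url).headers); the audit never needs the body, only the headers. The nonce check matters: a policy that carries a nonce alongside 'unsafe-inline' (a common compatibility pattern for old browsers) is not flagged, because CSP3 browsers drop 'unsafe-inline' once a nonce or hash is present.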