Does this tool make a request to the URL?

No. It only parses the header text you paste. It never connects to any server, so it works for internal or authenticated responses you have already captured.

How do I get a site's response headers?

Run curl -I https://example.com in a terminal, or open your browser's developer tools, go to the Network tab, click the document request, and copy the Response Headers section.

What headers does it score?

Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options or CSP frame-ancestors, Referrer-Policy, Permissions-Policy, Cache-Control, and Server version disclosure.

Why does my CSP only earn partial points?

If your Content-Security-Policy contains 'unsafe-inline' or 'unsafe-eval', it permits inline scripts that defeat much of CSP's XSS protection, so the analyzer awards a reduced score and flags it.

Is a perfect score required?

No. The grade is a guide, not a mandate. Some headers like Permissions-Policy depend on what a site actually uses. Treat warnings as prompts to consider, and missing security headers as items to prioritise.

HTTP Response Header Analyzer

HTTP response headers carry instructions from a server to the browser about security, caching, and content handling. A handful of these headers are the front line against attacks like cross-site scripting, clickjacking, and protocol downgrade. This free analyzer scores a pasted header block so you can see your security posture at a glance — without any request being made.

How it works

The tool splits your pasted text into lines, skips any HTTP/... status line, and parses each Header-Name: value pair (case-insensitive, repeated headers comma-joined). It then runs a fixed rubric:

Content-Security-Policy earns full points when present and clean, and reduced points if it contains 'unsafe-inline' or 'unsafe-eval'.
Strict-Transport-Security earns full points when max-age is at least about 180 days.
X-Content-Type-Options must be nosniff.
X-Frame-Options or a CSP frame-ancestors directive protects against clickjacking.
Referrer-Policy, Permissions-Policy, and Cache-Control are checked for presence.
A Server header that leaks a version number is flagged as information disclosure.

Each check contributes weighted points; the total is converted to a percentage and a letter grade from A to F.

Tips and notes

The fastest way to capture headers is curl -sI https://example.com. Aim to ship CSP and HSTS first — they protect against the highest-impact attacks. Remember that a strong CSP without 'unsafe-inline' requires nonces or hashes for any inline scripts, so plan for that when tightening the policy.