Security review
Check HSTS, CSP, framing protection, referrer policy, and related headers before or after a launch.
Documentation
Inspect final response headers, review security coverage first, and confirm cache, compression, and robots signals on a public URL.
Overview
Use HTTP Header Analyzer when you need one public-response audit that leads with security header coverage but still keeps transport and indexing signals in view.
Inspect the final response URL and status after redirects without reaching for browser tooling.
Confirm cache, compression, and robots directives while you review the same response.
Supported inputs
Walk through it
Workflow
Use this flow when you want the headers users and crawlers reach after redirects settle.
Workflow
Use this flow when you want to inspect the redirecting URL itself instead of the destination.
What you get
Core security headers are scored first so missing transport or framing protections are easy to spot.
The final URL, status, redirect count, cache behavior, compression, and robots signals are summarized together.
Every returned response header is shown in a stable, copy-ready format.
Avoid these mistakes
Only public URLs can be fetched. Internal or localhost targets are blocked.
Switch between first-hop and final-response mode when redirects might change the header set.
Use the checks as a practical baseline, then compare them to your own security requirements.
Glossary
This section translates the most technical labels on the page into plain language so you can interpret the output without opening another tab.
Content-Security-Policy, often shortened to CSP, tells the browser which sources are allowed for scripts, styles, frames, and other content. Teams use it to reduce the impact of injection bugs and to control embedding behavior.
HSTS stands for HTTP Strict Transport Security. It tells browsers to use HTTPS for future visits so users are less exposed to downgrade or mixed-scheme mistakes.
X-Frame-Options is an older framing control header. It tells browsers whether the page may be displayed inside a frame or iframe on another page.
frame-ancestors is the modern CSP directive for framing protection. It defines which parent pages, if any, are allowed to embed the current page.
Referrer-Policy controls how much URL information the browser shares with the next site when a user follows a link or loads a resource.
Permissions-Policy lets a site explicitly allow or deny access to browser features such as camera, microphone, geolocation, and similar capabilities.
nosniff is the important value for X-Content-Type-Options. It tells browsers not to guess a different file type than the one declared by the server.
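The checks described in this glossary can be expressed as a small offline audit. The following is an added example, not HTTP Header Analyzer's own code: the function names, the pass/fail rules, and the sample responses are assumptions chosen to show why first-hop and final-response results can differ.

```python
import re

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(url, headers):
    """Return {check: bool} for one response (the first hop or the final one)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
    csp = parse_csp(h.get("content-security-policy", ""))
    max_age = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    return {
        # Browsers ignore HSTS received over plain HTTP, and max-age=0 clears the policy.
        "hsts": url.lower().startswith("https://") and bool(max_age) and int(max_age.group(1)) > 0,
        "csp": bool(csp),
        # frame-ancestors is the modern control; a bare wildcard source restricts nothing.
        "framing": (ancestors is not None and "*" not in ancestors) or xfo in ("DENY", "SAMEORIGIN"),
        "referrer_policy": bool(h.get("referrer-policy")),
        "permissions_policy": bool(h.get("permissions-policy")),
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
    }

def missing(results):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, ok in results.items() if not ok)

# Constructed sample responses: a redirecting first hop and the final destination.
FIRST_HOP = ("http://example.com/", {"Location": "https://example.com/",
                                     "Strict-Transport-Security": "max-age=31536000"})
FINAL = ("https://example.com/", {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Content-Security-Policy-Report-Only": "script-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
})

if __name__ == "__main__":
    for label, (url, hdrs) in (("first hop", FIRST_HOP), ("final", FINAL)):
        print(label, "missing:", missing(audit_headers(url, hdrs)))
```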