About

In the modern web ecosystem, HTTP headers are the first line of defense against sophisticated attack vectors. While the response body carries the data, the headers define the rules of engagement between the browser and the server. A single misconfiguration can expose an application to Cross-Site Scripting (XSS), Clickjacking, or SSL Stripping.

This tool is not a simple parser; it is an auditing engine. It evaluates your header set against industry benchmarks (OWASP, Mozilla Observatory), dissects directive-level policies such as Content-Security-Policy, and checks time-based contracts such as HSTS max-age against the preload threshold. It is designed for systems architects and security engineers who want precision rather than a presence/absence checklist.


Formulas

The security score is calculated by weighted subtraction: each missing or misconfigured header deducts a penalty proportional to its severity. The HSTS check specifically requires max-age to meet the preload-list minimum of one year and includeSubDomains to be present:

$$
\text{HSTS} =
\begin{cases}
\text{SAFE} & \text{if } \text{age} \ge 31536000 \ \land\ \text{subdomains} = \text{TRUE} \\
\text{RISK} & \text{otherwise}
\end{cases}
$$

When calculating cache lifetimes, all time units are normalized to seconds before comparison:

$$
t_{\text{total}} = \sum_{i=1}^{N} \left( \text{val}_i \times \text{unit}_i \right)
$$
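The two formulas above as runnable Python. This is an added example, not the tool's own code: it parses a Strict-Transport-Security value per RFC 6797, applies the SAFE/RISK rule, and normalizes (value, unit) pairs to seconds. The preload_eligible helper goes one step beyond the formula by also requiring the preload token; the unit table (s/m/h/d/w/y) and the sample header values are assumptions constructed for the example.

```python
import re

ONE_YEAR = 31536000  # seconds: the max-age floor the formula above requires


def parse_hsts(header):
    """Split a Strict-Transport-Security value into its directives.

    RFC 6797 directive names are case-insensitive and max-age may be quoted.
    Returns {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                parsed["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def hsts_status(header):
    """The piecewise formula: SAFE iff max-age >= 31536000 and includeSubDomains is set."""
    p = parse_hsts(header)
    safe = p["max_age"] is not None and p["max_age"] >= ONE_YEAR and p["include_subdomains"]
    return "SAFE" if safe else "RISK"


def preload_eligible(header):
    """Beyond the formula: the preload list additionally wants the 'preload' token."""
    return hsts_status(header) == "SAFE" and parse_hsts(header)["preload"]


# Assumed unit multipliers for the cache-lifetime sum; 'y' is the 365-day year the page uses.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}


def total_seconds(parts):
    """t_total = sum(val_i * unit_i) over (value, unit) pairs such as [(1, 'y'), (6, 'h')]."""
    return sum(val * UNIT_SECONDS[unit] for val, unit in parts)


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real site.
    for h in ("max-age=31536000; includeSubDomains",
              "max-age=15768000; includeSubDomains; preload",
              "max-age=63072000",
              'max-age="300"'):
        print(f"{h!r}: {hsts_status(h)}, preload-eligible={preload_eligible(h)}")
    print("1y + 6h =", total_seconds([(1, "y"), (6, "h")]), "seconds")
```

Note that a header carrying preload but a six-month max-age is still RISK: the preload token alone does nothing until the max-age and includeSubDomains conditions are met.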

Reference Data

Header | Security Function | Critical Threshold | Impact Factor
Strict-Transport-Security | Enforces HTTPS connections | max-age ≥ 31536000, with includeSubDomains | Prevents Man-in-the-Middle (MitM) and SSL stripping on repeat visits.
Content-Security-Policy | Resource execution control | No 'unsafe-inline'; no 'unsafe-eval' in script-src | The primary defense against XSS (Cross-Site Scripting).
X-Frame-Options | Iframe control | DENY or SAMEORIGIN | Blocks Clickjacking / UI-redress attacks.
Referrer-Policy | Data leakage control | strict-origin-when-cross-origin | Prevents leaking full page URLs (paths, query strings) to third-party analytics.
Permissions-Policy | Browser feature API control | camera=(), microphone=() | Disables powerful APIs (camera, microphone, geolocation) by default.
Set-Cookie | Session management | Secure; HttpOnly; SameSite=Strict | Prevents session hijacking and CSRF (XSRF).
X-Content-Type-Options | MIME type enforcement | nosniff | Stops browsers from MIME-sniffing a response into a script or page type its Content-Type did not declare.
Cache-Control | Data persistence | no-store, private | Keeps sensitive responses out of shared (proxy/CDN) caches.

Frequently Asked Questions

Presence is not enough. If the effective script-src (script-src itself, or default-src when script-src is absent) contains 'unsafe-inline', injected inline scripts run and the XSS protection is void; 'unsafe-eval' likewise lets injected strings reach eval() and new Function(). A robust CSP works on an allowlist basis, denying everything by default and then permitting specific sources, or better, permitting scripts only by nonce or hash.

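An added example, not the tool's own engine, of the directive-level check the answer above describes: a small Content-Security-Policy parser that resolves the script-src fallback to default-src, flags 'unsafe-inline' and 'unsafe-eval', notes the CSP Level 2+ rule that 'unsafe-inline' is ignored when a nonce or hash is listed alongside it, and reports a missing frame-ancestors. The sample policies are constructed for the example.

```python
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
OPEN_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [sources...]}.

    Directives are ';'-separated; the first token is the directive name
    (case-insensitive), the rest are source expressions. Browsers honour the
    first occurrence of a repeated directive, so later duplicates are dropped.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Fetch directives such as script-src fall back to default-src when absent."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def audit_csp(policy):
    """Return findings for the script-loading and framing parts of a policy."""
    d = parse_csp(policy)
    findings = []
    if "script-src" not in d and "default-src" not in d:
        findings.append("no script-src and no default-src: script execution is unrestricted")
    sources = [s.lower() for s in effective_sources(d, "script-src")]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources:
        if has_nonce_or_hash:
            findings.append("'unsafe-inline' is ignored by CSP Level 2+ browsers because a "
                            "nonce/hash is also listed, but legacy browsers still run inline scripts")
        else:
            findings.append("'unsafe-inline' permits injected inline scripts: XSS protection is void")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' permits eval()/new Function(): string-to-code injection remains")
    for s in sources:
        if s in OPEN_SOURCES:
            findings.append(f"{s} in script sources allows scripts from any origin on that scheme")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: framing control relies on X-Frame-Options alone")
    return findings


if __name__ == "__main__":
    # Constructed sample policies.
    for policy in ("default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
                   "default-src 'self' 'unsafe-inline'",
                   "script-src 'nonce-r4nd0m' 'unsafe-inline' 'strict-dynamic'; "
                   "object-src 'none'; base-uri 'none'; frame-ancestors 'self'",
                   "default-src 'self'; frame-ancestors 'none'"):
        print(policy)
        for f in audit_csp(policy) or ["no findings"]:
            print("  -", f)
```

The third sample is the nonce-based pattern: its 'unsafe-inline' exists only as a fallback for browsers that predate nonces, which is why it is reported as a note rather than as a void protection.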
X-Frame-Options is the legacy method; CSP frame-ancestors is the modern standard, and a browser that understands frame-ancestors ignores X-Frame-Options when both are present. Best practice is still to send both so that older user agents remain protected.

This is known as "banner grabbing". If the Server header tells an attacker you are running Apache 2.4.49, they can go straight to the published CVEs for that version. Security through obscurity is not a defense, but trimming the footprint denies automated scanners an easy version match and slows them down.

To be included in the browsers' hardcoded preload list, your HSTS header must carry a max-age of at least one year (31536000 seconds), include the includeSubDomains directive, and contain the preload directive. Check before submitting: includeSubDomains forces HTTPS on every subdomain, and removal from the preload list takes months to reach users, so any HTTP-only subdomain will break for the duration.

The tool cannot write to your server, but the "Config Generator" tab provides ready-to-paste snippets for Nginx, Apache, and standard .htaccess files based on the findings detected.