Bulk • Redirect-aware • Exportable

HTTP Security Headers Checker

Check common security headers on the final destination URL after redirects. Paste up to 20 URLs and export your report.

Notes: Some servers block bots or strip headers for non-browser requests. Results are best-effort.

Tip: Missing headers aren’t always “broken”, but they’re common hardening wins.

Quick interpretation

These headers reduce common web risks: clickjacking, XSS, MIME sniffing, data leaks.

  • HSTS enforces HTTPS
  • CSP helps prevent XSS
  • XFO prevents clickjacking (framing by other sites)
  • XCTO blocks MIME sniffing
Security hardening

HTTP security headers checker: audit your header policy

This tool scans response headers and highlights missing or weak security directives. Use it to catch easy wins before deeper security testing.

What this tool checks

  • Strict-Transport-Security (HSTS) — forces HTTPS after the first secure visit.
  • Content-Security-Policy (CSP) — reduces XSS impact and controls content sources.
  • X-Frame-Options / frame-ancestors — helps prevent clickjacking.
  • X-Content-Type-Options — blocks MIME sniffing.
  • Referrer-Policy — limits referrer leakage.
  • Permissions-Policy — restricts powerful browser features.

How to use

  • Paste up to 20 URLs.
  • Run analysis; the checker follows redirects and evaluates the final response.
  • Export CSV or copy the summary to a spreadsheet.

FAQ

What are HTTP security headers?

HTTP security headers are response directives that harden a website in browsers. They help reduce common risks like clickjacking, XSS impact, MIME sniffing, and accidental data leakage via referrers.

Why does this tool follow redirects?

Security headers must be checked on the final destination URL, because that’s what the browser actually uses. Many sites redirect from http → https or to a canonical host, and headers can change across hops.

Why can results differ from browser DevTools?

CDNs and WAFs can vary headers by user-agent, country, or cache state. Bot protection can also block or rewrite responses. This checker issues a server-side request and reads the final response headers on a best-effort basis.

Is “missing” always a problem?

Not always. Some headers are optional and can break functionality if applied blindly. But a missing CSP, a missing HSTS header (on HTTPS sites), or missing clickjacking protection is usually a real hardening gap.

Which headers matter the most?

Common “big wins” are: Strict-Transport-Security (HTTPS enforcement), Content-Security-Policy (XSS mitigation), X-Frame-Options / frame-ancestors (clickjacking), X-Content-Type-Options (nosniff), and Referrer-Policy (data leakage control).

Why is HSTS “warn” on HTTP URLs?

HSTS is only effective when delivered over HTTPS. If you check an http:// URL, the tool warns because HSTS can’t protect the first insecure request.

What does “CSP contains unsafe-inline/unsafe-eval” mean?

Those keywords weaken CSP because they allow inline scripts or eval-like behavior, which are common XSS vectors. Sometimes they’re needed for legacy code, but it’s better to replace them with nonces/hashes if possible.

Why is X-XSS-Protection marked as deprecated?

Modern browsers no longer rely on X-XSS-Protection. Some even ignore it. Real XSS protection today is mainly about proper output escaping and a strong Content-Security-Policy.
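The checks listed under "What this tool checks" and the HSTS, CSP and X-XSS-Protection answers above, as an added Python example that is not the tool's own code: it grades the final hop of a constructed redirect chain and also flags earlier HTTPS hops that omit HSTS. The letter-grade scale, the function names and the example.test hostnames are assumptions made for this example.

```python
from urllib.parse import urlparse

BIG_WINS = ("HSTS", "CSP", "XFO", "XCTO", "Referrer-Policy", "Permissions-Policy")

def evaluate_headers(final_url, headers):
    """Grade the final response's security headers; the letter scale is an assumption."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    https = urlparse(final_url).scheme == "https"
    f = {}
    # HSTS is only honoured over HTTPS; on http:// it cannot protect the first request.
    if "strict-transport-security" not in h:
        f["HSTS"] = "missing"
    else:
        f["HSTS"] = "ok" if https else "warn"
    # CSP: present is good, but 'unsafe-inline' / 'unsafe-eval' weaken it (XSS vectors).
    csp = h.get("content-security-policy")
    if csp is None:
        f["CSP"] = "missing"
    else:
        f["CSP"] = "warn" if ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp) else "ok"
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    f["XFO"] = "ok" if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in (csp or "") else "missing"
    f["XCTO"] = "ok" if h.get("x-content-type-options", "").strip().lower() == "nosniff" else "missing"
    f["Referrer-Policy"] = "ok" if "referrer-policy" in h else "missing"
    f["Permissions-Policy"] = "ok" if "permissions-policy" in h else "missing"
    if "x-xss-protection" in h:  # modern browsers ignore it: flag it, don't reward it
        f["X-XSS-Protection"] = "deprecated"
    ok = sum(1 for k in BIG_WINS if f[k] == "ok")
    return {"grade": {6: "A", 5: "B", 4: "C", 3: "D"}.get(ok, "F"), "findings": f}

def evaluate_chain(hops):
    """Grade the last hop of [(url, status, headers), ...]; also list earlier HTTPS hops lacking HSTS."""
    result = evaluate_headers(hops[-1][0], hops[-1][2])
    result["hops_missing_hsts"] = [
        url for url, _status, hdrs in hops[:-1]
        if urlparse(url).scheme == "https"
        and "strict-transport-security" not in {k.lower() for k in hdrs}
    ]
    return result

# Constructed sample redirect chain (example.test is a placeholder, not a real site).
SAMPLE_CHAIN = [
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 301, {"Location": "https://www.example.test/"}),
    ("https://www.example.test/", 200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin", "X-XSS-Protection": "1; mode=block"}),
]
```

Running `evaluate_chain(SAMPLE_CHAIN)` grades the final hop "C" (CSP warned for 'unsafe-inline', Permissions-Policy missing, X-XSS-Protection flagged as deprecated) and reports that the intermediate https://example.test/ redirect omitted HSTS.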

Does a good grade mean the site is secure?

No. This tool only audits headers. Security also depends on code quality, authentication, server configuration, dependency vulnerabilities, and real testing. Use this as a quick hardening checklist, not a guarantee.

Why do some sites show fewer headers on errors or redirects?

Some servers add headers only on 200 responses, or forget to add them on redirects and error pages. Ideally, key protections should be consistent across all responses (especially redirects to HTTPS).