
Security Header Checker

Paste HTTP response headers to validate security header presence, correct values, and flag missing or misconfigured headers.

No data is transmitted — everything runs locally

Security Header Checker

The Security Header Checker validates HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, COOP, COEP, Referrer-Policy, and Permissions-Policy header correctness.

• Audit security headers before a penetration test engagement

• Check whether HSTS includeSubDomains is set before submitting to the preload list

• Validate COOP and COEP headers before enabling SharedArrayBuffer

• Identify deprecated security headers that should be replaced with modern equivalents

What does this tool tell you?
The Security Header Checker validates HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, COOP, COEP, Referrer-Policy, and Permissions-Policy header correctness.
What affects the result most?
• X-Frame-Options: DENY or SAMEORIGIN — deprecated in favor of CSP frame-ancestors but widely supported.

• X-Content-Type-Options: nosniff — prevents MIME type sniffing on IE/Edge.

• Referrer-Policy: strict-origin-when-cross-origin — limits referrer to origin only for cross-origin requests.
How should I use the result?
Treat the tool's output as a first-pass check, not a proof of correctness. A clean pass means no issues in the patterns this tool recognizes; a failure points to a specific problem you can investigate in your source. The underlying spec is the authoritative source for edge cases.
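The checks listed above (header presence, accepted values, HSTS preload requirements, COOP/COEP for SharedArrayBuffer, deprecated headers) as a small self-contained checker. This is an added example, not the tool's own code; the rule table, the one-year max-age threshold and the sample response are constructed here, and the accepted Referrer-Policy values are an assumption about what counts as "strict enough".

```python
import re
def _hsts_ok(v):
    """Preload requires includeSubDomains and a max-age of at least one year (31536000 s)."""
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in v.lower()

# Rule table for the headers the page lists, name -> (value test, note on failure);
# a constructed subset of the criteria, not the tool's own rule set.
RULES = {
    "strict-transport-security": (_hsts_ok, "need max-age>=31536000 and includeSubDomains"),
    "content-security-policy": (lambda v: "frame-ancestors" in v.lower(), "set frame-ancestors"),
    "x-frame-options": (lambda v: v.upper() in ("DENY", "SAMEORIGIN"), "use DENY or SAMEORIGIN"),
    "x-content-type-options": (lambda v: v.lower() == "nosniff", "must be nosniff"),
    "cross-origin-opener-policy": (lambda v: v.lower() == "same-origin", "use same-origin"),
    "cross-origin-embedder-policy": (lambda v: v.lower() in ("require-corp", "credentialless"),
                                     "use require-corp or credentialless"),
    "referrer-policy": (lambda v: v.lower() in ("no-referrer", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin"), "use strict-origin-when-cross-origin"),
    "permissions-policy": (lambda v: bool(v.strip()), "value is empty"),
}
DEPRECATED = {"feature-policy": "replace with Permissions-Policy"}  # has a modern equivalent

def parse_headers(raw):
    """Parse pasted 'Name: value' lines into a dict keyed by lower-cased name; status line skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(raw):
    """Return (header, status, note) findings; status is missing, misconfigured or deprecated."""
    h = parse_headers(raw)
    findings = [(n, "missing" if n not in h else "misconfigured", note)
                for n, (ok, note) in RULES.items() if n not in h or not ok(h[n])]
    return findings + [(n, "deprecated", note) for n, note in DEPRECATED.items() if n in h]

def sharedarraybuffer_ready(raw):
    """True when COOP and COEP carry the values cross-origin isolation requires."""
    h = parse_headers(raw)
    return all(RULES[n][0](h.get(n, "")) for n in ("cross-origin-opener-policy", "cross-origin-embedder-policy"))

# Constructed sample response with weak, missing and deprecated headers.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Cross-Origin-Opener-Policy: same-origin
Feature-Policy: geolocation 'none'
"""
```

Calling `check_headers(SAMPLE)` flags the short HSTS max-age and the bad X-Frame-Options value as misconfigured, the absent CSP, nosniff, COEP, Referrer-Policy and Permissions-Policy as missing, and Feature-Policy as deprecated; `sharedarraybuffer_ready(SAMPLE)` is False because COEP is absent.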