Why analyze your security HTTP headers?
Security HTTP headers form the browser-side first line of defense for your website. Without CSP, HSTS or X-Frame-Options, you leave attackers openings that current browser standards can close. A regular website security test detects these oversights before they turn into incidents.
Our analyzer fetches the HTTP headers returned by your server, compares them against OWASP and Mozilla recommendations, then computes a weighted score with a grade from A to F. You get a clear view of the gaps to fix in 30 seconds.
Three main use cases:
- Production rollout audit: validate the security headers configuration before going public
- Compliance tracking: prepare a PCI DSS, ISO 27001 or SOC 2 audit that requires these controls
- Incident response: verify that no critical HTTP header was removed after a server update
How to use the analyzer in 3 steps
Step 1: enter the URL to test
Enter the full URL to analyze, for example https://captaindns.com. The tool accepts public URLs over HTTPS or HTTP, and follows the first redirect if necessary.
Step 2: run the headers analysis
Click Analyze headers. The server performs a GET request to the URL, captures all the returned HTTP headers, then applies the scoring rules to the 10 monitored security headers.
Step 3: read the grade and recommendations
You get:
- The A to F grade and the score out of 100
- The header-by-header detail with present/absent status
- The recommended values for each missing header
- The educational tooltips explaining the role of each header
What are security HTTP headers?
An HTTP header is a metadata line sent by the server alongside the page content. Security headers are a specific family of headers that tell the browser which behaviors to block or restrict in order to limit client-side attacks.
When your browser loads https://captaindns.com, the server returns its HTTP headers before the HTML body. These headers say, for example: 'Only use HTTPS for this host for one year' (HSTS), 'Only execute scripts served from my own origin' (CSP with script-src 'self'), or 'Refuse to be displayed in an iframe' (X-Frame-Options).
Example of HTTP headers returned by a secure site:
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=()
Without these security headers, the browser applies much more permissive default behaviors inherited from the early days of the web.
The 10 analyzed headers and their role
The tool evaluates 10 HTTP headers, each with a weight reflecting its impact on the security posture.
| HTTP Header | Weight | Role | Example value |
|---|---|---|---|
| Strict-Transport-Security | 2.0 | Forces HTTPS and blocks sslstrip-style downgrades once the policy has been seen (or preloaded) | max-age=31536000; includeSubDomains; preload |
| Content-Security-Policy | 2.0 | Blocks XSS and script injection | default-src 'self'; script-src 'self' |
| Content-Security-Policy-Report-Only | 0.5 | CSP in observation mode, without blocking | default-src 'self'; report-uri /csp-report |
| X-Frame-Options | 1.0 | Prevents clickjacking via iframe | DENY or SAMEORIGIN |
| X-Content-Type-Options | 1.0 | Blocks MIME sniffing | nosniff |
| Referrer-Policy | 1.0 | Limits URL leakage via Referer | strict-origin-when-cross-origin |
| Permissions-Policy | 1.0 | Restricts browser APIs (camera, mic, geolocation) | geolocation=(), microphone=() |
| Cross-Origin-Opener-Policy | 1.0 | Isolates the browsing context | same-origin |
| Cross-Origin-Embedder-Policy | 1.0 | Controls loaded cross-origin resources | require-corp |
| Cross-Origin-Resource-Policy | 1.0 | Defines who can load your resources | same-origin or same-site |
Maximum total: 11.5 points. The score is then scaled to 100 to produce the final grade.
How is your A to F grade calculated?
The calculation applies a simple and reproducible logic.
Step 1: raw score
Each header that is present and properly configured earns its full weight. A header that is present but misconfigured (e.g. HSTS with a max-age too short) earns a reduced weight. The maximum raw total is 11.5 points.
Step 2: scaling to 100
The raw score is scaled to 100 with a rule of three: score = (raw / 11.5) × 100.
Step 3: grade assignment
| Grade | Score out of 100 | Interpretation |
|---|---|---|
| A | >= 90 | Excellent posture, compliant with 2026 best practices |
| B | >= 75 | Good configuration, a few headers to complete |
| C | >= 60 | Partial configuration, critical headers missing |
| D | >= 40 | Weak posture, several security headers absent |
| F | < 40 | No significant protection, urgent action recommended |
Key takeaway: HSTS and CSP together account for 4 of the 11.5 points, more than a third of the score. Missing both costs about 35 points out of 100: a site that is otherwise perfect falls to 65 (C), so their absence mechanically drops the grade by at least two notches.
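The three steps above (fetch the URL, capture the headers, score and grade) and the weights and thresholds in the two tables, as an added Python example; this is not the analyzer's own source. The weights, the 11.5 maximum and the grade bands are the ones printed on this page. The "present but misconfigured" rules (HSTS max-age under one year, CSP with 'unsafe-inline' and no nonce or hash, a non-standard X-Frame-Options value) and the half credit they earn are assumptions chosen for illustration. The sample response is constructed from the header block shown earlier on this page.

```python
import re
import sys
import urllib.request

# Weights from the table on this page; they sum to 11.5.
WEIGHTS = {
    "strict-transport-security": 2.0,
    "content-security-policy": 2.0,
    "content-security-policy-report-only": 0.5,
    "x-frame-options": 1.0,
    "x-content-type-options": 1.0,
    "referrer-policy": 1.0,
    "permissions-policy": 1.0,
    "cross-origin-opener-policy": 1.0,
    "cross-origin-embedder-policy": 1.0,
    "cross-origin-resource-policy": 1.0,
}
MAX_RAW = sum(WEIGHTS.values())
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]  # from the page, highest first

HSTS_MIN_MAX_AGE = 31536000  # assumption: under one year counts as "max-age too short"
PARTIAL_CREDIT = 0.5         # assumption: credit for a header that is present but weakened

# Constructed sample: the response head shown earlier on this page.
SAMPLE_RESPONSE = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=()
"""


def _add_header(headers, name, value):
    """Store a header under its lowercase name; repeated headers are joined with ', '."""
    name, value = name.strip().lower(), value.strip()
    headers[name] = f"{headers[name]}, {value}" if name in headers else value


def parse_raw_headers(raw):
    """Parse a raw response head (status line, then 'Name: value' lines) into a dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line, blank line or garbage
        name, _, value = line.partition(":")
        _add_header(headers, name, value)
    return headers


def fetch_headers(url, timeout=10.0):
    """GET the URL and return its response headers. urllib follows every redirect
    in the chain, whereas the tool described above stops after the first one."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-score-example/1.0"})
    headers = {}
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        for name, value in resp.getheaders():
            _add_header(headers, name, value)
    return headers


def header_credit(name, value):
    """Fraction of the weight earned: 1.0 when well configured, PARTIAL_CREDIT when
    present but weakened, 0.0 when the value is empty. The checks are assumptions."""
    v = value.strip().lower()
    if not v:
        return 0.0
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if m is None or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            return PARTIAL_CREDIT
    elif name == "content-security-policy":
        # 'unsafe-inline' reopens most XSS, unless a nonce or hash is also present,
        # in which case CSP3 browsers ignore it.
        if "'unsafe-inline'" in v and "nonce-" not in v and "sha256-" not in v:
            return PARTIAL_CREDIT
    elif name == "x-frame-options":
        if v not in ("deny", "sameorigin"):
            return PARTIAL_CREDIT  # e.g. the obsolete ALLOW-FROM
    elif name == "x-content-type-options":
        if v != "nosniff":
            return PARTIAL_CREDIT
    return 1.0


def score_headers(headers):
    """Return (raw score, score out of 100, grade, {header: (status, points)})."""
    detail, raw = {}, 0.0
    for name, weight in WEIGHTS.items():
        if name in headers:
            credit = header_credit(name, headers[name])
            status = "ok" if credit == 1.0 else "weak"
        else:
            credit, status = 0.0, "missing"
        detail[name] = (status, weight * credit)
        raw += weight * credit
    scaled = raw / MAX_RAW * 100  # the page's rule of three
    grade = next(g for threshold, g in GRADE_BANDS if scaled >= threshold)
    return raw, scaled, grade, detail


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_raw_headers(SAMPLE_RESPONSE)
    raw, scaled, grade, detail = score_headers(headers)
    for name, (status, points) in detail.items():
        print(f"{name:38} {status:8} {points:.1f}/{WEIGHTS[name]:.1f}")
    print(f"raw {raw:.1f}/{MAX_RAW:.1f}  score {scaled:.1f}/100  grade {grade}")
```

Run it with a URL argument to score a live site, or without one to score the constructed sample. Note what the weights imply: the six-header sample earns 8.0 of 11.5 points (69.6, grade C), a site missing all three Cross-Origin-* headers cannot score above 73.9 (B), and one that also omits the report-only policy tops out at C.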
Concrete use cases
Incident 1: site graded F after redesign
Symptom: after migrating to a new framework, the site gets an F when it had a B before the redesign.
Diagnosis: the analyzer reveals that CSP, HSTS and X-Frame-Options are absent. The old Nginx server was adding them; they disappeared with the switch to a managed hosting that does not set them by default.
Action: add the security headers in the new framework configuration (next.config.js, Express middleware, etc.) then run the analysis again to confirm the return to grade B or A.
Incident 2: compliance audit blocked
Symptom: the auditor reports the absence of security headers as a major finding, blocking PCI DSS certification.
Diagnosis: the website security test confirms HSTS missing, CSP missing, Referrer-Policy not defined. The Apache server serves the default config without additions.
Action: configure Header set directives in the Apache vhost (mod_headers must be enabled), deploy to staging, run the analyzer to verify the grade, then push to production. Run the test once more to provide the compliant report to the auditor.
Incident 3: clickjacking detected in bug bounty
Symptom: a security researcher reports via bug bounty that they can frame the client dashboard in a malicious iframe.
Diagnosis: the analyzer shows X-Frame-Options absent and CSP without the frame-ancestors directive. The browser therefore allows embedding by default.
Action: add X-Frame-Options: DENY and frame-ancestors 'none' in the CSP. Keep both: browsers that support frame-ancestors ignore X-Frame-Options when the directive is present, and X-Frame-Options covers the rest. A Content-Security-Policy-Report-Only header does not block framing. Run the analysis again to confirm the flaw is closed, then close the bug bounty ticket.
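The diagnosis and fix from Incident 3, as an added Python example (not the analyzer's code): it works out what framing a browser will actually allow for a response, reports the findings named above, and appends frame-ancestors to an existing CSP without overwriting its other directives. It takes the lowercase-keyed header dict an analyzer would produce; the dashboard headers in the main block are a constructed input.

```python
def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None when absent.
    A header carrying several comma-joined policies counts if any of them sets it."""
    for policy in csp.split(","):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers):
    """Classify what framing a browser will actually allow for this response:
    'deny', 'same-origin', 'allowlist' (only the listed origins) or 'none' (anyone).
    Rules from the CSP and X-Frame-Options specifications:
      - Content-Security-Policy-Report-Only never blocks, so it is ignored here.
      - When frame-ancestors is present, browsers that support CSP ignore
        X-Frame-Options, so the directive decides even if the two disagree.
      - X-Frame-Options DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete
        and ignored by current browsers, which leaves the page frameable."""
    sources = _frame_ancestors(headers.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["none"]:
            return "deny"
        if sources == ["self"]:
            return "same-origin"
        return "allowlist"
    xfo = headers.get("x-frame-options", "").strip().lower()
    return {"deny": "deny", "sameorigin": "same-origin"}.get(xfo, "none")


def diagnose_clickjacking(headers):
    """The findings reported in Incident 3, as a list of strings (empty when clean)."""
    findings = []
    if "x-frame-options" not in headers:
        findings.append("X-Frame-Options absent")
    if _frame_ancestors(headers.get("content-security-policy", "")) is None:
        findings.append("CSP without frame-ancestors")
    if framing_protection(headers) == "none":
        findings.append("page can be framed by any origin")
    return findings


def add_frame_ancestors(headers, value="'none'"):
    """Return a copy of headers with frame-ancestors appended to the existing CSP
    (or a new CSP when there is none) plus the matching X-Frame-Options. Existing
    directives are kept, and an existing frame-ancestors directive is left alone."""
    fixed = dict(headers)
    csp = fixed.get("content-security-policy", "").strip().rstrip(";").strip()
    if _frame_ancestors(csp) is None:
        fixed["content-security-policy"] = (
            f"{csp}; frame-ancestors {value}" if csp else f"frame-ancestors {value}"
        )
    xfo = {"'none'": "DENY", "'self'": "SAMEORIGIN"}.get(value)
    if xfo:  # an origin allowlist has no X-Frame-Options equivalent (ALLOW-FROM is dead)
        fixed["x-frame-options"] = xfo
    return fixed


if __name__ == "__main__":
    # Constructed input: the client dashboard of Incident 3, CSP present but no framing control.
    dashboard = {"content-security-policy": "default-src 'self'; script-src 'self'"}
    print(diagnose_clickjacking(dashboard))
    fixed = add_frame_ancestors(dashboard)
    print(fixed, framing_protection(fixed))
```

The check deliberately reads only the enforcing Content-Security-Policy header: a researcher can still frame a page whose only framing rule sits in a Report-Only policy, which is a common reason a "fixed" ticket gets reopened.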
FAQ - Frequently asked questions
Q: What is an HTTP headers analyzer?
A: An HTTP headers analyzer is a tool that inspects the headers returned by a web server during a request. It checks the presence and configuration of security headers like CSP, HSTS or X-Frame-Options. Our analyzer fetches these HTTP headers, evaluates their compliance with OWASP best practices, and assigns a grade from A to F. It is the foundation of a complete and fast website security test.
Q: Which security headers are essential in 2026?
A: The critical headers in 2026 are Content-Security-Policy (CSP) to block unauthorized scripts, Strict-Transport-Security (HSTS) to enforce HTTPS, X-Content-Type-Options to prevent MIME sniffing, X-Frame-Options or frame-ancestors CSP against clickjacking, and Referrer-Policy to limit URL leakage. Permissions-Policy and Cross-Origin-Opener-Policy round out a modern posture. Without these HTTP headers, your site remains exposed to known attacks.
Q: What is the difference between CSP and HSTS?
A: CSP (Content-Security-Policy) controls the allowed sources for loading scripts, styles, images or iframes. It protects against XSS and content injection. HSTS (Strict-Transport-Security) forces the browser to access the site only over HTTPS, preventing downgrade attacks. CSP acts at the page content level, HSTS at the transport level. Both HTTP headers are complementary and essential for a high security score.
Q: How do I add security headers to my site?
A: It depends on your stack:
- Nginx: add_header directives in the server block
- Apache: Header set in .htaccess or the vhost config
- Cloudflare: Transform Rules or Workers
- Next.js: headers() in next.config.js
- Express: helmet middleware
- Laravel: dedicated middleware
After deployment, run the analysis again to confirm the HTTP headers are properly returned.
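Setting the recommended values from one place in the application, as an added Python example: a WSGI middleware, the Python counterpart of the Express or Laravel middleware named above. It is not code from the analyzer nor from any of the frameworks listed. The header values come from the table on this page; the stub application, its /admin route and the nonce are assumptions.

```python
# Recommended values from the table on this page, one entry per enforcing header.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and add every header from SECURITY_HEADERS that the app did
    not set itself, so a route-specific CSP (one carrying a nonce, say) still wins.
    HSTS is only sent on HTTPS responses: browsers ignore it on plain HTTP anyway."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            response_headers = list(response_headers)  # do not mutate the app's list
            present = {name.lower() for name, _ in response_headers}
            https = environ.get("wsgi.url_scheme") == "https"
            for name, value in self.headers.items():
                if name.lower() in present:
                    continue
                if name == "Strict-Transport-Security" and not https:
                    continue
                response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, patched_start_response)


def hello_app(environ, start_response):
    """Constructed stub application; the /admin route sets its own nonce-based CSP."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if environ.get("PATH_INFO") == "/admin":
        headers.append(("Content-Security-Policy",
                        "default-src 'self'; script-src 'nonce-d3adb33f'; frame-ancestors 'none'"))
    start_response("200 OK", headers)
    return [b"<h1>hello</h1>"]


def run_request(app, path="/", scheme="https"):
    """Invoke a WSGI app directly, without a server, and return
    (status, lowercase header dict, body). Stands in for 'deploy, then re-run the analyzer'."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {n.lower(): v for n, v in headers}

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = SecurityHeadersMiddleware(hello_app)

if __name__ == "__main__":
    print(run_request(app, "/"))
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Two caveats before copying the value set into production. Behind a TLS-terminating proxy, wsgi.url_scheme is usually "http" unless something maps X-Forwarded-Proto into it, so HSTS would silently never be sent; check with the analyzer after deployment rather than assuming. And Cross-Origin-Embedder-Policy: require-corp blocks every cross-origin image, script or font that does not itself send CORP or CORS headers, so stage it before turning it on.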
Q: Are missing security headers a vulnerability?
A: Missing headers are not a direct vulnerability, but they remove layers of defense. Without CSP, an XSS flaw becomes fully exploitable. Without HSTS, the user remains vulnerable to sslstrip on a hostile network. Without X-Frame-Options, your site can be framed for clickjacking. PCI DSS, ISO 27001 and SOC 2 auditors consider these HTTP headers as expected security controls.
Q: Is this website security test tool free?
A: Yes, our HTTP headers analyzer is entirely free, with no registration or usage limit. Run as many website security tests as you need, on any public URL. The results include the A to F grade, the detail of each analyzed header and configuration recommendations. No data is retained beyond the time required to compute the score.
Complementary tools
| Tool | Purpose |
|---|---|
| Complete on-page audit | Analyze the HTML, SEO tags and resources of a page |
| HSTS test | Check the Strict-Transport-Security header and preload list eligibility |
| Redirect analysis | Follow the HTTP redirect chain and detect loops |
| Phishing detection | Check if a URL is flagged as phishing |
| DNSSEC validation | Confirm the cryptographic signature of your DNS zone |
| MTA-STS compliance | Check the MTA-STS policy published for your domain |
| Uptime monitoring | Monitor the availability of your HTTP endpoints across regions |
Useful resources
- MDN - HTTP security headers (full Mozilla reference)
- OWASP Secure Headers Project (OWASP recommendations)
- RFC 6797 - HTTP Strict Transport Security (HSTS specification)
- MDN - X-Frame-Options (X-Frame-Options documentation)
- Content-Security-Policy Reference (CSP reference with examples)