HTTP Header Analyzer
Analyze security headers, CORS policies, caching, and performance configurations.
What It Analyzes
- Security Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- CORS: Access-Control-Allow-Origin and related headers
- Caching: Cache-Control, ETag, Expires, Last-Modified
- Performance: Compression, Keep-Alive, CDN headers
- Server Info: Server software, powered-by headers (potential security risk)
Quick Start
- Go to Header Analyzer
- Enter URL to analyze
- View security score (A-F rating)
- Review missing/misconfigured headers
- Export report for devops team
Security Headers Explained
Critical Security Headers
| Header | Purpose | Example Value |
|---|---|---|
| Strict-Transport-Security | Force HTTPS | max-age=31536000; includeSubDomains |
| Content-Security-Policy | Prevent XSS | default-src 'self'; script-src 'self' cdn.example.com |
| X-Frame-Options | Prevent clickjacking | DENY or SAMEORIGIN |
| X-Content-Type-Options | Prevent MIME sniffing | nosniff |
| Permissions-Policy | Control browser features | geolocation=(), microphone=() |
Security Scores
- A (90-100): All critical headers present + properly configured
- B (80-89): Missing 1-2 non-critical headers
- C (70-79): Missing HSTS or CSP
- D (60-69): Multiple security headers missing
- F (< 60): No security headers — vulnerable to attacks
Common Issues & Fixes
1. Missing HSTS
Risk: Users can be downgraded to HTTP (MITM attacks)
Fix: Add to server config:
# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
2. No Content Security Policy
Risk: XSS attacks can inject malicious scripts
Fix (Basic):
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
⚠️ Remove 'unsafe-inline' in production. Use nonces or hashes instead.
3. Server Header Exposure
Risk: Reveals server software version (helps attackers)
Example: Server: Apache/2.4.41 (Ubuntu)
Fix: Hide or genericize:
# Apache
ServerTokens Prod
ServerSignature Off
# Nginx
server_tokens off;
CORS Analysis
Checks for:
- Access-Control-Allow-Origin: * (too permissive — security risk)
- Missing preflight response headers
- Credential handling (Access-Control-Allow-Credentials)
- Exposed headers configuration
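The checks behind the Security Scores rubric and the CORS Analysis section, written out as an added Python example (not the analyzer's own code): it grades a constructed set of response headers, looks for the misconfigurations listed above, and maps the score to the A-F bands. The point weights are an assumption chosen to reproduce the rubric, not the tool's real weights.

```python
import re

ONE_YEAR = 31536000  # seconds; the recommended minimum HSTS max-age

# Constructed sample response, not captured from a real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

def analyze_headers(headers):
    """Return (score, grade, findings) for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings, score = [], 100

    def fail(points, msg):
        nonlocal score
        score -= points  # assumed weights: 25 for a missing critical header, 10/5 otherwise
        findings.append(msg)

    hsts = h.get("strict-transport-security")
    if hsts is None:
        fail(25, "Missing HSTS: users can be downgraded to HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            fail(10, "HSTS max-age is below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        fail(25, "Missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        fail(10, "CSP allows 'unsafe-inline' or 'unsafe-eval'")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        fail(10, "Missing or weak X-Frame-Options")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        fail(10, "Missing X-Content-Type-Options: nosniff")
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        fail(10, "CORS: wildcard origin combined with Allow-Credentials")
    if re.search(r"/\d", h.get("server", "")):  # e.g. Apache/2.4.41 exposes a version
        fail(5, "Server header exposes software version")

    grade = "A" if score >= 90 else "B" if score >= 80 else "C" if score >= 70 else "D" if score >= 60 else "F"
    return score, grade, findings
```

Running it on SAMPLE_HEADERS yields an F with five findings; the same dict with a one-year HSTS, a CSP without 'unsafe-inline', X-Frame-Options: DENY, a bare Server value and no wildcard CORS scores 100 (A).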
Caching Headers
Optimal caching improves performance. The analyzer checks:
- Cache-Control: public vs private, max-age values
- ETag: Validates cached resources
- Expires: HTTP/1.0 compatibility (legacy)
- Recommendations: Static assets (images, CSS, JS) should have long max-age (31536000 = 1 year)
Best Practices
- ✅ Enable HSTS with at least 1-year max-age
- ✅ Always set X-Content-Type-Options: nosniff
- ✅ Use CSP in report-only mode first, then enforce
- ✅ Set X-Frame-Options: DENY unless you need iframe embedding
- ✅ Remove server version info (reduces attack surface)
- ❌ Don't use 'unsafe-inline' or 'unsafe-eval' in CSP (defeats purpose)
- ❌ Don't set CORS to * on APIs with authentication
- ❌ Don't expose sensitive info in custom headers