HTTP Security Headers Analyzer
Paste a raw HTTP response header block to grade your security headers offline. You get a score, a letter grade, and per-header findings with severity and concrete fixes you can copy into your server config.
How to analyze security headers
- Grab the response headers with your browser dev tools or `curl -I https://example.com`.
- Paste the raw header block into the box (the HTTP status line is fine to include).
- Read the grade and work through each finding, applying the recommended header values.
Examples
A strong response
HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
Grade A+ (score 100). All core headers present and strong.
Frequently asked questions
Are my headers sent to a server?
No. Parsing, scoring and grading all happen locally in your browser. Nothing you paste is uploaded or logged, so it is safe to use on internal or production responses.
How does the grading work?
Every response starts at 100. Each missing or weak header subtracts points by severity (high 20, medium 10, low 5). The total maps to a letter grade from A+ down to F.
Which headers matter most?
Strict-Transport-Security and Content-Security-Policy carry the most weight: HSTS blocks protocol downgrades and CSP mitigates cross-site scripting. X-Frame-Options and X-Content-Type-Options come next, followed by Referrer-Policy and Permissions-Policy.
Why is my CSP marked weak?
A policy that allows 'unsafe-inline' or 'unsafe-eval' largely defeats its own XSS protection. Replace them with nonces or hashes. For a deeper audit, use the CSP Analyzer tool.
Where do I get the raw headers?
Run `curl -I` against the URL, or open your browser dev tools, pick the document request on the Network tab, and copy the response headers.
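The grading rules described in the FAQ above (start at 100, deduct by severity, weak CSP on 'unsafe-inline' or 'unsafe-eval', header priority order), worked through as an added example that is not the tool's own code. Which header carries which severity, the per-header "weak" tests (such as treating an HSTS max-age under one year as weak) and the letter-grade cut-offs are my assumptions, since the page does not publish them; the sample responses are constructed.

```javascript
// Added example, not the tool's own code. Deductions follow the FAQ (start at 100;
// high 20, medium 10, low 5). Assumed: per-header severities, "weak" tests, cut-offs.

// Parse "Name: value" lines into a lowercase-keyed map. The status line has no
// colon and is skipped; repeated headers are joined with a comma.
function parseHeaders(raw) {
  const headers = Object.create(null);
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase(), value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

const DEDUCTION = { high: 20, medium: 10, low: 5 };
const CHECKS = [ // weak(value) is true when the header is present but ineffective
  { name: 'strict-transport-security', severity: 'high', fix: 'max-age=63072000; includeSubDomains; preload',
    weak: v => Number((v.match(/max-age=(\d+)/i) || [0, 0])[1]) < 31536000 }, // assumed: under one year
  { name: 'content-security-policy', severity: 'high', fix: "default-src 'self'; frame-ancestors 'none'",
    weak: v => /'unsafe-(inline|eval)'/i.test(v) },
  { name: 'x-content-type-options', severity: 'medium', fix: 'nosniff', weak: v => !/^nosniff$/i.test(v) },
  { name: 'x-frame-options', severity: 'medium', fix: 'DENY', weak: v => !/^(DENY|SAMEORIGIN)$/i.test(v) },
  { name: 'referrer-policy', severity: 'low', fix: 'strict-origin-when-cross-origin', weak: v => /unsafe-url/i.test(v) },
  { name: 'permissions-policy', severity: 'low', fix: 'camera=(), microphone=(), geolocation=()', weak: () => false },
];

function letterGrade(score) { // assumed cut-offs; the tool does not publish its own
  for (const [min, letter] of [[100, 'A+'], [90, 'A'], [80, 'B'], [70, 'C'], [60, 'D']]) if (score >= min) return letter;
  return 'F';
}

// Score a raw header block: each missing or weak header deducts by its severity.
function gradeHeaders(raw) {
  const headers = parseHeaders(raw), findings = [];
  let score = 100;
  for (const c of CHECKS) {
    const value = headers[c.name];
    const problem = value === undefined ? 'missing' : c.weak(value) ? 'weak' : null;
    if (!problem) continue;
    score -= DEDUCTION[c.severity];
    findings.push({ header: c.name, problem, severity: c.severity, fix: `${c.name}: ${c.fix}` });
  }
  score = Math.max(score, 0);
  return { score, grade: letterGrade(score), findings };
}

// Constructed sample responses (not captured from any real site).
const STRONG = ['HTTP/2 200', 'strict-transport-security: max-age=63072000; includeSubDomains; preload',
  "content-security-policy: default-src 'self'; frame-ancestors 'none'", 'x-content-type-options: nosniff',
  'x-frame-options: DENY', 'referrer-policy: strict-origin-when-cross-origin', 'permissions-policy: camera=()'].join('\n');
const WEAK = ['HTTP/1.1 200 OK', 'Strict-Transport-Security: max-age=300',
  "Content-Security-Policy: default-src * 'unsafe-inline'", 'X-Content-Type-Options: nosniff'].join('\r\n');
```

`gradeHeaders(WEAK).findings` lists each deduction with the header value to copy into the server config, so the same output feeds a CI gate that fails a build below a chosen grade.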
Related tools
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.
CVSS Calculator
Calculate a CVSS v3.1 base score and severity from the eight base metrics. Build the vector string and see how each choice moves the score, in your browser.
Hash Identifier
Identify the likely hash algorithm of a string by its length, character set and prefix. Detects MD5, SHA, bcrypt and more. Runs in your browser.
JWT Decoder
Decode a JSON Web Token to read its header and payload claims. Shows exp, iat and nbf as dates. Runs in your browser. No signature check.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
HMAC Generator
Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384 or SHA-512. Verify webhook and API signatures, with hex or base64 output.