HTTP Security Headers Analyzer
Analyze HTTP security headers for any public URL. Graded A+ to F.
Analyze HTTP security headers including CSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Identify missing protections, weak policies, and misconfigurations instantly.
About HTTP Security Headers
What are HTTP security headers?
HTTP security headers are server response directives that tell browsers how to handle a page’s content. Key headers include Content Security Policy (CSP) for XSS prevention, HTTP Strict Transport Security (HSTS) for HTTPS enforcement, X-Frame-Options for clickjacking protection, Referrer-Policy for data-sharing control, X-Content-Type-Options for MIME sniffing prevention, and Permissions-Policy for browser feature restrictions. Missing or misconfigured headers are a common, easily exploited attack surface.
What is Content Security Policy (CSP)?
CSP controls which scripts, styles, and resources a browser may load for a given page. A strict CSP blocks inline scripts and unauthorized external resources — the primary vector for cross-site scripting (XSS) attacks. A missing CSP, or one using unsafe-inline or wildcard sources (*), provides no meaningful XSS protection. ShieldScope grades CSP based on presence, directive structure, and known weak configurations.
What is HSTS and what does it protect against?
HTTP Strict Transport Security (HSTS) tells browsers to only connect to a site over HTTPS for a specified period (max-age). Without HSTS, an attacker on the network can intercept the initial HTTP connection before a redirect to HTTPS occurs — an SSL strip attack. A correctly configured HSTS header with a long max-age, includeSubDomains, and optionally preload closes this attack class entirely.
What does X-Frame-Options do?
X-Frame-Options prevents a page from being embedded in an <iframe> on another site. Without it, attackers can overlay invisible frames over a legitimate page to capture clicks or credentials — a clickjacking attack. The recommended value is DENY or SAMEORIGIN. Modern browsers also support CSP’s frame-ancestors directive as a more flexible alternative.
How does ShieldScope analyze security headers?
ShieldScope sends a passive HTTP request to the target domain and reads the response headers — no active probing, no content injection, no crawling beyond the initial response. Each security header is evaluated against current best-practice values and graded individually. The overall grade reflects coverage and policy strength across all checked headers. Submitted targets are not stored.