webFast

Headers

HTTP Security Headers Analysis

"Checks every security header against best practices — CSP, HSTS, X-Frame-Options, and more."

What it does

HTTP security headers are the browser's first line of defense against attacks such as clickjacking, cross-site scripting (XSS), and protocol downgrade. They are also among the most commonly misconfigured and overlooked security controls. Without a Content-Security-Policy header, the browser has no policy that blocks injected scripts. Without X-Frame-Options (or a CSP frame-ancestors directive), the page can be framed by another site for clickjacking. Without HSTS, an attacker on the network path can keep a victim on plain HTTP.

The headers tool fetches each target and grades every security header against OWASP and industry best practices. Missing headers, misconfigured values, and dangerous settings all become findings with clear severity ratings.

Example findings
  • HIGH: Content-Security-Policy Missing — XSS Risk (headers)
  • HIGH: X-Frame-Options Missing — Clickjacking Possible (headers)
  • MEDIUM: Strict-Transport-Security Missing — HTTP Downgrade Risk (headers)
  • LOW: X-Powered-By: PHP/7.4.33 Leaking Version (headers)
What it finds
  • Missing Content-Security-Policy (CSP)
  • Missing or misconfigured Strict-Transport-Security (HSTS)
  • Missing X-Frame-Options (clickjacking protection)
  • Missing X-Content-Type-Options
  • Missing Referrer-Policy
  • Missing Permissions-Policy
  • Server header exposing software version
  • X-Powered-By header leaking technology stack
  • Overly permissive CORS headers
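The checks in the list above, and the grading described under "What it does", can be expressed as a small header grader. The following is an added example written for this page; it is not webFast's own code and does not reproduce its exact rules or severities. The `grade_headers` function, the severity labels, the one-year HSTS threshold (the common OWASP recommendation) and the two sample header sets are all assumptions constructed for the demonstration.

```python
"""Grade a set of HTTP response headers against common best practices.

Hypothetical example: the rules and severities below approximate the checks
a header-analysis tool performs; they are not webFast's implementation.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, title)

ONE_YEAR = 31536000  # assumption: minimum recommended HSTS max-age in seconds


def _parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def grade_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return (severity, title) findings for missing or weak security headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Finding] = []

    # Content-Security-Policy: missing, or present but weakened.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("HIGH", "Content-Security-Policy Missing - XSS Risk"))
        directives: Dict[str, List[str]] = {}
    else:
        directives = _parse_csp(csp)
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(("MEDIUM", "Content-Security-Policy Allows Inline or Wildcard Scripts"))
        if "default-src" not in directives:
            findings.append(("LOW", "Content-Security-Policy Has No default-src Fallback"))

    # Strict-Transport-Security: missing, too short, or not covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("MEDIUM", "Strict-Transport-Security Missing - HTTP Downgrade Risk"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if int(m.group(1)) < ONE_YEAR if m else True:
            findings.append(("LOW", "Strict-Transport-Security max-age Below One Year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("LOW", "Strict-Transport-Security Lacks includeSubDomains"))

    # Clickjacking: X-Frame-Options, or the modern CSP frame-ancestors equivalent.
    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append(("HIGH", "X-Frame-Options Missing - Clickjacking Possible"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("LOW", "X-Content-Type-Options Missing or Not nosniff"))
    if "referrer-policy" not in h:
        findings.append(("LOW", "Referrer-Policy Missing"))
    if "permissions-policy" not in h:
        findings.append(("LOW", "Permissions-Policy Missing"))

    # Information leakage: version numbers and technology stack.
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(("LOW", f"Server: {server} Leaking Version"))
    if "x-powered-by" in h:
        findings.append(("LOW", f"X-Powered-By: {h['x-powered-by']} Leaking Technology Stack"))

    # CORS: a wildcard or null origin exposes the response to any site.
    acao = h.get("access-control-allow-origin", "").strip().lower()
    if acao in ("*", "null"):
        findings.append(("MEDIUM", "Overly Permissive CORS: Access-Control-Allow-Origin " + acao))

    return findings


# Constructed sample responses (not captured from any real host).
SAMPLE_WEAK = {
    "Server": "Apache/2.4.41",
    "X-Powered-By": "PHP/7.4.33",
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
}
SAMPLE_HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Server": "nginx",
}

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name}: {len(grade_headers(sample))} finding(s)")
        for severity, title in grade_headers(sample):
            print(f"  {severity:<6} {title}")
```

Feed the function the headers of a real response (for example `dict(requests.get(url).headers)`) to grade a live target; the hardened sample yields no findings, while the weak one reproduces the missing-header and version-leak findings shown above.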