HTTP Security Headers Checker

Paste raw response headers or curl -I output to review common security headers locally, including CSP, HSTS, and COOP.

Paste mode only. Header analysis runs locally, so private staging and localhost responses stay on your device.

Paste raw response headers or curl -I output. If redirects are included, the last response block is scored.
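The rule that only the last response block counts when redirects are pasted, shown as an added example that is not the checker's own code. The function names and the sample are constructed for illustration, and it reports only whether the three headers named above are present, since the tool's actual scoring is not described on this page.

```javascript
// Added example, not the checker's own code; all names are hypothetical.
const CHECKED = ['content-security-policy', 'strict-transport-security',
  'cross-origin-opener-policy'];

// Split pasted `curl -I` output into response blocks; a status line starts a block.
function splitResponses(pasted) {
  const blocks = [];
  for (const raw of pasted.split(/\r?\n/)) {
    const line = raw.trimEnd();
    if (/^HTTP\/\d(\.\d)?\s+\d{3}/.test(line)) {
      blocks.push({ status: Number(line.split(/\s+/)[1]), headers: new Map() });
      continue;
    }
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // blank separator, pseudo-header, or stray text
    // Headers pasted without a status line still form a single block.
    if (blocks.length === 0) blocks.push({ status: null, headers: new Map() });
    const name = line.slice(0, idx).trim().toLowerCase(); // names are case-insensitive
    const value = line.slice(idx + 1).trim();
    const headers = blocks[blocks.length - 1].headers;
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + value : value);
  }
  return blocks;
}

// Review the last block only: headers sent on an earlier redirect hop
// say nothing about the response the browser finally renders.
function reviewLast(pasted) {
  const blocks = splitResponses(pasted);
  if (blocks.length === 0) return null;
  const last = blocks[blocks.length - 1];
  const missing = CHECKED.filter((h) => !last.headers.has(h));
  return { status: last.status, responses: blocks.length, missing };
}

// Constructed sample: HSTS appears on the 301 hop but not on the final 200.
const SAMPLE = [
  'HTTP/1.1 301 Moved Permanently',
  'Location: https://staging.example.test/',
  'Strict-Transport-Security: max-age=31536000',
  '',
  'HTTP/2 200',
  'content-type: text/html',
  "content-security-policy: default-src 'self'",
  '',
].join('\n');

console.log(reviewLast(SAMPLE));
```

In the sample, HSTS is flagged as missing even though the redirect hop sent it, because only the final response is reviewed.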

Frequently Asked Questions

Can I paste localhost or staging headers?

Yes. This tool is built for paste mode, so you can review headers from localhost, internal staging, or any private environment without exposing the URL.

Why not fetch the URL directly?

Fetching a URL would fail for many private environments and could leak internal endpoints. Paste mode keeps the workflow private and works anywhere curl or browser devtools can copy headers.

Does a high score guarantee security?

No. The checker highlights common response headers and common misconfigurations, but it is not a full application security audit.