All tools

Security Headers Auditor and CSP Checker

Check a public URL for CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, CORS, and cross-origin isolation headers.

security headerscsphstsx-frame-optionsreferrer-policypermissions-policycorsheadersseollm

Privacy note: this tool uses a server request for public network checks; do not enter private URLs. How privacy works

Public URL

Audits public HTTP response headers only. Private, local, and reserved hosts are blocked before the server request is made.

Security audit

Audit grade, findings, and recommended headers will appear here.

Security Headers Auditor use cases

  • Audit a production or staging public URL before launch.
  • Check whether a site has a baseline CSP, HSTS, clickjacking, and MIME-sniffing posture.
  • Create a copyable remediation report for developers or clients.
  • Compare security header changes after a framework, CDN, or proxy update.

How Security Headers Auditor works

  • The API fetches the public URL and follows safe public redirects.
  • Private, local, reserved, and credentialed URLs are blocked before the request.
  • Response headers are graded against a practical hardening checklist.
  • The report explains missing, weak, deprecated, or overly broad headers.

Security Headers Auditor mistakes to avoid

  • A report-only CSP does not enforce browser restrictions.
  • HSTS without includeSubDomains may leave subdomains outside the policy.
  • X-Frame-Options does not replace a well-scoped CSP frame-ancestors directive.
  • CORS wildcard policies are often too broad for credentialed endpoints.

Security Headers Auditor platform fix examples

Nginx baseline security headers

Add headers at the server or location level, then re-run the auditor against the public URL.

Example

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;

Caddy header block

Use a site-level header block for a simple static or reverse-proxied app.

Example

header {
  Strict-Transport-Security "max-age=31536000; includeSubDomains"
  X-Content-Type-Options "nosniff"
  Referrer-Policy "strict-origin-when-cross-origin"
  Permissions-Policy "camera=(), microphone=(), geolocation=()"
  Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
}

Express with Helmet

Helmet gives Express apps a maintained starting point; tune CSP directives for your assets and integrations.

Example

import helmet from "helmet";

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        objectSrc: ["'none'"],
        baseUri: ["'self'"],
        frameAncestors: ["'none'"],
      },
    },
    hsts: { maxAge: 31536000, includeSubDomains: true },
    referrerPolicy: { policy: "strict-origin-when-cross-origin" },
  }),
);

Spring Security headers

Use Spring Security header writers, then add an app-specific CSP that matches your frontend.

Example

http.headers((headers) -> headers
  .httpStrictTransportSecurity((hsts) -> hsts
    .includeSubDomains(true)
    .maxAgeInSeconds(31536000))
  .contentTypeOptions(Customizer.withDefaults())
  .referrerPolicy((policy) -> policy
    .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
  .contentSecurityPolicy((csp) -> csp
    .policyDirectives("default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'")));

Go net/http middleware

Set headers before calling the next handler so every response path gets the same baseline.

Example

func securityHeaders(next http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
    w.Header().Set("X-Content-Type-Options", "nosniff")
    w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
    w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
    w.Header().Set("Content-Security-Policy", "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'")
    next.ServeHTTP(w, r)
  })
}

Security Headers Auditor privacy and processing

Public URLs onlyPrivate hosts blockedNo account

This is a server-assisted public URL check. LocalTools sends only the public URL to its API, blocks private and reserved hosts, and reads response headers from the public site.

How LocalTools handles local and server-assisted tools

Security Headers Auditor related workflows

Security Headers Auditor FAQ

Does the Security Headers Auditor upload private data?

No page content, credentials, tokens, or files are uploaded. The server-assisted audit receives only the public URL entered and fetches its public response headers.

Can this replace a penetration test?

No. It checks HTTP response header posture only. Use it as a fast hardening checklist alongside application testing, TLS checks, dependency review, and manual security review.

Why can a site with headers still receive warnings?

Some headers are present but weak, overly broad, deprecated, report-only, or missing important directives such as CSP frame-ancestors, object-src, base-uri, or HSTS includeSubDomains.

Related Security Headers Auditor tools

View category