HTTP Header Checker: Audit and Score Security Headers
Security headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options protect your website and visitors from attacks. The problem: many websites either don’t set these headers or configure them poorly – and a header with a weak configuration is barely better than none at all.
This tool checks up to 15 URLs at once, scores each security header with a quality rating instead of a simple “present/missing” check, and uncovers information leaks where your server reveals sensitive details like the software it runs.
Bulk HTTP Header Checker
Check HTTP headers and security score for multiple URLs.
Enter up to 15 URLs. Processing is sequential.
Security Headers Guide
Security headers protect your website from common attacks. Here are the most important headers:
Content-Security-Policy (20 points)
Prevents XSS and other code injection attacks by controlling which resources can be loaded.
Strict-Transport-Security (20 points)
Forces browsers to use HTTPS connections only.
X-Content-Type-Options (15 points)
Prevents MIME type sniffing attacks.
X-Frame-Options (15 points)
Prevents clickjacking attacks.
How the HTTP Header Checker Works
- Enter URLs: Enter up to 15 URLs, one per line. The tool analyzes each URL individually and displays results sequentially.
- Track progress: A progress bar shows the check status in real time.
- Read the overall score: Each URL receives a security score from 0 to 100 points, composed of individual header ratings.
- Analyze header details: For each header, you’ll see the received value, the score, the quality rating, and specific recommendations for improvement.
- Check information leaks: A separate section shows headers that unintentionally reveal information – such as server software, programming language, or CMS version.
How Is the Score Calculated?
Unlike many tools, the Header Checker does not award points for mere presence. Instead, each header is rated based on its actual configuration:
- Content-Security-Policy (20 points): Deductions for unsafe-inline, unsafe-eval, wildcard sources, and missing directives. A wildcard CSP scores 0 points.
- Strict-Transport-Security (20 points): Scores based on max-age (at least 31,536,000 recommended), includeSubDomains, and preload.
- X-Content-Type-Options (15 points): Full score only with the correct nosniff value.
- X-Frame-Options (15 points): Full score for DENY or SAMEORIGIN.
- Referrer-Policy (10 points): Rated by the privacy level of the chosen policy.
- Permissions-Policy (10 points): Checks whether sensitive browser APIs are restricted.
- COOP, COEP, CORP (5 points each): Modern isolation headers for enhanced protection.
- Information leaks (up to -10 points): Each disclosed header (Server, X-Powered-By, etc.) costs points.
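As an added example (not the tool's own code), the quality-based scoring described above implemented in Python for the four heaviest headers plus the information-leak penalty, which together account for 70 of the 100 points. The page gives only the per-header maxima, so the individual deduction sizes (7 points per CSP finding, a 12/4/4 split for HSTS, 2 points per leaked header) are assumptions.

```python
"""Quality-based header scorer following this article's rules: example code, not the tool's
own. The per-header maxima come from the page; the individual deduction sizes are assumed."""
import re

HSTS_MIN_AGE = 31_536_000  # one year, the minimum max-age the article recommends
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "x-drupal-cache", "via")

def score_csp(value):
    """Max 20. A bare wildcard source scores 0; each unsafe keyword or missing directive costs 7 (assumed)."""
    if not value:
        return 0, ["missing"]
    v = value.lower()
    if re.search(r"(^|\s)\*(\s|;|$)", v):  # a bare "*" source, e.g. "default-src *"
        return 0, ["wildcard source"]
    directives = {d.split()[0] for d in v.split(";") if d.strip()}
    notes = [kw for kw in ("unsafe-inline", "unsafe-eval") if f"'{kw}'" in v]
    notes += [f"missing {d}" for d in ("default-src", "script-src") if d not in directives]
    return max(20 - 7 * len(notes), 0), notes

def score_hsts(value):
    """Max 20: 12 for max-age of at least one year, 4 for includeSubDomains, 4 for preload (split assumed)."""
    v = (value or "").lower()
    m = re.search(r"max-age=(\d+)", v)
    age = int(m.group(1)) if m else 0
    checks = [(12, age >= HSTS_MIN_AGE, f"max-age {age} below one year"),
              (4, "includesubdomains" in v, "no includeSubDomains"),
              (4, "preload" in v, "no preload")]
    return sum(p for p, ok, _ in checks if ok), [n for _, ok, n in checks if not ok]

def score_headers(headers):
    """Return (total, {header: (points, findings)}, leaked header names) for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    framing = h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")
    details = {
        "Content-Security-Policy": score_csp(h.get("content-security-policy")),
        "Strict-Transport-Security": score_hsts(h.get("strict-transport-security")),
        "X-Content-Type-Options": (15, []) if nosniff else (0, ["expected nosniff"]),
        "X-Frame-Options": (15, []) if framing else (0, ["expected DENY or SAMEORIGIN"]),
    }
    leaks = [k for k in LEAKY_HEADERS if k in h]
    penalty = min(10, 2 * len(leaks))  # assumed 2 points per leaked header, capped at -10
    total = sum(p for p, _ in details.values()) - penalty
    return max(total, 0), details, leaks

# Constructed sample response, not captured from a real site: weak CSP, short HSTS, two leaks
WEAK = {"Server": "Apache/2.4.54", "X-Powered-By": "PHP/8.1", "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=3600"}
```

Calling score_headers(WEAK) yields 17 of 70: the CSP keeps only 6 points, the one-hour HSTS scores 0, and the two leaked headers cost 4.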
Changelog
- Implemented quality-based scoring – instead of “header present = full score,” the actual configuration is now analyzed
- Integrated CSP linter: detects and penalizes unsafe-inline, unsafe-eval, wildcard sources, and missing directives
- HSTS scoring based on max-age, includeSubDomains, and preload status
- Added information leak detection: Server, X-Powered-By, X-AspNet-Version, X-Generator, X-Drupal-Cache, Via
- Added modern security headers COOP, COEP, and CORP to the scorecard
- Feature-Policy deprecation warning (advising migration to Permissions-Policy)
Background: Why HTTP Security Headers Are Essential
HTTP security headers are your website’s first line of defense against common attack types. They’re sent by the server as part of the HTTP response and instruct the browser to activate specific protection measures.
Key Threats
- Cross-Site Scripting (XSS): Attackers inject malicious JavaScript. The Content-Security-Policy prevents execution of unknown scripts.
- Clickjacking: Your page is invisibly embedded in an iframe, and users click on hidden elements. X-Frame-Options and CSP frame-ancestors protect against this.
- Man-in-the-Middle: Without HSTS, an attacker can downgrade the connection to HTTP. Strict-Transport-Security enforces HTTPS.
- Information leaks: Server headers that reveal software versions make it easier for attackers to target known vulnerabilities.
What Should You Do With the Results?
- Add missing headers: Most security headers can be set via your web server configuration (Apache: .htaccess, Nginx: nginx.conf) or through a WordPress security plugin.
- Improve weak configurations: If a header is present but scores low, check the specific recommendations. A CSP without script-src is barely more effective than no CSP at all.
- Eliminate information leaks: Remove headers like Server and X-Powered-By from the server response or replace the values with generic entries.
- Take a gradual approach: Start with HSTS and X-Content-Type-Options (simple and low-risk) before implementing a restrictive CSP (effective but can break your site if misconfigured).
Frequently Asked Questions
What is a good security score?
A score of 70+ indicates a solid security baseline. At 85+, your website is well protected. 100 points is possible but requires a very restrictive configuration that isn’t practical for every website.
Why do I get a low score despite having a CSP?
This tool evaluates the quality of your CSP, not just its presence. A CSP with unsafe-inline or wildcard sources (*) provides little protection and therefore receives few points. Remove unsafe directives and use nonce- or hash-based policies instead.
What does “information leak” mean?
Server headers like Server: Apache/2.4.54 or X-Powered-By: PHP/8.1 reveal the exact software version of your server to attackers, who can then search specifically for known vulnerabilities in that version.
Can I set headers through WordPress?
Yes. There are several ways: through security plugins (e.g., Headers Security Advanced), via the .htaccess file (Apache), or through server configuration. The easiest solution for WordPress users is a security plugin.
Why is X-XSS-Protection rated so low?
The X-XSS-Protection header is deprecated. Modern browsers no longer support it because the built-in XSS filter itself had security vulnerabilities. The Content-Security-Policy is the recommended successor.
What’s the difference between Feature-Policy and Permissions-Policy?
Feature-Policy is the deprecated predecessor of Permissions-Policy. Both control which browser APIs (camera, microphone, geolocation) a page may use. If the tool detects a Feature-Policy, it displays a notice to switch to the modern Permissions-Policy.