Security Header Analyzer

Paste response headers to check common security header best practices.

Format: "Header-Name: value", one per line.

Findings

Permissions-Policy [WARN]: Missing Permissions-Policy to limit powerful browser features.
X-Frame-Options [WARN]: Protect against clickjacking with frame-ancestors (CSP) or X-Frame-Options: DENY/SAMEORIGIN.

Tip: set HSTS only after confirming HTTPS everywhere. Prefer CSP frame-ancestors over X-Frame-Options.