What is Content-Security-Policy (CSP)?

Content-Security-Policy (CSP) is an HTTP header that restricts which scripts, styles, images, and iframes may load on a page. It is the primary defence against XSS attacks. A good CSP uses directives like default-src 'self'; script-src 'self' and avoids 'unsafe-inline', which would allow arbitrary inline scripts and largely defeat the protection.

What does X-Frame-Options do?

X-Frame-Options prevents your web pages from being embedded in an iframe on another domain, blocking clickjacking attacks. DENY blocks all framing; SAMEORIGIN allows framing only from the same origin. Modern sites can also use the CSP frame-ancestors directive for more granular control.

How is the HTTP header security score calculated?

The score checks 8 critical security headers. CSP and HSTS carry 15 points each; X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, and CORP each carry 10 points. Bonus points are awarded for best-practice values like includeSubDomains on HSTS or a CSP without unsafe-inline. Scores map to grades: A+ (95+), A (85+), B (70+), C (50+), D (30+), F (below 30).

What is Referrer-Policy and why does it matter?

Referrer-Policy controls how much URL information is sent when users navigate to other sites. Without it, full URLs including paths and query strings are leaked to third parties. The recommended value strict-origin-when-cross-origin sends only the origin for cross-origin requests and nothing on HTTPS-to-HTTP downgrades.

HTTP Header Checker - Inspect Response Headers

Method:

Try an example:

Connecting to server…

Reading response headers…

Analyzing security posture…

Computing security score…

Enter a URL above and click Check Headers to analyze HTTP response headers.

Checks: CSP · HSTS · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · COOP · CORP · Cookie Flags

About This HTTP Header Checker

What This Tool Checks

IndexCraft's HTTP Header Checker fetches and displays all HTTP response headers for any URL, then runs a full security audit across 8 critical headers:

Content-Security-Policy (CSP) — XSS protection via resource source whitelisting
Strict-Transport-Security (HSTS) — enforces HTTPS and prevents protocol downgrade attacks
X-Frame-Options — blocks clickjacking via iframe embedding restrictions
X-Content-Type-Options — prevents MIME-sniffing by enforcing declared Content-Type
Referrer-Policy — controls URL leakage to third-party sites
Permissions-Policy — restricts camera, microphone, and geolocation API access
Cross-Origin-Opener-Policy (COOP) — isolates browsing context from cross-origin openers
Cross-Origin-Resource-Policy (CORP) — prevents cross-origin loading of your resources
Cookie flags — audits Set-Cookie for Secure, HttpOnly, and SameSite attributes
Server info disclosure — flags Server, X-Powered-By headers that expose your tech stack

How the Security Score Works

CSP and HSTS carry 15 points each; the other six headers carry 10 points each (base total: 90 points). Bonus points (up to 5 per header) reward best-practice values — for example, HSTS with includeSubDomains or a CSP without unsafe-inline . Missing headers show specific recommended values to add.

What the Five Views Show

All Headers — filterable table with info tooltips and copy buttons
Security — pass/fail/warn cards with descriptions and fix recommendations
Raw — syntax-highlighted HTTP response header block
Compare — side-by-side colour-coded diff of two URLs
History — last 10 checks with grades for quick re-inspection

HTTP Security Headers – Quick Reference

Content-Security-Policy

CSP restricts which scripts, styles, images, and iframes may load — the primary XSS defence. A minimal starting policy is default-src 'self' . Avoid 'unsafe-inline' in script-src as it permits arbitrary inline JavaScript and largely defeats CSP's protection against script injection.

Strict-Transport-Security

HSTS forces browsers to always use HTTPS for the max-age duration (seconds). The recommended value is max-age=31536000; includeSubDomains; preload — one year, all subdomains, and eligible for browser preload lists so protection applies even on a user's first-ever visit to the domain.

Referrer-Policy & Permissions-Policy

strict-origin-when-cross-origin sends the full URL only for same-origin requests and just the origin for cross-origin, preventing path and query-string leakage. Permissions-Policy should explicitly deny APIs not in use: camera=(), microphone=(), geolocation=() to limit browser API exposure in embedded content.

COOP, CORP & Cookie Flags

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages accessing your window via window.opener . Cross-Origin-Resource-Policy: same-origin blocks other origins loading your assets, mitigating Spectre attacks. For session cookies always set: Secure (HTTPS only), HttpOnly (no JS access), SameSite=Strict (no cross-site transmission).

HTTP Header Checker – Frequently Asked Questions

HTTP response headers are key-value metadata strings sent by a web server alongside every HTTP response. They tell the browser the content type, caching rules, compression method, and security restrictions like which scripts may run (CSP) and whether HTTPS is mandatory (HSTS). They are invisible to end users but fundamental to web security and performance.

Content-Security-Policy restricts which scripts, styles, images, fonts, and iframes may load on a page. It is the primary defence against XSS attacks. A good policy uses directives like


         default-src 'self'; script-src 'self'

and avoids


         'unsafe-inline'

, which permits arbitrary inline scripts and largely defeats CSP's XSS protection.

HSTS instructs browsers to always use HTTPS for your domain.


         max-age=31536000

enforces this for one year. Adding


         includeSubDomains

extends the protection to all subdomains. HSTS prevents protocol downgrade attacks and cookie hijacking over unencrypted HTTP connections.

X-Frame-Options prevents your pages from being embedded in an iframe on a different domain, blocking clickjacking attacks where attackers overlay invisible frames on legitimate pages to steal clicks. DENY blocks all framing; SAMEORIGIN allows same-origin frames only. The CSP


         frame-ancestors

directive offers more granular control in modern browsers.

The score evaluates 8 headers. CSP and HSTS carry 15 points each; the remaining six headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP) carry 10 points each. Bonus points reward best-practice values like


         includeSubDomains

on HSTS or a CSP without


         unsafe-inline

. Grades: A+ ≥ 95, A ≥ 85, B ≥ 70, C ≥ 50, D ≥ 30, F < 30.

Referrer-Policy controls how much URL information is sent when users navigate to other sites. Without it, full URLs including paths and query strings are leaked to third parties, potentially exposing sensitive data. The recommended value


         strict-origin-when-cross-origin

sends only the origin for cross-origin requests and nothing on HTTPS-to-HTTP downgrades.


         X-Content-Type-Options: nosniff

prevents browsers from guessing (MIME-sniffing) a response's content type. Without it, a browser might execute a file declared as


         text/plain

as JavaScript if it detects script content. This header forces the browser to honour the declared


         Content-Type

strictly, preventing content-injection attacks.