All tools
/ audit · 03

Security

Analysis of HTTP response headers: security, information disclosure, cache, detected technologies.

Scan

// Enter a URL to fetch its HTTP headers.

Checks

  • HSTS — max-age, preload, subdomains
  • CSP — Content Security Policy, unsafe-inline/eval detection
  • X-Frame-Options — clickjacking protection
  • X-Content-Type-Options — anti MIME sniffing
  • Referrer-Policy — Referer policy
  • Permissions-Policy — browser API restrictions
  • COOP / COEP / CORP — cross-origin isolation
  • Set-Cookie — Secure, HttpOnly, SameSite flags
  • disclosure — Server, X-Powered-By, X-AspNet-Version
  • deprecated — X-XSS-Protection, HPKP, Expect-CT, Feature-Policy
  • TLS — version, cipher, signature, expiry, chain
  • HTTPS / HSTS preload — HTTP→HTTPS redirect, HSTS preload eligibility
  • CSP detail — directives, unsafe sources, nonce/hash/strict-dynamic
  • Mixed content — HTTP resources on HTTPS page
  • SRI — integrity on cross-origin scripts/styles
  • iframes / target=_blank / forms — iframe sandbox, target=_blank, HTTPS forms
  • Sensitive endpoints — /.env, /.git, /server-status, backups
  • .well-known — security.txt, change-password
  • CORS · OPTIONS — third-party Origin, allowed methods
  • Recommendations — prioritized by impact