Encrypt Online
Theme
Privacy Tool inputs are processed in your browser and are not sent to us.

Security Headers Inspector

Paste response headers and review browser-policy evidence without scanning a live URL

Paste headers, not a URL: This tool reads one copied response-header capture in your browser. It does not contact the site, store the capture, or treat a header snapshot as proof that a deployment is secure.
Inspect a response-header captureSeparate redirects, preserve repeated fields, and review each browser policy in context
Samples use reserved example domains.
HSTS and secure-context behavior depend on how the response was received.
Maximum input: 512 KiB, 4,096 lines, 16 response blocks, and 512 fields. Cookie names and values are excluded from results and copied summaries.
Browser Security Headers This Tool Inspects

The inspector separates enforced and report-only Content Security Policy, HSTS, nosniff, Referrer-Policy, Permissions-Policy, framing controls, COOP, COEP, CORP, and selected Set-Cookie attributes. It reports syntax and interaction evidence; it does not run a policy in a browser.

Missing Does Not Always Mean Vulnerable

HSTS only has meaning when received over a valid secure connection. CSP, framing, COOP, and COEP usually matter most on documents or worker environments. CORP, MIME types, CORS, and request destination affect how fetched resources are used. Choose the known response context and treat Context needed as a prompt to inspect the real request and deployment—not as a pass or failure.

Repeated Headers Do Not Share One Universal Rule

Multiple enforced CSP policies all apply, but HSTS processing uses the first field. Referrer-Policy uses the last recognized policy in list order. Set-Cookie fields stay separate, and duplicate singleton fields such as COOP or COEP can make the value fail to parse. The inspector keeps the original occurrences separate instead of joining every field with a comma.

Capture the Actual Response Before Comparing Policies

In browser DevTools, select the request and copy its response headers. From a terminal, capture each response header block from a GET request against a test or public URL you are authorized to inspect:

curl -sS -L -D - -o /dev/null https://www.example.test/

Keep redirect blocks in the paste. The response selector lets you inspect each block without blending an edge redirect, proxy response, and final origin policy. Plain curl -I output is also accepted, but it represents a HEAD request and needs -L when you want curl to follow redirects.

Security Headers Inspector FAQ
Does this scan a website or make network requests?

No. Paste a copied header block. Parsing and inspection stay in this browser, and the page does not fetch the hostname or any URL found in the input.

Why is there no security grade?

A grade would hide deployment context. Effective behavior can depend on the response URL, resource type, redirect chain, browser, iframe policy, cached HSTS state, cookies, and the content that the page actually loads.

Are cookie names or values included in copied output?

No. The parser exposes only attribute presence and review notes for Set-Cookie fields. Cookie names and values are excluded from the result object, rendered inventory, and copyable summary.