Security Headers Inspector
Paste response headers and review browser-policy evidence without scanning a live URL
The inspector separates enforced and report-only Content Security Policy, HSTS, nosniff, Referrer-Policy, Permissions-Policy, framing controls, COOP, COEP, CORP, and selected Set-Cookie attributes. It reports syntax and interaction evidence; it does not run a policy in a browser.
HSTS only has meaning when received over a valid secure connection. CSP, framing, COOP, and COEP usually matter most on documents or worker environments. CORP, MIME types, CORS, and request destination affect how fetched resources are used. Choose the known response context and treat Context needed as a prompt to inspect the real request and deployment—not as a pass or failure.
Multiple enforced CSP policies all apply, but HSTS processing uses the first field. Referrer-Policy uses the last recognized policy in list order. Set-Cookie fields stay separate, and duplicate singleton fields such as COOP or COEP can make the value fail to parse. The inspector keeps the original occurrences separate instead of joining every field with a comma.
In browser DevTools, select the request and copy its response headers. From a terminal, capture each response header block from a GET request against a test or public URL you are authorized to inspect:
curl -sS -L -D - -o /dev/null https://www.example.test/ Keep redirect blocks in the paste. The response selector lets you inspect each block without blending an edge redirect, proxy response, and final origin policy. Plain curl -I output is also accepted, but it represents a HEAD request and needs -L when you want curl to follow redirects.
Does this scan a website or make network requests?
No. Paste a copied header block. Parsing and inspection stay in this browser, and the page does not fetch the hostname or any URL found in the input.
Why is there no security grade?
A grade would hide deployment context. Effective behavior can depend on the response URL, resource type, redirect chain, browser, iframe policy, cached HSTS state, cookies, and the content that the page actually loads.
Are cookie names or values included in copied output?
No. The parser exposes only attribute presence and review notes for Set-Cookie fields. Cookie names and values are excluded from the result object, rendered inventory, and copyable summary.