Free tool

Security Headers Explainer

Paste your site's response headers — get a plain-English breakdown of each one.

For site owners · Covers CSP, HSTS, COOP/COEP · Plain-English

How it works

If you run a website, your HTTP response headers are one of the highest-leverage security controls available. Paste a recent response header dump (from `curl -I` or your browser's DevTools Network tab) and we'll explain what's there, what's missing, and what each header actually does.

Methodology

We parse `Header-Name: value` pairs case-insensitively and match them against a reference set: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the cross-origin trio (COOP, COEP, CORP).
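As an added example of the parsing step described above (this is illustrative code, not the tool's own source), the following reads a raw header dump, splits each `Name: value` line on the first colon, lowercases the name so matching is case-insensitive, keeps repeated headers (such as `set-cookie`) as a list, and reports which of the reference headers are present or missing. The sample dump and the one-line explanations are constructed for the example.

```python
"""Parse a raw HTTP response-header dump and report which reference security
headers are present. Added example (hypothetical code, not the tool's own);
SAMPLE_DUMP and the explanation strings below are constructed."""
from __future__ import annotations

# Reference set named in the Methodology section, keyed by lowercase name.
REFERENCE_HEADERS: dict[str, str] = {
    "strict-transport-security": "HSTS: browsers use HTTPS only for this host",
    "content-security-policy": "CSP: restricts where scripts, styles, etc. may load from",
    "x-frame-options": "controls whether the page may be embedded in a frame",
    "x-content-type-options": "'nosniff' stops MIME-type guessing",
    "referrer-policy": "limits what URL information goes into the Referer header",
    "permissions-policy": "restricts browser features such as camera or geolocation",
    "cross-origin-opener-policy": "COOP: isolates this context from cross-origin openers",
    "cross-origin-embedder-policy": "COEP: requires cross-origin resources to opt in",
    "cross-origin-resource-policy": "CORP: limits who may embed this resource",
}


def parse_headers(dump: str) -> dict[str, list[str]]:
    """Parse `Name: value` lines case-insensitively into {lowercase name: [values]}.

    A header may repeat (e.g. set-cookie), so every value is kept.
    Status lines such as 'HTTP/2 200' and blank lines are skipped; a line with
    no colon is ignored rather than treated as an error.
    """
    headers: dict[str, list[str]] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        if ":" not in line:
            continue
        # Split on the FIRST colon only: values like URLs contain colons too.
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def explain(dump: str) -> dict[str, dict]:
    """Match parsed headers against the reference set.

    Returns {name: {"present": bool, "values": [...], "explanation": str}}.
    """
    found = parse_headers(dump)
    report: dict[str, dict] = {}
    for name, explanation in REFERENCE_HEADERS.items():
        values = found.get(name, [])
        report[name] = {
            "present": bool(values),
            "values": values,
            "explanation": explanation,
        }
    return report


def missing(dump: str) -> list[str]:
    """Names of reference headers absent from the dump."""
    return [name for name, r in explain(dump).items() if not r["present"]]


# Constructed sample, in the shape `curl -I` prints (mixed-case names on purpose).
SAMPLE_DUMP = """\
HTTP/2 200
content-type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
set-cookie: a=1; Secure
set-cookie: b=2; HttpOnly
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for name, r in explain(SAMPLE_DUMP).items():
        status = "present" if r["present"] else "MISSING"
        print(f"{status:8} {name}: {r['explanation']}")
        for value in r["values"]:
            print(f"         value: {value}")
```

Running the block prints one line per reference header; for the constructed sample, HSTS, X-Content-Type-Options and Referrer-Policy show as present and the remaining six as missing. Because parsing splits on the first colon only, header values that themselves contain colons (URLs, times) survive intact.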

Frequently asked questions

Where do I get my headers?

Run `curl -I https://yoursite.example` in a terminal, or open DevTools → Network → click any request → 'Headers' tab → 'Response Headers'.

Which header should I add first?

If you don't have HSTS yet, add it once you're confident HTTPS works on every subdomain. Then a strict Content-Security-Policy. Then the cross-origin policies.

Are these tested against my site?

No — this tool is an explainer for headers you paste in. It does not fetch external URLs.
