Security Headers SEO Validator & Public Site Hardening Checker

Validate public-site HTTP security headers for HTTPS trust, response hardening, framing protection, referrer leakage, browser permissions, and launch-readiness QA.

How to use this validator

  1. Capture headers from the exact URL you plan to launch or merge, including the final redirected HTTPS URL.
  2. Paste the response headers into the validator and run the check.
  3. Fix missing or weak HSTS, nosniff, frame protection, referrer policy, permissions policy, and CSP/header pairing issues in your app, CDN, or reverse proxy.
  4. Re-test homepage, high-traffic SEO pages, app shell routes, API responses, and preview URLs because edge rules often differ by path.
  5. Pair this with CSP, CORS, compression, performance budget, manifest, favicon, Open Graph, JSON-LD, canonical, sitemap, and robots validation before launch.

Rules & checks

Requires Strict-Transport-Security with max-age for HTTPS trust; includeSubDomains and preload are recommended when the whole domain is ready.

Requires X-Content-Type-Options: nosniff so browsers do not MIME-sniff scripts, styles, downloads, and assets into a different content type than the one the server declared.

Checks X-Frame-Options for DENY or SAMEORIGIN and encourages CSP frame-ancestors for modern clickjacking protection.

Checks Referrer-Policy against recognized values so outbound links do not leak more URL context than intended.

Checks Permissions-Policy for basic structure when present, especially camera, microphone, geolocation, payment, fullscreen, and browsing-topics controls.

Runs fully client-side; it does not fetch URLs, inspect TLS certificates, follow redirects, or verify CDN/header inheritance.

Inputs explained

  • HTTP response headers from production or preview

    Paste raw response headers, one per line, from `curl -I`, browser DevTools, Vercel preview responses, CDN logs, or a scanner. Avoid cookies, tokens, Authorization values, and private session headers.

When to use it

  • Run a public-site launch checklist for marketing pages, validator pages, app shells, docs, pricing, checkout, and login routes.
  • Compare Vercel preview and production headers before merging framework, middleware, CDN, or reverse-proxy changes.
  • Check trust/security posture after adding analytics, embeds, iframes, third-party scripts, auth, payments, or file downloads.
  • Turn `curl -I` output into a client-readable hardening review without uploading response headers to another service.
  • Pair security header QA with CSP, CORS, compression, performance budget, manifest, favicon, Open Graph, JSON-LD, canonical, sitemap, and robots validation.

Common errors

  • Forgetting HSTS on the final HTTPS host after a www/apex redirect or CDN migration.
  • Setting HSTS preload before subdomains, staging hosts, or legacy services are ready for forced HTTPS.
  • Missing nosniff, which can create MIME-type risk for scripts, styles, downloads, and uploaded assets.
  • Using ALLOWALL or omitting frame protections on checkout, login, admin, validator, or lead-capture pages.
  • Leaking full URLs with an overly permissive Referrer-Policy when pages contain campaign, lead, account, or private query parameters.
  • Assuming security headers are global when CDN rules, middleware, route handlers, static assets, and API responses may differ.

Limitations

  • Header syntax and presence checks only; this does not fetch a URL, verify TLS certificates, scan redirects, or prove real browser enforcement.
  • Does not replace CSP audits, dependency security reviews, penetration testing, cookie flag checks, auth review, or vulnerability scanning.
  • Permissions-Policy is checked structurally, not semantically; confirm the exact directives against current browser support.
  • HSTS preload has operational risk. Verify all subdomains and long-term HTTPS readiness before submitting a domain to preload lists.

Tips

  • Capture the final redirected HTTPS URL, not just the first URL you typed; redirects often have different headers than destination pages.
  • Add HSTS carefully: start with an appropriate max-age, confirm every subdomain supports HTTPS, then consider includeSubDomains and preload.
  • Use X-Frame-Options for legacy coverage and CSP frame-ancestors when you need modern, granular embedding control.
  • Keep Referrer-Policy conservative for public SEO pages with query parameters; strict-origin-when-cross-origin is a practical default.
  • Test through the CDN/edge layer because framework headers can be overwritten or omitted by static hosting, redirects, image routes, and API routes.

Examples

Launch-ready public page

  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Passes the core response-hardening checks.

Missing HSTS on HTTPS route

  • A page has X-Content-Type-Options and Referrer-Policy but no Strict-Transport-Security header.
  • The validator flags HSTS so the deploy team can add it at Vercel, Cloudflare, Nginx, Netlify, or the app framework layer.

Weak frame protection

  • X-Frame-Options: ALLOWALL
  • Flags the value and reminds you to use DENY/SAMEORIGIN or CSP frame-ancestors depending on embedding requirements.
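To make the rules and the three examples above concrete, here is an added Python example; it is not the page's own validator code. It parses `curl -I`-style response headers (status line, then one `Name: value` per line, case-insensitive, repeated fields joined) and applies the same presence and syntax checks: HSTS with a positive max-age, nosniff, DENY/SAMEORIGIN framing, recognized Referrer-Policy values, and structural Permissions-Policy parsing. It goes slightly beyond the page in one place, assumed rather than stated: a CSP `frame-ancestors` directive counts as framing protection when X-Frame-Options is absent. The recognized Referrer-Policy set and the Permissions-Policy grammar are assumptions taken from the current specifications, and the sample header sets are constructed from the examples above.

```python
"""Presence and syntax checks for public-site security headers (added example)."""
import re
from dataclasses import dataclass, field

# Assumption: the Referrer-Policy values defined by the current spec.
RECOGNIZED_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
# Assumption: one Permissions-Policy directive looks like feature=* or feature=(allowlist),
# where the allowlist holds self, src, * or quoted origins, e.g. geolocation=(self "https://a.example").
_PP_DIRECTIVE = re.compile(r'^[a-z][a-z0-9-]*=(\*|\((\s*(self|src|\*|"[^"]+"))*\s*\))$')


@dataclass
class Report:
    present: dict                                 # lower-cased header name -> value
    issues: list = field(default_factory=list)    # blocking findings
    warnings: list = field(default_factory=list)  # recommendations, not blockers

    @property
    def passed(self) -> bool:
        return not self.issues


def parse_headers(raw: str) -> dict:
    """Parse `curl -I`-style output: optional status line, then Name: value lines."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        # Repeated fields are joined with commas, the way list-valued headers combine.
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return headers


def check_headers(raw: str) -> Report:
    """Apply the HSTS, nosniff, framing, referrer and permissions checks to raw headers."""
    h = parse_headers(raw)
    r = Report(present=h)

    hsts = h.get("strict-transport-security")
    if hsts is None:
        r.issues.append("Strict-Transport-Security missing on HTTPS response")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m or int(m.group(1)) <= 0:
            r.issues.append("Strict-Transport-Security needs a positive max-age")
        else:
            if "includesubdomains" not in hsts.lower():
                r.warnings.append("HSTS: consider includeSubDomains once every subdomain serves HTTPS")
            if "preload" not in hsts.lower():
                r.warnings.append("HSTS: consider preload only when the whole domain is ready")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        r.issues.append("X-Content-Type-Options: nosniff missing")

    xfo = h.get("x-frame-options", "").strip().upper()
    has_frame_ancestors = "frame-ancestors" in h.get("content-security-policy", "").lower()
    if xfo in ("DENY", "SAMEORIGIN"):
        if not has_frame_ancestors:
            r.warnings.append("Pair X-Frame-Options with CSP frame-ancestors for modern clients")
    elif xfo:  # e.g. ALLOWALL or ALLOW-FROM: not a usable protection in current browsers
        r.issues.append(f"X-Frame-Options value {xfo!r} is weak; use DENY, SAMEORIGIN or CSP frame-ancestors")
    elif not has_frame_ancestors:
        r.issues.append("No framing protection: add X-Frame-Options or CSP frame-ancestors")

    rp = h.get("referrer-policy", "").strip().lower()
    tokens = [t.strip() for t in rp.split(",") if t.strip()]
    if not tokens:
        r.issues.append("Referrer-Policy missing")
    else:
        for token in tokens:
            if token not in RECOGNIZED_REFERRER_POLICIES:
                r.issues.append(f"Referrer-Policy {token!r} is not a recognized value")
            elif token in ("unsafe-url", "no-referrer-when-downgrade"):
                r.warnings.append(f"Referrer-Policy {token!r} can send full URLs cross-origin")

    pp = h.get("permissions-policy")
    if pp is not None:  # structural check only, as the page describes
        for directive in pp.split(","):
            if not _PP_DIRECTIVE.match(directive.strip()):
                r.issues.append(f"Permissions-Policy directive {directive.strip()!r} is malformed")
    return r


# Constructed sample responses mirroring the three examples above.
LAUNCH_READY = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
"""
MISSING_HSTS = "HTTP/2 200\nx-content-type-options: nosniff\nreferrer-policy: strict-origin-when-cross-origin\n"
WEAK_FRAME = "HTTP/2 200\nstrict-transport-security: max-age=31536000\nx-content-type-options: nosniff\nx-frame-options: ALLOWALL\nreferrer-policy: strict-origin-when-cross-origin\n"

if __name__ == "__main__":
    for label, raw in (("launch-ready", LAUNCH_READY), ("missing HSTS", MISSING_HSTS), ("weak frame", WEAK_FRAME)):
        rep = check_headers(raw)
        print(f"{label}: {'PASS' if rep.passed else 'FAIL'} issues={rep.issues} warnings={rep.warnings}")
```

Run it against output captured with `curl -I` from the final redirected HTTPS URL; anything in `issues` is a launch blocker, while `warnings` are the includeSubDomains/preload and frame-ancestors recommendations the rules describe. Like the page's validator, it only inspects header text: it does not fetch, follow redirects, or prove browser enforcement.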

Deep dive

Security headers support the trust layer around public SEO pages: browsers, crawlers, users, and partners expect HTTPS response hardening on serious production sites.

Use this validator after performance-budget QA to catch launch blockers that do not show up in title tags, schema, Open Graph previews, or Core Web Vitals runs.

The workflow is intentionally local and evidence-based: paste headers from curl, DevTools, Vercel, Cloudflare, Nginx, or a scanner and get a focused hardening checklist without uploading private responses.

FAQs

Does this fetch my URL or test TLS?
No. It validates pasted response headers in your browser. Use curl, DevTools, security scanners, and TLS tools to collect evidence first.

Should I always enable HSTS preload?
No. Preload is powerful but risky if any subdomain cannot serve HTTPS. Confirm the whole domain is ready before adding preload or submitting to preload lists.

Is X-Frame-Options enough?
It is useful legacy coverage, but CSP frame-ancestors is more flexible and should be reviewed for modern clickjacking protection.

Can I paste Vercel or Cloudflare headers?
Yes. Paste final response headers from previews, production, CDN logs, or curl output to compare edge behavior before and after deploys.

Security header validation runs entirely in your browser. Pasted headers, private preview hostnames, routing clues, and policy values are not uploaded, logged, stored, fetched, or shared.

Header syntax and presence checks only; does not prove TLS security, browser enforcement, vulnerability status, or production-wide header coverage.