
HTTP Security Headers Validator

Validate core security headers (HSTS, nosniff, frame options, referrer policy, permissions policy) entirely client-side.


How to use this validator

  1. Paste the response headers.
  2. Run the validator to check the presence and values of the security headers.
  3. If issues are flagged, add or correct the missing headers and re-run.

Rules & checks

Requires Strict-Transport-Security with max-age (optionally includeSubDomains/preload).

X-Content-Type-Options must be nosniff.

X-Frame-Options should be DENY or SAMEORIGIN.

Referrer-Policy should be a recognized value.

Permissions-Policy is checked for basic structure when present.

Inputs explained

  • HTTP response headers

    Paste raw headers from curl/DevTools (one per line). Keep sensitive info out; this runs locally.

When to use it

  • QA headers before launch
  • Check CDN/edge overrides
  • Security reviews for third-party pages

Common errors

  • HSTS missing or max-age not set
  • X-Content-Type-Options not set to nosniff
  • X-Frame-Options using ALLOWALL or missing
  • Referrer-Policy missing or unrecognized
  • Permissions-Policy malformed

Limitations

  • Header syntax checks only; does not measure actual transport security or TLS configuration.
  • Does not fetch URLs; paste captured headers instead.

Tips

  • Include HSTS with includeSubDomains and preload if applicable
  • Pair with CSP and compression checks for holistic coverage
  • Set Referrer-Policy to strict-origin-when-cross-origin or stricter for most sites

Examples

Valid set

  • Strict-Transport-Security: max-age=63072000; includeSubDomains
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Referrer-Policy: strict-origin-when-cross-origin

Missing HSTS

  • No Strict-Transport-Security -> flagged

Bad XFO

  • X-Frame-Options: ALLOWALL -> flagged
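The rules and examples above, implemented as an added client-side checker that is not the validator's own code; parseHeaders, validateSecurityHeaders and the issue strings are assumed names, and the accepted Referrer-Policy token list and the Permissions-Policy shape check are my reading of the rules, not the tool's exact logic.

```javascript
// Added example: minimal header checker mirroring the "Rules & checks" section.
// Function names and issue messages are assumptions, not the tool's own.
const REFERRER_VALUES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]);

// Parse raw "Name: value" lines (as pasted from curl/DevTools) into a
// lowercase-keyed map; status lines and blank lines are skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // no "name:" part, e.g. "HTTP/1.1 200 OK"
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

function validateSecurityHeaders(raw) {
  const h = parseHeaders(raw);
  const issues = [];
  // HSTS: must exist and carry a numeric max-age directive.
  const hsts = h["strict-transport-security"];
  if (!hsts) issues.push("HSTS missing");
  else if (!/(^|;)\s*max-age=\d+\s*(;|$)/i.test(hsts)) issues.push("HSTS max-age not set");
  // nosniff: exact token, case-insensitive.
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    issues.push("X-Content-Type-Options not set to nosniff");
  // X-Frame-Options: only DENY / SAMEORIGIN pass; ALLOWALL or absence is flagged.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!["DENY", "SAMEORIGIN"].includes(xfo)) issues.push("X-Frame-Options missing or not DENY/SAMEORIGIN");
  // Referrer-Policy: may be a comma-separated fallback list; every token must be recognized.
  const rp = h["referrer-policy"];
  if (!rp || !rp.split(",").every(t => REFERRER_VALUES.has(t.trim().toLowerCase())))
    issues.push("Referrer-Policy missing or unrecognized");
  // Permissions-Policy (optional): each directive must look like feature=(allowlist) or feature=*.
  const pp = h["permissions-policy"];
  if (pp !== undefined && !pp.split(",").every(d => /^\s*[a-z-]+=(\(.*\)|\*)\s*$/i.test(d)))
    issues.push("Permissions-Policy malformed");
  return { issues, present: Object.keys(h) };
}
```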

Deep dive

This HTTP security headers validator checks HSTS, nosniff, frame options, referrer policy, and permissions policy values entirely in your browser.

Use it to QA headers from DevTools or curl before deploying or configuring CDN/edge overrides.

FAQs

Is this uploaded?
No. Validation runs client-side and clears on refresh.
Do you test HTTPS/TLS?
No. This checks header presence/values only.

All validation happens in your browser. No data is sent, logged, or stored.