Comprehensive Security Analysis
Deep inspection of your security headers and CSP implementation with actionable recommendations.
CSP Analysis
Deep analysis of Content Security Policy directives, identifying gaps and security risks in your implementation.
- Directive validation
- Policy optimization
- Threat detection
- Security recommendations
- Priority-based reporting
Security Headers
Comprehensive check of all security-related HTTP headers with best practice recommendations.
- Header presence check
- Value validation
- Best practice comparison
- Fix recommendations
- Server-specific guides
Risk Assessment
Intelligent risk scoring based on your security posture with prioritized improvement suggestions.
- Risk scoring
- Vulnerability detection
- Threat detection
- Security recommendations
- Priority-based reporting
Advanced Analysis Features
Real-time Scanning
Instant analysis of your security headers and CSP implementation with live feedback and recommendations.
Comprehensive Reports
Detailed security reports with actionable insights and specific recommendations for improvement.
Best Practice Guidelines
Industry-standard recommendations based on OWASP guidelines and security best practices.
Technical Capabilities
Policy Validation
Deep analysis of CSP directives, identifying potential security gaps and optimization opportunities.
Violation Detection
Automatic detection and reporting of CSP violations with detailed context and remediation steps.
SSL/TLS Verification
Comprehensive SSL certificate validation and configuration analysis for secure connections.
Security Headers We Analyze
Content Security
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
Transport Security
- Strict-Transport-Security
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
Privacy & Access Control
- X-XSS-Protection
- Referrer-Policy
- Permissions-Policy
Frequently Asked Questions
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. It works by specifying which sources of content are allowed to be loaded on your website, giving you fine-grained control over scripts, styles, images, and other resources.
Why do I need security headers?
Security headers are HTTP response headers that add extra layers of protection to your website. They help prevent common attacks like XSS, clickjacking, and man-in-the-middle attacks. Without proper security headers, your website and users are vulnerable to various exploits that could compromise sensitive data.
What does 'unsafe-inline' mean in CSP?
The 'unsafe-inline' keyword (a CSP source expression, usually found in script-src or style-src) allows inline JavaScript and CSS to execute on your page. While convenient, it significantly weakens your CSP protection, because an attacker who can inject markup into the page can then inject inline scripts as well. We recommend using nonces or hashes instead to allow specific inline code safely.
How do I fix a low security score?
To improve your security score: 1) Implement a Content Security Policy header, 2) Add HSTS (Strict-Transport-Security) for HTTPS enforcement, 3) Remove 'unsafe-inline' and 'unsafe-eval' from your CSP, 4) Add X-Frame-Options to prevent clickjacking, and 5) Include X-Content-Type-Options to prevent MIME sniffing attacks.
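The five fixes above, expressed as a small header checker. This is an added example, not HeaderTest's own code; the two header sets it runs over are constructed, and the CSP parsing is a simplified version of the directive split browsers perform.

```python
import re

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]} (lower-cased)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def check_headers(headers):
    """Return the list of findings for the five fixes; [] means all five pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly
        script = d.get("script-src", d.get("default-src", []))
        for kw in ("'unsafe-inline'", "'unsafe-eval'"):
            if kw in script:
                findings.append(f"CSP script sources allow {kw}")
    if not re.search(r"max-age=\d+", h.get("strict-transport-security", "")):
        findings.append("missing or invalid Strict-Transport-Security")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing or weak X-Frame-Options")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_headers(hdrs) or ["no findings"])
```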
Is HeaderTest free to use?
Yes, HeaderTest is completely free to use. You can scan unlimited websites without registration or any cost. We believe web security should be accessible to everyone, from individual developers to large enterprises.
What is the difference between CSP and CORS?
Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) serve different purposes. CSP controls which resources your page can load, protecting against XSS and data injection attacks. CORS controls which external origins can access your API or resources, protecting your server from unauthorized cross-origin requests. Both are important: CSP protects your users, while CORS protects your server. A strong security posture requires both to be configured correctly.
How often should I scan my security headers?
We recommend scanning your security headers after every deployment and at least once a month as a routine check. Configuration changes, framework updates, or CDN modifications can inadvertently remove or weaken security headers. Regular scanning ensures you catch regressions early before they become exploitable vulnerabilities.
What is strict-dynamic in CSP and should I use it?
The 'strict-dynamic' source expression allows scripts loaded by already-trusted scripts (those authorized by a nonce or hash) to execute without each one having to be explicitly allowlisted. When combined with nonces or hashes, it simplifies CSP management for applications that dynamically load scripts. It is recommended for modern web applications because it reduces the need for broad domain allowlists while maintaining strong XSS protection. However, it only works with a nonce-based or hash-based CSP.
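The nonce and hash mechanisms from the two CSP answers above, worked through in code: computing the 'sha256-...' source for an inline script, minting a per-response nonce, building a 'strict-dynamic' policy around them, and checking whether a given inline script is allowed by that policy. This is an added example, not HeaderTest's code; the script bodies are constructed and the policy check covers only script-src.

```python
import base64, hashlib, secrets

def script_hash_source(inline_script):
    """CSP source expression for an inline script body: 'sha256-<base64 digest>'.
    The digest covers the exact text between the tags, so any whitespace edit breaks it."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def new_nonce():
    """Per-response nonce: 128 bits from the OS CSPRNG, base64-encoded (24 chars)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def strict_dynamic_policy(nonce, hashes=()):
    """script-src trusting the nonce, the listed hashes, and whatever those scripts load.
    Browsers that honour 'strict-dynamic' ignore host sources and 'unsafe-inline' here,
    so no domain allowlist is needed; object-src/base-uri are locked down alongside."""
    sources = [f"'nonce-{nonce}'", *hashes, "'strict-dynamic'"]
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'none'"

def inline_script_allowed(policy, script_text, nonce_attr=None):
    """Would an inline <script> with this body and nonce attribute run under the policy?
    It runs if its hash is listed or its nonce matches; 'unsafe-inline' only counts
    when the directive carries no nonce or hash at all (browsers ignore it otherwise)."""
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == "script-src":
            sources = tokens[1:]
            break
    else:
        return False
    if script_hash_source(script_text) in sources:
        return True
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash

if __name__ == "__main__":
    nonce = new_nonce()
    pinned = "window.appConfig = {debug: false};"  # constructed inline script
    policy = strict_dynamic_policy(nonce, [script_hash_source(pinned)])
    print(policy)
    print(inline_script_allowed(policy, pinned))            # True: hash listed
    print(inline_script_allowed(policy, "alert(1)", nonce)) # True: nonce matches
    print(inline_script_allowed(policy, "alert(1)"))        # False: neither
```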
Ready to Secure Your Web Application?
Start scanning your website now and get instant insights into your security posture.