ANALYSIS

Free account required

Security Headers

Inspect HTTP security headers and detect missing CSP, HSTS, and clickjacking protections.

Fetches response headers from any URL and grades each security header against OWASP recommendations. Identifies missing protections, weak policy values, and CSP bypasses. Generates a report suitable for bug bounty submissions.

What Security Headers finds

Missing Content-Security-Policy

Identifies absent or overly permissive CSP headers that allow XSS and data injection attacks.

HSTS Configuration

Checks for HTTP Strict Transport Security including max-age value, includeSubDomains, and preload status.

Clickjacking Protections

Validates X-Frame-Options and CSP frame-ancestors directives against UI redressing attacks.

Information Disclosure

Flags headers that reveal server technology (Server, X-Powered-By) and are useful for fingerprinting.

How to use Security Headers

Enter target URL

The tool sends a real HTTP request and captures all response headers including redirects.

Review header grades

Each header gets a pass/warn/fail rating with the actual value and recommended configuration.

Export for report

Generate a formatted table suitable for inclusion in HackerOne or Bugcrowd bug reports.
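The four checks listed under "What Security Headers finds" and the grade/export steps above can be illustrated with a small offline grader. The code below is an added example, not RaSEC's own code: it rates a dict of response headers pass/warn/fail and renders the result as a markdown table. The thresholds (HSTS max-age of at least one year, includeSubDomains and preload expected, 'unsafe-inline'/'unsafe-eval'/wildcard script sources treated as weak) are assumptions based on common OWASP guidance, the function names are mine, and the sample header set is constructed rather than captured from any site.

```python
"""Added example (not RaSEC's code): grade HTTP response headers pass/warn/fail.

Thresholds are assumptions loosely based on OWASP guidance; adjust to taste.
"""
import re

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_csp(headers):
    """Fail if CSP is absent; warn if the effective script source is permissive."""
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        return ("fail", "missing")
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when not set
    sources = directives.get("script-src") or directives.get("default-src")
    if sources is None:
        return ("fail", "no script-src or default-src")
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}
    found = sorted(weak & set(sources))
    if found:
        return ("warn", "permissive script source: " + ", ".join(found))
    return ("pass", csp)


def check_hsts(headers):
    """Fail if HSTS is absent; warn on short max-age or missing subdomain/preload flags."""
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        return ("fail", "missing")
    match = re.search(r"max-age=(\d+)", hsts, re.I)
    if not match:
        return ("fail", "no max-age")
    max_age = int(match.group(1))
    if max_age < ONE_YEAR:
        return ("warn", f"max-age {max_age} is below one year")
    low = hsts.lower()
    if "includesubdomains" not in low or "preload" not in low:
        return ("warn", "missing includeSubDomains or preload")
    return ("pass", hsts)


def check_framing(headers):
    """Prefer CSP frame-ancestors; fall back to X-Frame-Options."""
    csp = _get(headers, "Content-Security-Policy") or ""
    match = re.search(r"frame-ancestors\s+([^;]+)", csp, re.I)
    if match:
        sources = match.group(1).split()
        if "*" in sources:
            return ("warn", "frame-ancestors allows any origin")
        return ("pass", "frame-ancestors " + " ".join(sources))
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return ("fail", "no X-Frame-Options or frame-ancestors")
    if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return ("pass", f"X-Frame-Options {xfo}")
    # ALLOW-FROM is obsolete and ignored by current browsers
    return ("warn", f"unsupported X-Frame-Options value {xfo}")


def check_disclosure(headers):
    """Warn when headers expose technology or version details."""
    leaks = []
    server = _get(headers, "Server")
    if server and re.search(r"\d", server):  # version number present
        leaks.append(f"Server: {server}")
    powered = _get(headers, "X-Powered-By")
    if powered:
        leaks.append(f"X-Powered-By: {powered}")
    if leaks:
        return ("warn", "; ".join(leaks))
    return ("pass", "no technology disclosure")


def grade_headers(headers):
    """Run all checks; returns {check name: (rating, detail)}."""
    return {
        "csp": check_csp(headers),
        "hsts": check_hsts(headers),
        "framing": check_framing(headers),
        "disclosure": check_disclosure(headers),
    }


def report_table(results):
    """Render results as a markdown table for pasting into a report."""
    rows = ["| Check | Rating | Detail |", "|---|---|---|"]
    for name, (rating, detail) in results.items():
        rows.append(f"| {name} | {rating} | {detail} |")
    return "\n".join(rows)


# Constructed sample response headers (not from a real site).
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=86400",
    "X-Powered-By": "PHP/7.4",
}

if __name__ == "__main__":
    print(report_table(grade_headers(SAMPLE_HEADERS)))
```

Against the constructed sample the grader warns on the CSP ('unsafe-inline' in script-src), warns on HSTS (one-day max-age, no includeSubDomains/preload), passes framing (frame-ancestors 'self'), and warns on disclosure (versioned Server plus X-Powered-By). Feeding it headers captured with any HTTP client in place of SAMPLE_HEADERS gives the same table for a live response.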

RaSEC Platform

Run Security Headers as part of an overnight hunt.

All 8 tools in coordinated sequence
Deterministic reproduction
Copy-paste PoC reports
No credit card
Cancel anytime
Free forever tier