wiredepth


Security headers checker

Audit HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the cross-origin isolation headers in one go. No signup.

What this tool checks

We fetch the homepage of the domain over HTTPS and parse every response header relevant to browser-side security. That covers the classic three (HSTS, CSP, X-Frame-Options), the modern set (X-Content-Type-Options, Referrer-Policy, Permissions-Policy), and the cross-origin isolation triplet (Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy).

For each header we surface what's set, score the value (presence is half - the actual directive matters more), and flag the common foot-guns - unsafe-inline in CSP, a too-short HSTS max-age, Referrer-Policy: no-referrer-when-downgrade (the browser default, not a chosen posture), etc.

We also follow up to 3 redirects so you score the actual served origin rather than a redirector. Many sites have tightly-locked headers on the redirector and lax headers on the destination - we want the destination's posture.

How to read the results

HSTS without preload protects subsequent visits but not the first. Submitting to the HSTS Preload list (with includeSubDomains and max-age ≥ 31536000) protects first visits too.

CSP with unsafe-inline is functionally equivalent to no CSP for XSS prevention. If you can't kill inline scripts, switch to nonce-based CSP - it's the only backwards-compatible path to a real CSP posture.

X-Frame-Options vs CSP frame-ancestors: CSP frame-ancestors supersedes X-Frame-Options. Shipping both is fine, but the CSP directive is what modern browsers use. Some receivers (older proxies, email clients) still respect X-Frame-Options exclusively, so shipping both is the belt-and-braces choice.
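As an added illustration of the checks described above (not wiredepth's own code), here is a small Python audit over an already-fetched header map; the thresholds and finding messages are assumptions modelled on the page's rules, and the exact scoring is the tool's own.

```python
import re

# Assumed thresholds, taken from the rules stated on this page (not the tool's real scoring).
MIN_HSTS_MAX_AGE = 31536000  # one year, the preload-list minimum
BROWSER_DEFAULT_REFERRER = "no-referrer-when-downgrade"


def _directive(csp, name):
    """Return a CSP directive's value, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return None


def audit_headers(headers):
    """Return a list of findings for a response header map (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age {max_age} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")
        if "preload" not in hsts.lower():
            findings.append("HSTS: no preload, first visit unprotected")

    csp = h.get("content-security-policy")
    frame_ancestors = _directive(csp, "frame-ancestors") if csp else None
    if csp is None:
        findings.append("CSP: missing")
    else:
        # script-src falls back to default-src; a nonce or hash makes 'unsafe-inline' ignored.
        script = _directive(csp, "script-src") or _directive(csp, "default-src") or ""
        if "'unsafe-inline'" in script and "'nonce-" not in script and "'sha" not in script:
            findings.append("CSP: script-src allows 'unsafe-inline' (no XSS protection)")
        if "'unsafe-eval'" in script:
            findings.append("CSP: script-src allows 'unsafe-eval'")
    if frame_ancestors is None and "x-frame-options" not in h:
        findings.append("Framing: neither frame-ancestors nor X-Frame-Options set")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    rp = h.get("referrer-policy", "").lower()
    if not rp or rp == BROWSER_DEFAULT_REFERRER:
        findings.append("Referrer-Policy: browser default, not a chosen posture")
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection: legacy header, scored neutral")
    return findings
```

Feed it the headers of the final response after redirects, as the page recommends, or it will grade the redirector rather than the served origin.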

Frequently asked questions

Which headers actually matter?

HSTS, CSP, and X-Frame-Options / frame-ancestors are the high-impact ones. The cross-origin isolation triplet matters if you serve cross-origin content or want SharedArrayBuffer / high-resolution timers. The rest are smaller wins individually but cumulative.

Why does my CSP grade as weak even though I set one?

Most CSPs include unsafe-inline or unsafe-eval, which lets injected JS execute despite the policy. A 'real' CSP uses nonces or hashes for inline scripts, which requires server-side cooperation. We grade on whether the policy actually blocks XSS, not just presence.

Is X-XSS-Protection still useful?

No - all major browsers have removed support. We surface it if present (some legacy code still ships it) but score it neutral. The modern equivalent is a strong CSP.

What does Permissions-Policy do?

Selectively disables browser APIs (camera, microphone, geolocation, payment, etc.) at the document level. Useful for defense-in-depth: even if a script gets compromised, it cannot access the disabled APIs without a server-side change.

Why do I need cross-origin isolation headers?

Required if you want SharedArrayBuffer, high-precision performance.now(), or some WebAssembly features; cross-origin isolation is what COOP and COEP together establish. Most sites do not need them; the few that do (web-based IDEs, video editors, ML demos) know who they are.
