// tool · headers
Security Headers Analyzer — A+..F grade and per-stack fixes
Paste any site's response headers and get an A+..F grade, what each header does and the exact fix line for your server — Nginx, Apache, Node or Cloudflare.
Runs 100% in your browser · nothing is sent
0/100 ·
A snapshot of the grade computed right now — it doesn't auto-update. A dynamic badge would need a server; IntruderLabs never sends your headers anywhere.
Paste the headers above and the analysis shows up here — 100% in your browser.
For authorized testing, research and education only. The analysis runs 100% in your browser — no header is sent anywhere.
// reference
The security headers that matter
Security headers are instructions in the HTTP response that tell the browser how to behave — from blocking injected scripts to preventing the page from being embedded in an iframe. Below is what each header does, the recommended value and the Nginx tweak. Paste your headers into the tool above to get the grade and the fix snippet for the other stacks (Apache, Node and Cloudflare).
Content-Security-Policy
The Content-Security-Policy is the strongest defense against XSS: it declares which origins the browser may load script, style, frame and media from. A script-src with 'unsafe-inline' or * undoes much of that protection.
Recommended: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always; Strict-Transport-Security
The Strict-Transport-Security (HSTS) header forces the browser to speak only HTTPS with the domain, shutting down downgrade and SSL-strip attacks. A short max-age weakens the window; includeSubDomains and preload widen coverage.
Recommended: max-age=63072000; includeSubDomains; preload
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; X-Frame-Options
The X-Frame-Options: DENY header stops the page from being embedded in an iframe, blocking clickjacking. The modern equivalent is CSP frame-ancestors 'none' — having either one covers the attack. ALLOW-FROM is deprecated.
Recommended: DENY
add_header X-Frame-Options "DENY" always; X-Content-Type-Options
The X-Content-Type-Options: nosniff header turns off browser MIME-sniffing, which can reinterpret a text upload as a script and trigger XSS. The only valid value is nosniff.
Recommended: nosniff
add_header X-Content-Type-Options "nosniff" always; Referrer-Policy
The Referrer-Policy header controls how much of the current URL leaks in the Referer header when navigating away. unsafe-url leaks the full path (including query-string tokens); strict-origin-when-cross-origin is the safe balance.
Recommended: strict-origin-when-cross-origin
add_header Referrer-Policy "strict-origin-when-cross-origin" always; Permissions-Policy
The Permissions-Policy (formerly Feature-Policy) turns off powerful browser APIs — geolocation, camera, microphone, payment — that your app does not use, shrinking the blast radius of an XSS or a malicious iframe. An empty allowlist () denies the feature to all origins.
Recommended: geolocation=(), camera=(), microphone=(), payment=(), usb=()
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=()" always; Cross-Origin-Opener-Policy
The Cross-Origin-Opener-Policy: same-origin header isolates your browsing context from windows of other origins (opened via window.open), blocking XS-Leaks and tabnabbing and enabling cross-origin isolation.
Recommended: same-origin
add_header Cross-Origin-Opener-Policy "same-origin" always; Cross-Origin-Resource-Policy
The Cross-Origin-Resource-Policy: same-origin header stops other sites from loading your resources (images, scripts, JSON) via tags, mitigating Spectre/XS-Leaks. Use same-site if subdomains need to consume the resource.
Recommended: same-origin
add_header Cross-Origin-Resource-Policy "same-origin" always; Cross-Origin-Embedder-Policy
The Cross-Origin-Embedder-Policy: require-corp header is optional: together with COOP it enables cross-origin isolation (needed for SharedArrayBuffer and high-precision timers). It can break third-party resources — adopt carefully. It only counts as a bonus here.
Recommended: require-corp
add_header Cross-Origin-Embedder-Policy "require-corp" always; Server
The Server header with a version (e.g. Apache/2.4.58) hands the attacker exactly which software and version you run — a shortcut to look up CVEs. Hide the version or drop the header.
Recommended: (sem versão / header omitido)
server_tokens off; # dentro do bloco http {} — esconde a versao do Nginx X-Powered-By
The X-Powered-By header (e.g. PHP/8.1.2, Express) reveals the app stack with no functional benefit. It is free fingerprinting for the attacker — remove it.
Recommended: (header removido)
proxy_hide_header X-Powered-By; # quando o Nginx faz proxy para a app X-AspNet-Version
The X-AspNet-Version header exposes the exact .NET runtime version. It has no production use and eases CVE mapping — turn it off in web.config.
Recommended: (header removido)
proxy_hide_header X-AspNet-Version; X-Generator / X-Runtime
Headers like X-Generator, X-Runtime and X-Drupal-Cache give away CMS, framework and internal response times. Each one is a hint for the attacker — strip the non-essential ones.
Recommended: (headers removidos)
more_clear_headers 'X-Generator' 'X-Runtime' 'X-Drupal-Cache'; # modulo headers-more Cookie · Secure
A cookie without the Secure attribute can travel over plain HTTP, exposed to interception. Every session cookie should carry Secure so it only goes over HTTPS.
Recommended: Secure
proxy_cookie_flags ~ secure httponly samesite=lax; Cookie · HttpOnly
Without HttpOnly, the cookie is readable by JavaScript — an XSS steals the session straight through document.cookie. Authentication cookies should be HttpOnly.
Recommended: HttpOnly
proxy_cookie_flags ~ secure httponly samesite=lax; Cookie · SameSite
The SameSite attribute controls whether the cookie rides along on cross-site requests — the foundation of CSRF defense. Use Lax (or Strict); SameSite=None WITHOUT Secure is rejected by browsers.
Recommended: SameSite=Lax
proxy_cookie_flags ~ samesite=lax secure httponly; Frequently asked questions
Which security headers matter most?
Content-Security-Policy (CSP) is the most decisive against XSS; followed by Strict-Transport-Security (HSTS), X-Frame-Options/frame-ancestors (clickjacking), X-Content-Type-Options and Referrer-Policy. The tool grades them all and weights the CSP.
How do I get an A+ on security headers?
Use a restrictive CSP (no unsafe-inline or wildcard in script-src), long HSTS with includeSubDomains and preload, X-Frame-Options: DENY or frame-ancestors, X-Content-Type-Options: nosniff, a strict Referrer-Policy and a Permissions-Policy that locks sensitive APIs — and remove headers that leak your stack.
What does each grade band mean?
The score runs from 0 to 100 and maps to A+..F. Without a CSP the grade is capped, because it's the most important defense; missing, weak or info-leaking headers drag the score down.
Are the headers I paste sent to any server?
No. The analysis runs entirely in your browser — no header is sent anywhere.
Want to know if your application is exposed?
Headers are just the surface. IntruderLabs runs the pentest that finds and proves the real flaws before an attacker does — under your brand, with white-label reporting.
Talk to us →