I Built a Free HTTP Header Analyzer, and Most Sites Score an F
A few months ago, I was reviewing the Nginx configuration of a side project and decided to run it through a security headers scanner. I pasted the response headers into a popular online tool, hit Enter, and waited.
Grade F. 12/100.
I was stunned. I had HTTPS, a valid certificate, and a modern stack. But I was missing every critical security header. No HSTS, no CSP, no X-Frame-Options. My site was a sitting duck for clickjacking, XSS, and protocol downgrade attacks, and I didn't even know it.
That experience led me to build DevToolbox HTTP Header Analyzer, a completely client-side tool that grades your security headers from A+ to F, explains every single one in plain English, and gives you ready-to-paste fixes. And it never sends your headers to any server.
Try It Yourself in 15 Seconds
- Open the HTTP Header Analyzer in a new tab.
- Copy the headers below (a well-configured example that scores A+).
- Paste them into the tool, click Analyze headers, and watch the magic happen.
HTTP/2 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
You'll see an A+ badge, a security score of 97/100, and a detailed breakdown of every header. Each line is explained: what it does, what happens if it's missing, and how to fix it.
Now paste this insecure configuration instead, just to see the contrast:
HTTP/1.1 200 OK
Server: Apache/2.4.51 (Ubuntu)
X-Powered-By: PHP/8.1.0
Grade F. One critical header, two warnings, and zero protections.
What Makes This Different from Other Scanners?
100% client-side: your headers never leave your browser. No data is sent to any server, ever. You can even disconnect from the internet after loading the page and it still works.
Plain-English explanations: you don't just get a checklist of missing headers. Each one is described in simple terms: what it protects against, what the recommended value is, and how to configure it on Nginx, Apache, Express, or Vercel.
Before/After comparison mode: making changes to your server config? Paste your old headers and your new headers side by side to see exactly what improved.
It's not just about security: Cache-Control, CORS, Content-Type, and even informational headers like Server and X-Powered-By are analyzed and explained.
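To show what a scanner like this actually does with pasted headers, here is a minimal grader written as an added example for this post. It is not the DevToolbox analyzer's own code: the checks, weights and grade thresholds are assumptions chosen for illustration (the real tool scores the A+ sample 97/100; this one scores it 100). It parses a raw response block, scores the six security headers, reports Server and X-Powered-By as warnings, and includes a compare() function in the spirit of the before/after mode. The two sample inputs are the header blocks shown earlier in the post.

```python
"""Minimal security-header grader.

Added example for this post; it is not the DevToolbox analyzer's own code.
The checks, weights and grade thresholds below are assumptions chosen to
illustrate how a scanner turns pasted headers into a grade and a fix list.
"""
import re

# Recommended Referrer-Policy values (assumed list for this example).
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _max_age(value):
    """Extract max-age from an HSTS value; 0 when absent or malformed."""
    m = re.search(r"max-age=(\d+)", value)
    return int(m.group(1)) if m else 0


# (header, weight, predicate on value). Weights sum to 100 by construction.
CHECKS = [
    ("strict-transport-security", 25, lambda v: _max_age(v) >= 31536000),
    ("content-security-policy", 25,
     lambda v: "default-src" in v and "object-src 'none'" in v),
    ("x-frame-options", 15, lambda v: v.upper() in {"DENY", "SAMEORIGIN"}),
    ("x-content-type-options", 15, lambda v: v.lower() == "nosniff"),
    ("referrer-policy", 10, lambda v: v.lower() in SAFE_REFERRER),
    ("permissions-policy", 10, lambda v: bool(v)),
]
# Headers that disclose server software; each one is reported as a warning.
LEAKY = ("server", "x-powered-by")


def parse_headers(raw):
    """Parse a pasted response block into {lowercased-name: value}.

    The status line ('HTTP/2 200 OK') is skipped, and repeated headers are
    joined with ', ' as the HTTP field-value rules allow.
    """
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore it
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def grade(score):
    """Map a 0-100 score to a letter grade (thresholds are assumptions)."""
    for threshold, letter in ((95, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D")):
        if score >= threshold:
            return letter
    return "F"


def analyze(raw):
    """Score one pasted header block and list what is missing or weak."""
    headers = parse_headers(raw)
    score, missing, weak, warnings = 0, [], [], []
    for name, weight, ok in CHECKS:
        if name not in headers:
            missing.append(name)
        elif ok(headers[name]):
            score += weight
        else:
            weak.append(name)      # present, but not at the recommended value
            score += weight // 2
    for name in LEAKY:
        if name in headers:
            warnings.append(f"{name} discloses '{headers[name]}'")
    return {"score": score, "grade": grade(score),
            "missing": missing, "weak": weak, "warnings": warnings}


def compare(before_raw, after_raw):
    """Before/after view: which checks a config change fixed or regressed."""
    b, a = analyze(before_raw), analyze(after_raw)
    b_bad, a_bad = set(b["missing"] + b["weak"]), set(a["missing"] + a["weak"])
    return {"before": b["grade"], "after": a["grade"],
            "fixed": sorted(b_bad - a_bad), "regressed": sorted(a_bad - b_bad)}


# Sample inputs, copied from the two header blocks shown in the post.
GOOD_HEADERS = """HTTP/2 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""
BAD_HEADERS = """HTTP/1.1 200 OK
Server: Apache/2.4.51 (Ubuntu)
X-Powered-By: PHP/8.1.0
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, analyze(raw))
    print("diff", compare(BAD_HEADERS, GOOD_HEADERS))
```

A header that is present but below the recommended value (for example an HSTS max-age of a few minutes) is scored as "weak" at half weight rather than treated as missing, which is the distinction a fix list needs to make between "add this header" and "change this value". The "good" block scores 100 and A+, the "bad" block scores 0 with two disclosure warnings, and compare() lists all six headers as fixed when going from one to the other.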
A Real Example from My Own Server
After that humiliating F grade, I spent ten minutes pasting the recommended fixes into my Nginx config:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self';" always;
server_tokens off;
I reloaded Nginx, re-pasted the response headers into the analyzer, and the grade jumped from F to A+. Ten minutes to go from a security disaster to a solid configuration.
Part of a Bigger Toolbox
The HTTP Header Analyzer is one of several free, client-side tools I've built under the DevToolbox umbrella. No sign-ups, no ads, no data collection. Every tool runs entirely in your browser.
You might also find these useful:
JWT Decoder & Security Analyzer, which spots alg: none, algorithm confusion, and expired tokens
Unix Timestamp Converter, covering all formats, UUID v1/v7 decoding, and ObjectID timestamps
SQL Formatter & Explainer, which formats queries, detects anti-patterns, and converts dialects
Go grab your response headers (from DevTools → Network → Headers, or curl -I https://yoursite.com), paste them into the analyzer, and see what score you get. You might be surprised.
Try the HTTP Header Analyzer now