Security Header & CSP Analyzer

Security Header & CSP Analyzer — Audit HTTP Security Headers Online

Enter one or more URLs to audit their HTTP security posture: Content-Security-Policy, HSTS, X-Frame-Options, cookie flags and more. Get a tailored CSP, copy-paste fix snippets for Nginx/Apache/Express/Cloudflare/CloudFront, and an exportable IaC policy. For background, see MDN's CSP guide.

Analyze Your Security Headers — Enter URLs Below
AWS CLOUDFRONT

Get a ready-to-apply CloudFront Response Headers Policy

No origin or Lambda@Edge changes needed — CloudFront applies the headers at the edge. Every report tailors this policy to the exact headers your site is missing.

  • Content-Security-Policy tailored to your site's actual scripts/styles/frames
  • HSTS with includeSubDomains + preload
  • X-Frame-Options, Referrer-Policy and the rest of the OWASP baseline
  • Also exported as Terraform, OpenTofu, CloudFormation, Pulumi and boto3
{
  "Name": "SecurityHeadersPolicy",
  "SecurityHeadersConfig": {
    "ContentSecurityPolicy": {
      "ContentSecurityPolicy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self'; upgrade-insecure-requests",
      "Override": true
    },
    "StrictTransportSecurity": {
      "AccessControlMaxAgeSec": 63072000,
      "IncludeSubdomains": true,
      "Preload": true,
      "Override": true
    },
    "ContentTypeOptions": { "Override": true },
    "FrameOptions": { "FrameOption": "DENY", "Override": true },
    "ReferrerPolicy": {
      "ReferrerPolicy": "strict-origin-when-cross-origin",
      "Override": true
    }
  }
}