Security Headers Analyzer - CSP & HSTS
Inspect security-related HTTP response headers for any URL. Quickly see whether CSP, HSTS, and framing protections are present, coherent, and appropriate for your app.
Try it now: Open the free Security Headers Analyzer - CSP & HSTS tool — no sign-up required.
Headers are part of your application contract
After TLS terminates, the browser enforces policy from response headers. A missing X-Content-Type-Options or weak Referrer-Policy will not show up in a certificate viewer, yet they affect how much attacker-controlled content can influence your users. Treat headers like code: version them, review them in PRs, and test them on error pages and APIs, not only the marketing homepage.
High-value headers and what “good” looks like
Strict-Transport-Security should appear only on HTTPS responses, with a max-age measured in months or years once you are confident. Content-Security-Policy should avoid unsafe-inline for script in the long run; use nonces tied to per-request HTML rendering where frameworks allow. frame-ancestors 'none' or an explicit allowlist beats a vague DENY/SAMEORIGIN split across CSP and X-Frame-Options. Permissions-Policy can disable camera and microphone for sites that never need them. Cross-Origin-Opener-Policy and its related headers matter when you are hardening isolated contexts against Spectre-class issues.
CSP rollout that does not brick production
Teams fail CSP by jumping straight to enforcement. Use Content-Security-Policy-Report-Only with a collector endpoint, fix the noisy violations (often third-party widgets and inline event handlers), then flip enforcement incrementally. Remember that CDNs may strip or add headers; compare origin versus edge with this analyzer. If you embed customer subdomains, frame-ancestors must reflect that graph. When assets move to a new host, update CSP before the DNS cutover; otherwise browsers will block your own JS from the new host as soon as the cutover lands.
HSTS, redirects, and certificate alignment
HSTS is only trustworthy if users never establish sensitive sessions over plain HTTP first. Implement 301 redirects to HTTPS site-wide, fix mixed content, then add HSTS with a small max-age, increase it over time, and consider preload only when every subdomain is safe. Certificate name mismatches (caught with the SSL certificate checker) pair badly with HSTS because browsers will not let users click through certificate warnings on an HSTS host. Combine with TLS scanner results so you do not advertise downgrade protection while still offering TLS 1.0 on an alternate listener.
APIs, microservices, and consistency
JSON APIs often omit security headers because “browsers do not render JSON.” Modern browsers still MIME-sniff in edge cases, and embedded docs or Swagger UIs inherit your header story. Microservices behind a gateway should centralize policy at the edge, then allow stricter headers on individual services if needed. Document exceptions (e.g., permissive CSP only on a legacy admin path) instead of inheriting accidental defaults from framework samples. Even before a full CSP program, add Referrer-Policy, X-Content-Type-Options: nosniff, a clear Permissions-Policy, and a framing policy that matches your embed strategy. Re-run this analyzer after every CDN or WAF rule change—those layers love to strip headers you set at origin.
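The checks described in the sections above (HSTS only on HTTPS and with a mature max-age, Report-Only CSP that actually reports somewhere, no bare 'unsafe-inline' script, framing policies that agree, and the baseline nosniff/Referrer-Policy/Permissions-Policy trio), as an added illustration that is not the analyzer's own code. It assumes headers arrive as a plain dict and that the `https` flag tells it which scheme the response came over; the sample headers are constructed.

```python
import re

ONE_MONTH = 30 * 24 * 3600  # seconds; the "small max-age, then increase" floor used above

def csp_directives(policy):
    """Parse a CSP string into {directive: [tokens]}; a repeated directive keeps its first copy, as browsers do."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def analyze_headers(headers, https=True):
    """Return findings for one response's headers (names matched case-insensitively)."""
    h, findings = {k.lower(): v for k, v in headers.items()}, []
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if https and hsts is None:
        findings.append("Strict-Transport-Security missing on an HTTPS response")
    elif not https and hsts is not None:
        findings.append("HSTS sent over plain HTTP, where browsers ignore it")
    elif hsts is not None and int(m[1] if m else 0) < ONE_MONTH:
        findings.append(f"HSTS max-age below one month: {hsts}")
    report_only = h.get("content-security-policy-report-only", "")
    if report_only and not re.search(r"\breport-(uri|to)\b", report_only):
        findings.append("Report-Only CSP has no report-uri/report-to, so violations are never collected")
    d = csp_directives(h.get("content-security-policy", ""))
    script = d.get("script-src", d.get("default-src", []))
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present, so only the bare form is a finding
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("CSP allows 'unsafe-inline' script with no nonce or hash")
    fa, xfo = d.get("frame-ancestors"), h.get("x-frame-options", "").strip().upper()
    if fa is None and not xfo:
        findings.append("No framing policy (frame-ancestors or X-Frame-Options)")
    elif fa is not None and xfo:
        expected = {"'none'": "DENY", "'self'": "SAMEORIGIN"}.get(fa[0]) if len(fa) == 1 else None
        if expected and xfo != expected:
            findings.append(f"frame-ancestors {fa[0]} contradicts X-Frame-Options {xfo}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    findings += [f"{n.title()} missing" for n in ("referrer-policy", "permissions-policy") if n not in h]
    return findings

SAMPLE = {  # constructed example response headers, not captured from any real site
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}
```

Running `analyze_headers(SAMPLE)` reports the short HSTS max-age, the bare 'unsafe-inline', the DENY/SAMEORIGIN contradiction and the two missing baseline headers; pass `https=False` for a response captured over plain HTTP.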
Frequently Asked Questions
- What does Content-Security-Policy (CSP) do?
- CSP tells browsers which origins may execute script, load styles, embed frames, connect with XHR/fetch, and more. A strict CSP shrinks XSS blast radius by blocking inline script unless you carefully use nonces or hashes. Start in report-only mode, collect violations, then enforce.
- Should I use HSTS preload?
- Preload adds your site to browser preload lists, which requires a long max-age, includeSubDomains, and the preload token. It is powerful for downgrade protection but dangerous if you cannot serve HTTPS everywhere the directive covers: HTTP-only subdomains become unreachable. Validate with staging and the [SSL certificate checker](/ssl-certificate) first.
- Is X-Frame-Options still needed?
- Many sites now prefer CSP frame-ancestors, which is more expressive. X-Frame-Options still helps older clients. Using both consistently (without contradictions) is common during transition.
- What is Permissions-Policy (formerly Feature-Policy)?
- It lets you disable powerful browser features (camera, geolocation, payment, sync XHR) per origin or per embedded frame. Useful for reducing attack surface on content-heavy sites and sandboxes.
- Why analyze headers if I already have TLS?
- TLS protects bytes on the wire; headers shape what the browser is allowed to do after decryption. Clickjacking, XSS, MIME sniffing, and referrer leakage are largely HTTP-layer problems. Pair headers with a [TLS scanner](/tls-checker) for defense in depth.
Ready to try it yourself?
Use Security Headers Analyzer - CSP & HSTS for Free