Crawlsonar

HTTP Header Checker

Inspect a URL’s security headers, redirect chain, cookie flags and HTTPS setup — with issues and fixes for the ones that matter.

Headers this tool checks

  • Strict-Transport-Security — forces HTTPS, stops SSL-stripping.
  • Content-Security-Policy — the main defence against XSS and injection.
  • X-Frame-Options / frame-ancestors — clickjacking protection.
  • X-Content-Type-Options: nosniff — stops MIME sniffing.
  • Referrer-Policy, Permissions-Policy — privacy and capability control.
  • Cross-Origin-*-Policy — isolation headers.
  • Cookie flags — Secure, HttpOnly, SameSite on every Set-Cookie.

Common problems and fixes

HTTP doesn’t redirect to HTTPS

Add a 301 from every HTTP URL to its HTTPS equivalent, then add HSTS so browsers never try HTTP again.

No Content-Security-Policy

Start with Content-Security-Policy-Report-Only to see what a policy would block, tune it, then enforce.

Cookies without Secure/HttpOnly/SameSite

Session and auth cookies should always set all three to resist theft, XSS reads and CSRF.

Related tools

Last reviewed: 2026-07-09.

Frequently asked questions

Which security headers should I have?

At minimum HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and a Content-Security-Policy. This tool flags which are missing.

Does it follow redirects?

Yes — it traces the full redirect chain and inspects the headers and cookie flags on the final response.