HTTP security headers
Inspect CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more. Scored and graded against OWASP recommendations.
Fetches the domain over HTTPS server-side and inspects the response headers.
Server-side check: the request originates from our server. No data is stored. Headers are checked against OWASP recommended values. A lower score does not mean the site is insecure, only that defensive headers are absent.
Guide
HTTP Security Headers: what it does and how to use it
What this security tool does
This checker reviews important public HTTP security headers. Headers such as CSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy help browsers enforce safer behavior for users.
How it works
Enter a public domain and SAVR fetches response headers over HTTPS. It scores selected headers, explains why each one matters, and provides fix examples. Redirects and private targets are blocked for safety.
Examples
- Check if HSTS is enabled.
- Find missing clickjacking protection.
- Review CSP quality before launch.
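The three checks listed above (HSTS, clickjacking protection, CSP quality), sketched as a small grader. This is an added example, not SAVR's scoring code; the point weights, the one-year HSTS threshold, the function names and the sample headers are assumptions made for illustration.

```python
import re

# Constructed sample headers for illustration (not from a real site).
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
STRONG = {
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; the first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # tokens are lowercased only so keywords can be matched
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def grade(headers, min_hsts_age=31536000):
    """Return (score, findings). Weights and threshold are assumptions."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []
    # HSTS: header present with a max-age of at least min_hsts_age seconds.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("strict-transport-security", ""), re.I)
    if not (m and int(m.group(1)) >= min_hsts_age):
        findings.append((30, "hsts: missing or max-age too short"))
    # CSP quality: scripts are governed by script-src, falling back to default-src.
    src = csp.get("script-src", csp.get("default-src"))
    hashed = src is not None and any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)
    if src is None or "*" in src or ("'unsafe-inline'" in src and not hashed):
        findings.append((30, "csp: missing, wildcard, or 'unsafe-inline' scripts"))
    # Clickjacking: frame-ancestors (no default-src fallback) or X-Frame-Options.
    fa = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    if not ((fa is not None and "*" not in fa) or xfo in ("DENY", "SAMEORIGIN")):
        findings.append((20, "framing: no frame-ancestors or X-Frame-Options"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append((10, "x-content-type-options: not nosniff"))
    if "referrer-policy" not in h:
        findings.append((10, "referrer-policy: missing"))
    return 100 - sum(w for w, _ in findings), [msg for _, msg in findings]
```

Calling `grade(WEAK)` flags the short HSTS lifetime, the inline-script allowance, the missing framing control and the missing Referrer-Policy, while `grade(STRONG)` returns no findings.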
Security considerations
A low score does not prove a site is compromised, and a high score does not guarantee security. Headers are one layer of defense.
FAQ
Which header matters most?
It depends on the site, but CSP and HSTS are often high-impact.
Can headers break a site?
Yes. Test strict CSP and permissions policies carefully before production rollout.
Does SAVR store results?
No. The check returns current public header data.