Security Headers Auditor — User Guide

This tool fetches a URL server-side, inspects its HTTP response headers, grades the security posture, and generates a copy-paste Next.js config to fix what's missing. It's grounded in MDN's HTTP headers reference.

Quick start

  1. Enter a domain or full URL and click Scan headers.
  2. Read the grade (A+ to F) and the per-header breakdown.
  3. Copy the generated next.config.js to apply the recommended headers.

Headers checked

  • Content-Security-Policy (CSP) — restricts which origins scripts, styles, images and other resources may load from; the most effective browser-side mitigation for XSS. Flagged as a warning if it relies on 'unsafe-inline' or 'unsafe-eval', which give up most of the script protection.
  • Strict-Transport-Security (HSTS) — tells browsers that have seen it to use HTTPS only for the host. Wants a max-age of at least 6 months. Add includeSubDomains only once every subdomain serves HTTPS.
  • X-Frame-Options — blocks clickjacking by refusing to be framed by other sites. Satisfied by a CSP frame-ancestors directive too, which supersedes it in browsers that support both.
  • X-Content-Type-Options — nosniff stops MIME sniffing, so scripts and stylesheets served with the wrong Content-Type are rejected instead of guessed at.
  • Referrer-Policy — limits how much of the current URL is sent in the Referer header to other origins.
  • Permissions-Policy — disables browser features the app does not use (camera, microphone, geolocation), including their delegation to embedded third-party frames.
  • Cross-Origin-Opener-Policy (COOP) — isolates your browsing context group, so a cross-origin page opened via window.open cannot keep a reference to yours.
  • Cross-Origin-Embedder-Policy (COEP) — required together with COOP for cross-origin isolation, which is what unlocks SharedArrayBuffer and high-resolution timers. require-corp also blocks cross-origin resources that do not send CORP or CORS headers, so check third-party assets before enabling it.

How the grade works

Each of the eight headers scores pass (1), warn (0.5), or fail (0). The average of those scores, scaled to 0–100, is the overall score, which maps to a letter grade (A+ ≥ 95, A ≥ 85, B ≥ 70, C ≥ 55, D ≥ 40, else F). The summary also shows the pass/warn/fail counts. Because every header carries the same weight, a missing COEP costs exactly as much as a missing CSP, so read the per-header breakdown rather than the grade alone.
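The checks and the scoring rule above, as an added example that is not the auditor's own code: a small grader that takes one response's header set and returns the score, grade and counts. Where the guide states a rule (unsafe-inline/unsafe-eval warns, 6-month HSTS, frame-ancestors satisfies X-Frame-Options, nosniff) the code follows it; the remaining pass/warn thresholds (which Referrer-Policy values count as strict, COOP same-origin-allow-popups as a warning, COEP credentialless as a pass) and the sample headers are assumptions made for the example.

```javascript
// Added example, not the Security Headers Auditor's own code. Function names,
// the non-stated thresholds and SAMPLE_HEADERS are assumptions.

// Assumed reading of "at least 6 months": 182 days, in seconds.
const SIX_MONTHS_SECONDS = 182 * 24 * 3600; // 15724800

// Parse a ";"-separated header value such as HSTS into a lower-cased map
// (flags without a value, e.g. includeSubDomains, map to true).
function parseDirectives(value) {
  const out = {};
  for (const part of value.split(";")) {
    const [k, v] = part.trim().split("=");
    if (k) out[k.toLowerCase()] = v === undefined ? true : v.replace(/"/g, "");
  }
  return out;
}

// Assumed set of Referrer-Policy values that do not leak the path to other origins.
const STRICT_REFERRER = new Set([
  "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
]);

// One check per audited header. Each receives a lower-cased header map and
// returns "pass", "warn" or "fail".
const CHECKS = {
  "content-security-policy": (h) => {
    const csp = h["content-security-policy"];
    if (!csp) return "fail";
    return /'unsafe-(inline|eval)'/.test(csp) ? "warn" : "pass";
  },
  "strict-transport-security": (h) => {
    const hsts = h["strict-transport-security"];
    if (!hsts) return "fail";
    const maxAge = Number.parseInt(parseDirectives(hsts)["max-age"], 10);
    if (Number.isNaN(maxAge)) return "fail";
    return maxAge >= SIX_MONTHS_SECONDS ? "pass" : "warn";
  },
  "x-frame-options": (h) => {
    const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
    if (xfo === "DENY" || xfo === "SAMEORIGIN") return "pass";
    // A CSP frame-ancestors directive covers clickjacking as well.
    return /\bframe-ancestors\b/i.test(h["content-security-policy"] || "") ? "pass" : "fail";
  },
  "x-content-type-options": (h) =>
    (h["x-content-type-options"] || "").trim().toLowerCase() === "nosniff" ? "pass" : "fail",
  "referrer-policy": (h) => {
    // The header may carry a comma-separated fallback list; the last entry wins.
    const rp = (h["referrer-policy"] || "").split(",").pop().trim().toLowerCase();
    if (!rp) return "fail";
    return STRICT_REFERRER.has(rp) ? "pass" : "warn";
  },
  "permissions-policy": (h) => (h["permissions-policy"] ? "pass" : "fail"),
  "cross-origin-opener-policy": (h) => {
    const coop = (h["cross-origin-opener-policy"] || "").trim().toLowerCase();
    if (coop === "same-origin") return "pass";
    return coop === "same-origin-allow-popups" ? "warn" : "fail";
  },
  "cross-origin-embedder-policy": (h) => {
    const coep = (h["cross-origin-embedder-policy"] || "").trim().toLowerCase();
    return coep === "require-corp" || coep === "credentialless" ? "pass" : "fail";
  },
};

const POINTS = { pass: 1, warn: 0.5, fail: 0 };

// Letter bands exactly as the guide states them.
function letterGrade(score) {
  if (score >= 95) return "A+";
  if (score >= 85) return "A";
  if (score >= 70) return "B";
  if (score >= 55) return "C";
  if (score >= 40) return "D";
  return "F";
}

// Run every check, average the points and scale to 0-100.
function gradeHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = v;
  const results = {};
  const counts = { pass: 0, warn: 0, fail: 0 };
  let total = 0;
  for (const [name, check] of Object.entries(CHECKS)) {
    const r = check(h);
    results[name] = r;
    counts[r] += 1;
    total += POINTS[r];
  }
  const score = Math.round((total / Object.keys(CHECKS).length) * 100);
  return { score, grade: letterGrade(score), counts, results };
}

// Constructed sample: a partially hardened response (CSP with unsafe-inline,
// 30-day HSTS, no framing or isolation headers). Scores 38 => F.
const SAMPLE_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=2592000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

console.log(JSON.stringify(gradeHeaders(SAMPLE_HEADERS), null, 2));
```

The sample illustrates the equal-weight rule: two warnings and two passes out of eight headers give 3/8 of the points, which rounds to 38 and lands in F even though the CSP and HSTS are merely weak rather than absent.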

Applying the fix

The next.config.js block contains the recommended value for every header that didn't fully pass (or the full baseline set if everything already passes). Paste it into your project, adjust the CSP to your app's real sources, and redeploy.

Tune the CSP carefully: a policy that is too strict blocks your own scripts, styles, or images. If you are unsure, ship it first as Content-Security-Policy-Report-Only, which logs violations in the browser console (and to a reporting endpoint if you configure one) without enforcing anything, then switch to the enforcing header once the reports are clean.
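The fix described above, as an added example rather than the auditor's generated output: a next.config.js that applies the full baseline to every route through the Next.js headers() hook, with an environment switch (CSP_REPORT_ONLY, an assumed name) that ships the CSP as report-only until you have cleaned up the violations. The CSP source list is a placeholder and must be replaced with the origins your app actually loads from.

```javascript
// Added example, not the tool's generated config. CSP_REPORT_ONLY and the
// placeholder CSP sources are assumptions; replace them with your app's values.

// Assumed: set CSP_REPORT_ONLY=1 while gathering reports, unset it to enforce.
const CSP_REPORT_ONLY =
  typeof process !== "undefined" && process.env.CSP_REPORT_ONLY === "1";

// Placeholder policy: adjust script-src/style-src/img-src/connect-src to the
// origins your pages really use. frame-ancestors 'none' also covers clickjacking.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self'",
  "img-src 'self' data:",
  "connect-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
].join("; ");

// Build the header list; reportOnly picks the report-only or enforcing CSP header.
function securityHeaders(reportOnly) {
  return [
    {
      key: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
      value: CSP,
    },
    // One year; add "; preload" only if you intend to submit to the preload list.
    { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
    { key: "Cross-Origin-Opener-Policy", value: "same-origin" },
    // require-corp blocks cross-origin assets without CORP/CORS headers; use
    // "credentialless" or drop it if you embed third-party resources you cannot change.
    { key: "Cross-Origin-Embedder-Policy", value: "require-corp" },
  ];
}

const nextConfig = {
  async headers() {
    // "/:path*" matches every route, including the root.
    return [{ source: "/:path*", headers: securityHeaders(CSP_REPORT_ONLY) }];
  },
};

// CommonJS export expected by Next.js for next.config.js.
if (typeof module !== "undefined") module.exports = nextConfig;
```

Keeping the header list in a plain function makes the two deployment modes differ by a single key, so the switch from report-only to enforcing cannot accidentally change any other value, and the list can be unit-tested without starting Next.js.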

Caveats

  • Some sites send different headers to bots than to browsers, or vary them by User-Agent, cookie or Accept; results reflect what the server returned to this tool's request, which may differ from what a real browser session receives.
  • A CDN or WAF (Cloudflare, Akamai, …) may add or strip headers at the edge that you won't see in your app config.
  • The tool reads the response of the URL you enter — check both your homepage and a representative deep page.