Have you ever wanted to know whether a site issues an HTTP Strict Transport Security header? What about whether it uses Content Security Policy, HTTP Public Key Pinning or perhaps the X-Frame-Options header? When these questions came up, I would invariably find myself looking in the Chrome Developer Tools or sitting at a command line with cURL. Whilst both methods retrieve the raw headers, the result still has to be analysed by hand, and neither presents the information in a user-friendly format. This is where SecurityHeaders.io steps in. The online scanning service is completely free.
What checks does it run?
- Detects the web server type and version
- Checks for the presence and values of headers such as: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Public-Key-Pins, Alternate-Protocol, X-Page-Speed
- Detects the server IP address
These response headers instruct the browser to enforce protections the server cannot apply on its own: HSTS keeps returning visitors on HTTPS, CSP restricts where scripts and other content may be loaded from, X-Frame-Options blocks clickjacking, and X-Content-Type-Options stops MIME sniffing. It is important that sites deploy them. By providing an easy way to assess them, together with guidance on how to deploy any that are missing, the service can drive up the use of security headers across the web.
How do you use it?
To use SecurityHeaders.io you just need to visit the site, enter your URL in the field and start the scan. When the scan has finished, you will see the results and a rating for your website from F to A. It is also possible to keep the results private rather than publicly listed: just tick the "Hide results" check-box.
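As an added example, and not code from this article or from SecurityHeaders.io itself, the following Python script performs the same kind of check offline for the header list and the F-to-A rating described above: it parses a constructed HTTP response head (embedded below, not captured from any real site), tests each protective header the article lists, and maps the number of passing checks to a letter. The pass/fail rules and the grading thresholds are my own approximation, not the service's actual algorithm. Two caveats for readers today: Public-Key-Pins has since been removed from all major browsers and X-XSS-Protection is deprecated, so the script only records that they are present; Alternate-Protocol and X-Page-Speed are informational headers rather than protections and are left out of the grade. The fetch_headers() helper is there for pointing the script at a live site; the demo itself makes no network calls.

```python
"""Offline approximation of a SecurityHeaders.io-style scan (added example, not the service's code)."""
import http.client
import re
import urllib.parse
from typing import Callable, Dict, List, Tuple

Result = Tuple[bool, str]

# Roughly six months in seconds; a shorter HSTS max-age gives little lasting protection.
SIX_MONTHS = 15552000


def check_hsts(value: str) -> Result:
    """HSTS only helps if max-age is long enough to still be in force on the next visit."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return False, "missing max-age directive"
    age = int(m.group(1))
    if age < SIX_MONTHS:
        return False, f"max-age={age} is shorter than six months"
    return True, "ok"


def check_csp(value: str) -> Result:
    """A CSP whose script source allows inline scripts or any origin defeats its own purpose."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return False, "no script-src or default-src directive"
    nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        return False, "script-src allows 'unsafe-inline' without a nonce or hash"
    if "*" in script:
        return False, "script-src allows scripts from any origin (*)"
    return True, "ok"


def check_frame_options(value: str) -> Result:
    """Only DENY and SAMEORIGIN are honoured; ALLOW-FROM is ignored by modern browsers."""
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return True, "ok"
    return False, f"unexpected value {value.strip()!r}"


def check_content_type_options(value: str) -> Result:
    if value.strip().lower() == "nosniff":
        return True, "ok"
    return False, "value must be 'nosniff'"


def check_presence_only(value: str) -> Result:
    """For headers the article lists that browsers have since deprecated or removed."""
    return True, "present (deprecated header; presence only)"


# The headers from the article's list that actually protect users; Alternate-Protocol and
# X-Page-Speed are informational and are not graded.
CHECKS: Dict[str, Callable[[str], Result]] = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_frame_options,
    "x-content-type-options": check_content_type_options,
    "x-xss-protection": check_presence_only,  # deprecated; modern browsers ignore it
    "public-key-pins": check_presence_only,   # HPKP has been removed from browsers
}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP response head (status line plus header lines) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def analyze(headers: Dict[str, str]) -> Dict[str, Result]:
    """Run every check; a header that is not set counts as a failure."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        name: check(lowered[name]) if name in lowered else (False, "header not set")
        for name, check in CHECKS.items()
    }


def grade(results: Dict[str, Result]) -> str:
    """Map passing checks to a letter from F to A (my own thresholds, not the service's)."""
    passed = sum(1 for ok, _ in results.values() if ok)
    return {6: "A", 5: "A", 4: "B", 3: "C", 2: "D"}.get(passed, "F")


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live response headers with a HEAD request (what `curl -I` sends); unused offline."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    conn.request("HEAD", parts.path or "/")
    return dict(conn.getresponse().getheaders())


# Constructed sample response head (not captured from any real site).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    results = analyze(parse_raw_headers(SAMPLE_RESPONSE))
    for name, (ok, reason) in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
    print("grade:", grade(results))  # C: three pass, CSP fails on 'unsafe-inline', two not set
```

Run it as-is to see the sample graded; to scan a live site, replace parse_raw_headers(SAMPLE_RESPONSE) with fetch_headers("https://example.org"). The CSP check is deliberately strict about 'unsafe-inline' because a policy that permits inline scripts without a nonce or hash offers no protection against injected script, which is the attack CSP exists to stop.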
Thanks for the nice write-up.