Security Headers Inspector
3 ratings
Overview
Instantly check security headers for any website — inspired by securityheaders.com
Security Headers Inspector gives every website you visit an instant letter grade (A+ through F) based on its HTTP security headers — using the same weighted scoring methodology as securityheaders.com.

🔒 HOW IT WORKS
Every page you visit is automatically graded. The badge shows the letter grade in real time. Click the icon for the full report — no external requests, everything runs locally in your browser.

📊 WHAT YOU GET
• Letter grade (A+ to F) with score percentage
• Quick status pills showing which headers are present or missing
• Expandable detail cards for every header with:
  - Current value or "Not set"
  - Color-coded verdict (good / warn / bad)
  - Plain-English explanation of what the header does
  - Why it matters for security
  - Recommended value to set
• Grade impact badges showing how many points each header contributes

🔍 DEEP ANALYSIS
• CSP analysis — flags wildcards, data: URIs, http: sources, unsafe-inline/unsafe-eval, missing default-src/object-src/base-uri, and correctly handles strict-dynamic/nonce/hash negation
• Cookie security — checks every Set-Cookie for Secure, HttpOnly, SameSite, and __Secure-/__Host- prefixes
• Information disclosure detection — flags headers leaking server versions, frameworks, or debug info
• Deprecated header detection — identifies headers that are no longer useful (Expect-CT, HPKP, etc.)

🎯 HEADERS EVALUATED FOR GRADING
• Content-Security-Policy (25 pts)
• Strict-Transport-Security (25 pts)
• X-Frame-Options (20 pts)
• X-Content-Type-Options (20 pts)
• Referrer-Policy (15 pts)
• Permissions-Policy (15 pts)

Also reports on Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy, X-XSS-Protection, X-Robots-Tag, and Alt-Svc as informational headers.
🛡️ ADDITIONAL FEATURES
• Color-coded raw headers — security headers in green, info disclosure in amber, deprecated in purple
• Cookie values blurred by default for privacy (click to reveal)
• Copy all raw headers to clipboard with one click
• Quick-scan buttons to check on SecurityHeaders.com and SSL Labs
• Right-click context menu for external scans
• Light and dark theme with persistent preference
• Works on Chrome and Brave

⚡ PRIVACY
All analysis runs locally in your browser. No data is sent to any server. The extension only reads HTTP response headers from pages you visit — it does not modify any page content or inject scripts.

Built for developers, security engineers, and anyone who cares about web security.
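The CSP checks listed under DEEP ANALYSIS, including the strict-dynamic/nonce/hash negation, can be sketched as follows. This is an added example, not the extension's own code; the function names, finding strings and sample policies are assumptions, and it is narrowed to script sources.

```javascript
// Added example (hypothetical names); reproduces the checks listed above, not the extension's code.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    // Sources are lowercased for keyword matching only (nonce/hash values are case-sensitive).
    if (!directives.has(key)) directives.set(key, sources.map(s => s.toLowerCase()));
  }
  return directives;
}

function analyzeCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  for (const name of ['default-src', 'object-src', 'base-uri']) {
    if (!d.has(name)) findings.push(`missing ${name}`);
  }
  // script-src falls back to default-src when absent.
  const scriptSrc = d.get('script-src') ?? d.get('default-src') ?? [];
  const hasNonceOrHash = scriptSrc.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const strictDynamic = scriptSrc.includes("'strict-dynamic'");
  for (const src of scriptSrc) {
    if (src === "'unsafe-eval'") {
      findings.push("script: 'unsafe-eval'");
    } else if (src === "'unsafe-inline'") {
      // Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is present.
      if (!hasNonceOrHash && !strictDynamic) findings.push("script: 'unsafe-inline'");
    } else if (!strictDynamic) {
      // 'strict-dynamic' makes browsers ignore host and scheme sources, so flag them only without it.
      if (src.includes('*')) findings.push(`script: wildcard ${src}`);
      else if (src === 'data:') findings.push('script: data: URI');
      else if (src === 'http:' || src.startsWith('http://')) findings.push(`script: insecure ${src}`);
    }
  }
  return findings;
}

// Constructed sample policies.
const WEAK = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://cdn.example *.example.org data:";
const STRICT = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https: http:; " +
  "object-src 'none'; base-uri 'none'";
console.log(analyzeCsp(WEAK));
console.log(analyzeCsp(STRICT)); // fallback sources next to 'strict-dynamic' are not flagged
```

The second policy carries 'unsafe-inline', https: and http: only as fallbacks for older browsers, which is why an analyzer that ignores the negation rules would report false positives on it.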
5 out of 5 (3 ratings)
Details
- Version: 1.6.4
- Updated: April 17, 2026
- Offered by: Diogo
- Size: 43.51 KiB
- Languages: English
- Developer email: diogo@carvalhofer.lu
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes
Support
For help with questions, suggestions, or problems, visit the developer's support site