HTTP headers tool
Specialists bookmark header catalogs—busy builders want confirmation their CSP, HSTS, anti-framing, and MIME protections survived deployment without digging through curl transcripts.
Paste a URL for structured inspection of TLS behavior plus CSP, HSTS, Permissions-Policy, referrer controls, MIME sniffing defenses, and framing guidance whenever present—we combine those signals into Scorifya’s overall score rather than isolated header trivia.
This page is written for people searching for http security headers checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — clickjacking protections missing
Baseline HTTPS holds while framing defenses lag—a frequent gap after embedding partner widgets.
Anti-framing protections absent
Neither Content-Security-Policy frame-ancestors nor legacy framing headers appeared—evaluate exposure before embedding sensitive flows.
Technical snapshot excerpt
strict-transport-security may already exist—pair it with framing directives once iframe usage is mapped.
Example B — mature HSTS configuration
Transport security headers demonstrate commitment—remaining deductions typically tie to CSP granularity.
HSTS tuned with preload intent
Long max-age, includeSubDomains, and preload tokens indicate readiness—ensure every subdomain terminates HTTPS before requesting preload listing.
Permissions-Policy optional tightening
Some powerful APIs remain broadly enabled—narrow directives once product teams confirm unused sensors.
Mirror staging headers into production configs
Infrastructure-as-code drift causes regressions—keep Scorifya snapshots beside deployment manifests.
Combine CSP with Permissions-Policy intentionally
Both layers shrink browser capability exposure—coordinate owners so policies reinforce rather than contradict.
Document iframe dependencies before tightening framing
Marketing embeds fail loudly when frame-ancestors omit partner origins—inventory allowlists collaboratively.
Automate reruns post CDN rollout
Edge updates propagate asynchronously—schedule rescans after caches invalidate globally.
Educate reviewers with methodology links
Security champions can cite How Scorifya works when debating penalty severity versus risk appetite.
For weights and penalties behind each category, see How Scorifya works.
HSTS, CSP and framing directives, MIME sniffing defenses, referrer policies, Permissions-Policy where sent, plus baseline hygiene cues documented on How Scorifya works.
HTTP headers are case-insensitive names—we normalize comparisons before scoring regardless of casing emitted upstream.
We evaluate effective outcomes per methodology—duplicate declarations usually merit cleanup even when benign.
Yes if the URL is public HTTPS—remember browsers fetch differently than APIs consumed server-to-server.
We highlight missing prerequisites—official preload submissions still require manual verification against registry rules.
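As an added illustration (not Scorifya's own code), the Python below applies the checks behind Example A and Example B together with the casing and duplicate-declaration notes above: header names are lower-cased before lookup, every duplicate value is retained so it can be reported, the absence of both a CSP frame-ancestors directive and the legacy X-Frame-Options header is the Example A gap, and an HSTS value is judged preload-ready only with a one-year max-age, includeSubDomains and preload (the floor the preload submission form enforces). The sample headers and the partner.example origin are constructed for the example.

```python
# Constructed sample response headers: mixed casing and a duplicate HSTS declaration.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("strict-transport-security", "max-age=300"),
    ("content-security-policy", "default-src 'self'; frame-ancestors 'self' https://partner.example"),
]
PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age the HSTS preload list accepts
def group_headers(headers):
    """Lower-case header names so lookups ignore casing, keeping every duplicate value."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name.strip().lower(), []).append(value.strip())
    return grouped
def parse_hsts(value):
    """Split an HSTS value into directives; None if max-age is missing or not an integer."""
    directives = {}
    for token in value.split(";"):
        key, _, val = token.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return {"max_age": max_age, "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}
def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if undeclared."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None
def assess(headers):
    """Return finding strings in the spirit of the report snapshots above."""
    h = group_headers(headers)
    findings = []
    framed = [csp_frame_ancestors(v) for v in h.get("content-security-policy", [])]
    if not any(f is not None for f in framed) and "x-frame-options" not in h:
        findings.append("anti-framing protections absent")
    hsts_values = h.get("strict-transport-security", [])
    if len(hsts_values) > 1:  # RFC 6797: browsers process only the first STS header field
        findings.append("duplicate strict-transport-security declarations")
    hsts = parse_hsts(hsts_values[0]) if hsts_values else None
    if hsts is None:
        findings.append("hsts missing or invalid")
    elif not (hsts["max_age"] >= PRELOAD_MIN_AGE and hsts["include_subdomains"] and hsts["preload"]):
        findings.append("hsts not preload-ready")
    return findings
```

Run `assess(SAMPLE_HEADERS)` to see the duplicate HSTS finding while framing and preload readiness pass; feed it the header list from any live response to reproduce the same checks.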
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.