Audit tool

Fetch real headers and inspect CSP coverage quickly.

Browsers do not expose arbitrary response headers cross-origin, so this page can either fetch them through a proxy or analyze headers you paste from DevTools or curl -I. Both paths feed the same analysis flow.

Choose an input source

If you omit the scheme, the tool will prepend https://.
If one proxy fails, switch providers and try again.


Why proxy fetching exists here

This page is designed for real-world troubleshooting, where you often need to inspect a live site quickly.

Browsers block direct reads

Normal frontend code cannot read arbitrary cross-origin response headers, so a proxy is needed for URL-based checks.

Same audit logic either way

Whether the headers are fetched remotely or pasted manually, the same header assessment logic is used.
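The sketch below is an added example, not this tool's own code. It shows how pasted curl -I text and proxy-fetched name/value pairs can be normalized into one structure and passed to a single CSP check. The function names, the sample headers and the specific checks are assumptions made for illustration.

```javascript
// Constructed sample of pasted `curl -I` output (not captured from a real site).
const PASTED = `HTTP/2 200
content-type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
content-security-policy-report-only: object-src 'none'; report-uri /csp
`;

// Normalize either input source into Map(lowercase name -> [values]).
// Accepts pasted header text or an iterable of [name, value] pairs from a proxy.
function toHeaderMap(input) {
  const pairs = typeof input === "string"
    ? input.split(/\r?\n/)
        .map((l) => l.trim())
        .filter((l) => l.indexOf(":") > 0 && !/^HTTP\/[\d.]+\s/i.test(l)) // drop blanks, status line
        .map((l) => [l.slice(0, l.indexOf(":")), l.slice(l.indexOf(":") + 1)])
    : [...input];
  const headers = new Map();
  for (const [name, value] of pairs) {
    const key = name.trim().toLowerCase();
    headers.set(key, [...(headers.get(key) || []), value.trim()]); // keep repeated headers
  }
  return headers;
}

// Split one policy string into Map(directive -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A directive repeated inside one policy is ignored by browsers; keep the first.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Hypothetical coverage summary; the checks are chosen for this example only.
function assessCsp(headers) {
  const enforced = (headers.get("content-security-policy") || []).map(parsePolicy);
  const reportOnly = (headers.get("content-security-policy-report-only") || []).map(parsePolicy);
  // script-src falls back to default-src when absent; nonce/hash overrides are not evaluated.
  const scriptSources = enforced.flatMap((p) => p.get("script-src") || p.get("default-src") || []);
  return {
    enforced: enforced.length > 0,
    reportOnlyOnly: enforced.length === 0 && reportOnly.length > 0,
    // default-src itself, plus directives that do not fall back to default-src.
    notDeclared: ["default-src", "base-uri", "form-action", "frame-ancestors"]
      .filter((d) => !enforced.some((p) => p.has(d))),
    unsafeInlineListed: scriptSources.includes("'unsafe-inline'"),
  };
}
```

Calling assessCsp(toHeaderMap(PASTED)) reports an enforced policy that lists 'unsafe-inline' for scripts and declares none of base-uri, form-action or frame-ancestors.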

Fallback stays simple

If the proxy path fails because of rate limits or WAF rules, switch to paste mode and continue the analysis.