HTTPHeaderCheck
HTTPHeaderCheck checks the HTTP security headers of a website and verifies them against OWASP recommendations. It checks for the presence of important headers such as HSTS (HTTP Strict Transport Security) and CSP (Content Security Policy). The tool also validates additional security headers such as X-Frame-Options and X-XSS-Protection.
Result
| URL | | |
|---|---|---|
| Executed | | |
| Strict-Transport-Security (HSTS) | | The Strict-Transport-Security (HSTS) header protects the website against protocol downgrade attacks. It informs the client to use only secure HTTPS connections. |
| X-Frame-Options | | The X-Frame-Options header protects web applications against clickjacking attacks. It tells the browser whether the content may be displayed within frames. |
| X-Content-Type-Options | | The X-Content-Type-Options header prevents browsers from interpreting files as a MIME type other than the one declared in the Content-Type header. |
| Content-Security-Policy | | The Content-Security-Policy (CSP) header is a toolset for improving the security of websites. |
| X-Permitted-Cross-Domain-Policies | | The X-Permitted-Cross-Domain-Policies header provides a way to configure an XML policy file that defines permissions for data access across domains. |
| Referrer-Policy | | The Referrer-Policy header defines which referrer information should be included in the Referer request header. |
| Cross-Origin-Resource-Policy | | The Cross-Origin-Resource-Policy (CORP) header lets the resource owner define whether other sites are allowed to access its resources. |
| Cross-Origin-Embedder-Policy | | The Cross-Origin-Embedder-Policy (COEP) header lets the loader of resources define whether resources from other sites are allowed. |
| Cross-Origin-Opener-Policy | | The Cross-Origin-Opener-Policy (COOP) header defines whether a top-level document may be loaded in another browsing context. |
| Cache-Control | | The Cache-Control header instructs the browser how to handle caching of requests and responses. It can be used to ensure that no sensitive data is cached on the client. |
| Feature-Policy | | This header is deprecated. |
| Expect-CT | | This header is deprecated. |
| Public-Key-Pins | | This header is deprecated. |
| X-XSS-Protection | | This header is deprecated. |
| Pragma | | This header is deprecated. |
Legend
- Recommended setting
- Acceptable configuration
- Header ignored
- Header not found
- Investigation recommended
- Header is deprecated
- Warning
- Syntax error
- Insecure configuration
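To show how the header descriptions in the table above turn into the verdicts of the legend, here is an added example of a small offline checker. It is not binsec's code and does not reproduce the tool's rule set: the response headers it inspects are a constructed sample, and the thresholds and keyword lists (one-year HSTS `max-age`, which CSP sources are risky, which Referrer-Policy values are acceptable, and so on) are this example's own assumptions modelled on common OWASP guidance.

```python
import re

# Verdict labels, mirroring the legend of the checker's result table.
RECOMMENDED = "Recommended setting"
ACCEPTABLE = "Acceptable configuration"
NOT_FOUND = "Header not found"
INVESTIGATE = "Investigation recommended"
DEPRECATED = "Header is deprecated"
WARNING = "Warning"
SYNTAX = "Syntax error"
INSECURE = "Insecure configuration"

# Headers the result table marks as deprecated: presence is flagged, value ignored.
DEPRECATED_HEADERS = ("Feature-Policy", "Expect-CT", "Public-Key-Pins",
                      "X-XSS-Protection", "Pragma")

ONE_YEAR = 31536000  # assumed minimum acceptable HSTS max-age, in seconds


def check_hsts(value):
    """HSTS needs a max-age; a long one plus includeSubDomains is the goal."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return SYNTAX
    if int(m.group(1)) < ONE_YEAR:
        return WARNING
    return RECOMMENDED if "includesubdomains" in value.lower() else ACCEPTABLE


def check_xfo(value):
    """X-Frame-Options: DENY is strictest, SAMEORIGIN still blocks foreign framing."""
    v = value.strip().upper()
    if v == "DENY":
        return RECOMMENDED
    if v == "SAMEORIGIN":
        return ACCEPTABLE
    if v.startswith("ALLOW-FROM"):
        return WARNING  # obsolete directive that current browsers ignore
    return SYNTAX


def check_csp(value):
    """CSP: flag script sources that defeat it; reward a default-src fallback."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if not directives:
        return SYNTAX
    sources = directives.get("script-src", directives.get("default-src", []))
    risky = {"unsafe-inline", "unsafe-eval", "*"}  # assumed set of weak sources
    if any(s.strip("'").lower() in risky for s in sources):
        return INVESTIGATE
    return RECOMMENDED if "default-src" in directives else WARNING


def check_enum(recommended, acceptable=(), warning=(), insecure=()):
    """Build a checker for headers whose value is a single keyword.
    A comma-separated fallback list (as Referrer-Policy allows) is judged by
    its last entry, the one a browser that understands it will apply."""
    def check(value):
        v = value.split(",")[-1].strip().lower()
        if v in recommended:
            return RECOMMENDED
        if v in acceptable:
            return ACCEPTABLE
        if v in warning:
            return WARNING
        if v in insecure:
            return INSECURE
        return SYNTAX
    return check


def check_cache_control(value):
    """Cache-Control: only no-store guarantees nothing sensitive is kept."""
    tokens = {t.strip().lower() for t in value.split(",")}
    if "no-store" in tokens:
        return RECOMMENDED
    if "no-cache" in tokens or "private" in tokens:
        return ACCEPTABLE
    return INVESTIGATE


# One checker per header the result table reports on (keyword sets are assumptions).
CHECKS = {
    "Strict-Transport-Security": check_hsts,
    "X-Frame-Options": check_xfo,
    "X-Content-Type-Options": check_enum({"nosniff"}),
    "Content-Security-Policy": check_csp,
    "X-Permitted-Cross-Domain-Policies": check_enum({"none"}, {"master-only"}, insecure={"all"}),
    "Referrer-Policy": check_enum(
        {"no-referrer", "strict-origin-when-cross-origin"},
        {"same-origin", "strict-origin", "origin", "origin-when-cross-origin"},
        {"no-referrer-when-downgrade"}, {"unsafe-url"}),
    "Cross-Origin-Resource-Policy": check_enum({"same-origin"}, {"same-site"}, {"cross-origin"}),
    "Cross-Origin-Embedder-Policy": check_enum({"require-corp"}, {"credentialless"}, {"unsafe-none"}),
    "Cross-Origin-Opener-Policy": check_enum({"same-origin"}, {"same-origin-allow-popups"}, {"unsafe-none"}),
    "Cache-Control": check_cache_control,
}


def check_headers(headers):
    """Map each header to a legend verdict. `headers` is a name -> value mapping
    of response headers; lookup is case-insensitive, as header names are."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, check in CHECKS.items():
        value = lower.get(name.lower())
        report[name] = NOT_FOUND if value is None else check(value)
    for name in DEPRECATED_HEADERS:  # only reported when the server still sends them
        if name.lower() in lower:
            report[name] = DEPRECATED
    return report


# Constructed sample response, not captured from any real site.
SAMPLE_RESPONSE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Cache-Control": "public, max-age=3600",
    "Cross-Origin-Opener-Policy": "same-origin",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for header, verdict in check_headers(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{header:36} {verdict}")
```

Run as a script, it prints one verdict per header in the order of the result table; the sample deliberately mixes a strong HSTS value with a CSP that allows inline scripts, a leaky Referrer-Policy and a deprecated X-XSS-Protection header, so each branch of the legend shows up. To inspect a live site, replace `SAMPLE_RESPONSE_HEADERS` with the headers of an HTTPS response you have fetched.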
On binsec.tools you will find free online tools for pentesting, which are also used within the binsec group conducting real penetration tests. The free pentest tools are primarily used to collect information and enrich these with other data. The pentest tools of binsec.tools do not carry out active attacks against target systems themselves.
binsec – Experts in Penetration Testing
With over 10 years of experience in penetration testing, binsec GmbH is a leading IT security company. Our team of certified experts identifies vulnerabilities in IT systems, web applications, and mobile apps – ensuring maximum protection against cyber threats.