Yoryantra
← Back to Tools

Security Headers Scanner

Review security-related response headers that the browser is allowed to expose for a URL. CORS rules can limit or hide results.

Security Header Results

Browser-visible security header results will appear here after scanning a URL.

Browser Visibility Limitation

A browser cannot reliably inspect every response header on another origin. CORS and Access-Control-Expose-Headers decide which headers JavaScript can read. Therefore, “Not visible” does not prove that a header is missing. Use a server-side scanner or your browser network panel for a complete check.

Reviewing Security-Related Response Headers

Security-related HTTP headers tell supporting browsers how to handle framing, transport, content loading, referrer data, browser features, and selected cross-origin behaviour. Their usefulness depends on the page, application, and exact header value.

This scanner performs a browser request and reports only the headers exposed to JavaScript. It is useful for a quick first look, but it is not proof that a hidden header is absent or that a visible policy is correct.

How to Use This Scanner

  1. Enter an HTTP or HTTPS URL.
  2. Run the browser-based scan.
  3. Review visible values and the final response URL.
  4. Treat “Not visible” as an inconclusive result, not as “Missing.”
  5. Confirm the complete response with server-side tools or browser developer tools.

What the Results Can and Cannot Confirm

  • A visible value confirms that this browser request could read that header.
  • A hidden value may still exist on the response.
  • Header presence does not prove that the value is secure or suitable.
  • Some headers are situational and should not be added to every site.
  • This scan does not test application logic, authentication, dependencies, or infrastructure.

Frequently Asked Questions

Why does a header show as not visible?

The browser may hide it because the target response does not expose that header through CORS. Not visible is different from missing.

Does every website need every listed header?

No. CSP, HSTS, framing controls, permissions rules, and cross-origin isolation headers have different purposes and deployment requirements.

Does finding a CSP header mean the policy is safe?

No. A CSP can be present but too broad, broken, or unsuitable for the page. Review the directives and test the application.

Is this a complete website security audit?

No. It is a limited browser-visible header review. A security audit also covers application behaviour, access control, dependencies, infrastructure, monitoring, and testing.