Security Headers Inspector

Instantly check security headers for any website, inspired by securityheaders.com

As of June 2026, Security Headers Inspector has 87 users and a 5.00/5 rating from 3 reviews in the Privacy & Security category.

Users: 87 (no change, 0%)
Rating: 5.00 from 3 reviews (no change, 0%)
Reviews: 3 (no change, 0%)
Version: 1.6.6 (Manifest V3)
90-day change: In the last 90 days this extension had 3 version updates.

History

9 snapshots

Tracking since Apr 16, 2026.

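| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| Apr 16, 2026 | | | | 1.6.3 |
| Apr 22, 2026 | | | | 1.6.3 |
| Apr 26, 2026 | 6 | 5.00 | 3 | 1.6.4 |
| May 4, 2026 | 18 | 5.00 | 3 | 1.6.5 |
| May 9, 2026 | 17 | 5.00 | 3 | 1.6.6 |
| May 14, 2026 | 47 | 5.00 | 3 | 1.6.6 |
| May 21, 2026 | 59 | 5.00 | 3 | 1.6.6 |
| May 27, 2026 | 60 | 5.00 | 3 | 1.6.6 |
| Jun 3, 2026 | 62 | 5.00 | 3 | 1.6.6 |
| Now | 87 | 5.00 | 3 | 1.6.6 |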

Changelog

  • May 4, 2026
    description
    Previous:
    Security Headers Inspector gives every website you visit an instant letter grade (A+ through F) based on its HTTP security headers — using the same weighted scoring methodology as securityheaders.com.
    
    🔒 HOW IT WORKS
    Every page you visit is automatically graded. The badge shows the letter grade in real time. Click the icon for the full report — no external requests, everything runs locally in your browser.
    
    📊 WHAT YOU GET
    • Letter grade (A+ to F) with score percentage
    • Quick status pills showing which headers are present or missing
    • Expandable detail cards for every header with:
      - Current value or "Not set"
      - Color-coded verdict (good / warn / bad)
      - Plain-English explanation of what the header does
      - Why it matters for security
      - Recommended value to set
    • Grade impact badges showing how many points each header contributes
    
    🔍 DEEP ANALYSIS
    • CSP analysis — flags wildcards, data: URIs, http: sources, unsafe-inline/unsafe-eval, missing default-src/object-src/base-uri, and correctly handles strict-dynamic/nonce/hash negation
    • Cookie security — checks every Set-Cookie for Secure, HttpOnly, SameSite, and __Secure-/__Host- prefixes
    • Information disclosure detection — flags headers leaking server versions, frameworks, or debug info
    • Deprecated header detection — identifies headers that are no longer useful (Expect-CT, HPKP, etc.)
    
    🎯 HEADERS EVALUATED FOR GRADING
    • Content-Security-Policy (25 pts)
    • Strict-Transport-Security (25 pts)
    • X-Frame-Options (20 pts)
    • X-Content-Type-Options (20 pts)
    • Referrer-Policy (15 pts)
    • Permissions-Policy (15 pts)
    
    Also reports on Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy, X-XSS-Protection, X-Robots-Tag, and Alt-Svc as informational headers.
    
    🛡️ ADDITIONAL FEATURES
    • Color-coded raw headers — security headers in green, info disclosure in amber, deprecated in purple
    • Cookie values blurred by default for privacy (click to reveal)
    • Copy all raw headers to clipboard with one click
    • Quick-scan buttons to check on SecurityHeaders.com and SSL Labs
    • Right-click context menu for external scans
    • Light and dark theme with persistent preference
    • Works on Chrome and Brave
    
    ⚡ PRIVACY
    All analysis runs locally in your browser. No data is sent to any server. The extension only reads HTTP response headers from pages you visit — it does not modify any page content or inject scripts.
    
    Built for developers, security engineers, and anyone who cares about web security.
    
    Updated:
    Security Headers Inspector gives every website you visit an instant letter grade (A+ through F) based on its HTTP security headers, using the same weighted scoring methodology as securityheaders.com.
    
    🔒 HOW IT WORKS
    Every page you visit is automatically graded. The badge shows the letter grade in real time. Click the icon for the full report. No external requests, everything runs locally in your browser.
    
    📊 WHAT YOU GET
    • Letter grade (A+ to F) with score percentage
    • Quick status pills showing which headers are present or missing
    • Expandable detail cards for every header with:
      - Current value or "Not set"
      - Color-coded verdict (good / warn / bad)
      - Plain-English explanation of what the header does
      - Why it matters for security
      - Recommended value to set
    • Grade impact badges showing how many points each header contributes
    
    🔍 DEEP ANALYSIS
    • CSP analysis: flags wildcards, data: URIs, http: sources, unsafe-inline/unsafe-eval, missing default-src/object-src/base-uri, and correctly handles strict-dynamic/nonce/hash negation
    • Cookie security: checks every Set-Cookie for Secure, HttpOnly, SameSite, and __Secure-/__Host- prefixes
    • Information disclosure detection: flags headers leaking server versions, frameworks, or debug info
    • Deprecated header detection: identifies headers that are no longer useful (Expect-CT, HPKP, etc.)
    
    🎯 HEADERS EVALUATED FOR GRADING
    • Content-Security-Policy (25 pts)
    • Strict-Transport-Security (25 pts)
    • X-Frame-Options (20 pts)
    • X-Content-Type-Options (20 pts)
    • Referrer-Policy (15 pts)
    • Permissions-Policy (15 pts)
    
    Also reports on Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy, X-XSS-Protection, X-Robots-Tag, and Alt-Svc as informational headers.
    
    🛡️ ADDITIONAL FEATURES
    • Color-coded raw headers: security headers in green, info disclosure in amber, deprecated in purple
    • Cookie values blurred by default for privacy (click to reveal)
    • Copy all raw headers to clipboard with one click
    • Quick-scan buttons to check on [SecurityHeaders.com](http://SecurityHeaders.com) and SSL Labs
    • Right-click context menu for external scans
    • Light and dark theme with persistent preference
    • Works on Chrome and Brave
    
    ⚡ PRIVACY
    All analysis runs locally in your browser. No data is sent to any server. The extension only reads HTTP response headers from pages you visit. It does not modify any page content or inject scripts.
    
    Built for developers, security engineers, and anyone who cares about web security.
  • May 4, 2026
    short_description
    Previous: Instantly check security headers for any website — inspired by securityheaders.com
    Updated: Instantly check security headers for any website, inspired by securityheaders.com

Permissions & access

Permissions
alarms, webRequest, tabs, contextMenus, storage
Host access
<all_urls>

About

Security Headers Inspector gives every website you visit an instant letter grade (A+ through F) based on its HTTP security headers, using the same weighted scoring methodology as securityheaders.com.

🔒 HOW IT WORKS
Every page you visit is automatically graded. The badge shows the letter grade in real time. Click the icon for the full report. No external requests, everything runs locally in your browser.

📊 WHAT YOU GET
• Letter grade (A+ to F) with score percentage
• Quick status pills showing which headers are present or missing
• Expandable detail cards for every header with:
  - Current value or "Not set"
  - Color-coded verdict (good / warn / bad)
  - Plain-English explanation of what the header does
  - Why it matters for security
  - Recommended value to set
• Grade impact badges showing how many points each header contributes

🔍 DEEP ANALYSIS
• CSP analysis: flags wildcards, data: URIs, http: sources, unsafe-inline/unsafe-eval, missing default-src/object-src/base-uri, and correctly handles strict-dynamic/nonce/hash negation
• Cookie security: checks every Set-Cookie for Secure, HttpOnly, SameSite, and __Secure-/__Host- prefixes
• Information disclosure detection: flags headers leaking server versions, frameworks, or debug info
• Deprecated header detection: identifies headers that are no longer useful (Expect-CT, HPKP, etc.)

🎯 HEADERS EVALUATED FOR GRADING
• Content-Security-Policy (25 pts)
• Strict-Transport-Security (25 pts)
• X-Frame-Options (20 pts)
• X-Content-Type-Options (20 pts)
• Referrer-Policy (15 pts)
• Permissions-Policy (15 pts)

Also reports on Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy, X-XSS-Protection, X-Robots-Tag, and Alt-Svc as informational headers.

🛡️ ADDITIONAL FEATURES
• Color-coded raw headers: security headers in green, info disclosure in amber, deprecated in purple
• Cookie values blurred by default for privacy (click to reveal)
• Copy all raw headers to clipboard with one click
• Quick-scan buttons to check on [SecurityHeaders.com](http://SecurityHeaders.com) and SSL Labs
• Right-click context menu for external scans
• Light and dark theme with persistent preference
• Works on Chrome and Brave

⚡ PRIVACY
All analysis runs locally in your browser. No data is sent to any server. The extension only reads HTTP response headers from pages you visit. It does not modify any page content or inject scripts.

Built for developers, security engineers, and anyone who cares about web security.

Technical

Version: 1.6.6
Manifest: V3
Size: 43.57KiB
Min Chrome: 88
Languages: 1
Featured: No

Metadata

ID: glhchddldhembfjaicaelbimfbnpfoen
Developer ID: ua568161f6b413179cd4bf091be66129e
Developer Email: [email protected]
Created: Apr 15, 2026
Last Updated (Store): May 23, 2026
Last Scraped: Jun 9, 2026
Website

Data sourced from the Chrome Web Store · last verified Jun 9, 2026.