HTTP Security Headers Generator & Analyzer

Generate a hardened header set, or paste yours and get a graded report.

Choose a strictness level to generate a recommended set of security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy), or paste your current response headers to get a letter grade and prioritised gaps.

Recommended headers

Tighten script-src to your real script origins before shipping. Test with report-only first.

Get these from your browser DevTools → Network → the document request → Response Headers.

Grade
ScoreOut of 100

Runs entirely in your browser — nothing you enter is sent to a server.

Free forever · No signup

Need this for real, on your stack?

These free tools are a taste of how we think. We’re a senior software team across Romania & Pakistan that ships deep technical work — platforms, infra, data and the gnarly bits in between.

Talk to our engineers →

The headers that matter

A strong Content-Security-Policy plus Strict-Transport-Security covers the majority of low-effort, high-impact hardening. The rest are defence-in-depth. Generated CSPs are a sane starting point — tighten script-src to your actual origins.

Verify after deploy

This grades what you paste; always re-check live with a scanner once shipped.

Built by WeWorkWorldwide — a senior software team in Romania & Pakistan that ships deep technical work. Need this turned into something production-grade for your stack? Talk to our engineers →

More developer tools

JWT Decoder & Debugger Decode and inspect a JSON Web Token. Header, payload, claims, expiry — in your browser. Open tool →
Hash Generator (MD5, SHA, HMAC) Hash text or files with MD5, SHA-1/256/384/512 and HMAC variants — live in your browser. Open tool →
Base64, URL & HTML Entity Encoder/Decoder Three encoders, one keyboard shortcut. Includes Base64URL (the JWT one). Open tool →
All developer tools