A web application that analyzes HTTP security headers of any website and provides a security score with actionable recommendations.
This tool helps developers and security professionals quickly audit websites for common security header misconfigurations. It checks for essential security headers and provides educational information about each one.
- ✅ Real-time header analysis
- ✅ Security scoring (0-100)
- ✅ 7 critical headers checked
- ✅ Detailed explanations
- ✅ Actionable recommendations
- ⏳ Historical tracking
- ⏳ Bulk domain analysis
- ⏳ Confidence scores
- ⏳ Export reports as PDF
- ⏳ SSL/TLS certificate analysis
- Real-time Header Analysis: Fetch and analyze security headers from any URL
- Security Scoring: Get an overall security score based on header presence and configuration
- Detailed Explanations: Learn what each security header does and why it matters
- Best Practice Recommendations: Receive specific suggestions to improve security posture
- Visual Dashboard: Color-coded results showing passing/failing headers
- Content-Security-Policy (CSP): Prevents XSS attacks by controlling resource loading
- Strict-Transport-Security (HSTS): Forces HTTPS connections
- X-Frame-Options: Prevents clickjacking attacks
- X-Content-Type-Options: Prevents MIME-type sniffing
- Referrer-Policy: Controls referrer information leakage
- Permissions-Policy: Controls browser feature access
- X-XSS-Protection: Legacy XSS filter (deprecated but still checked)
- Frontend: React, HTML, CSS
- Backend: Node.js, Express
- HTTP Client: Axios
```bash
# Clone the repository
git clone https://github.com/yourusername/security-headers-checker.git

# Navigate to the project directory
cd security-headers-checker

# Install dependencies
npm install

# Start the development server
npm start
```

- Enter a website URL (e.g., https://example.com)
- Click "Check Headers"
- View the security analysis results
- Review recommendations for missing or misconfigured headers
```
POST /api/check-headers
Body: { "url": "https://example.com" }

Response: {
  "headers": { ... },
  "score": 85,
  "results": [ ... ],
  "recommendations": [ ... ]
}
```
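The following is an added example, not the project's own code, showing how the seven headers listed above can be turned into the `score` / `results` / `recommendations` shape the API returns. The per-header weights, the "well configured" rules, and the sample response headers are assumptions chosen for illustration; the real project may weight or check differently.

```javascript
// Added example (not the project's own code): a pure analyzer for the seven
// headers this README checks. Weights (summing to 100) and the configuration
// rules are assumptions for illustration.
const CHECKS = [
  {
    name: 'Content-Security-Policy', weight: 25,
    ok: (v) => v !== undefined && /default-src/i.test(v) && !/unsafe-inline/i.test(v),
    recommendation: "Add a Content-Security-Policy with a restrictive default-src and avoid 'unsafe-inline'.",
  },
  {
    name: 'Strict-Transport-Security', weight: 20,
    // A max-age of at least one year (31536000 s) is the usual recommendation.
    ok: (v) => {
      const m = v !== undefined && /max-age=(\d+)/i.exec(v);
      return Boolean(m) && Number(m[1]) >= 31536000;
    },
    recommendation: 'Set Strict-Transport-Security with max-age of at least 31536000 (one year).',
  },
  {
    name: 'X-Frame-Options', weight: 15,
    ok: (v) => v !== undefined && /^(DENY|SAMEORIGIN)$/i.test(v.trim()),
    recommendation: 'Set X-Frame-Options to DENY or SAMEORIGIN (or use CSP frame-ancestors).',
  },
  {
    name: 'X-Content-Type-Options', weight: 15,
    ok: (v) => v !== undefined && v.trim().toLowerCase() === 'nosniff',
    recommendation: 'Set X-Content-Type-Options: nosniff.',
  },
  {
    name: 'Referrer-Policy', weight: 10,
    ok: (v) => v !== undefined &&
      /^(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)$/i.test(v.trim()),
    recommendation: 'Set Referrer-Policy to strict-origin-when-cross-origin or stricter.',
  },
  {
    name: 'Permissions-Policy', weight: 10,
    ok: (v) => v !== undefined && v.trim().length > 0,
    recommendation: 'Set Permissions-Policy to disable browser features the site does not use.',
  },
  {
    name: 'X-XSS-Protection', weight: 5,
    // Legacy filter: modern guidance is to omit it or explicitly disable it with "0".
    ok: (v) => v === undefined || v.trim() === '0',
    recommendation: 'Remove X-XSS-Protection or set it to 0; rely on CSP instead.',
  },
];

// Case-insensitive lookup: Node's http module lowercases header names, but
// hand-built objects (or multi-valued headers) may not be normalized.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  return out;
}

// Returns { score (0-100), results (one entry per header), recommendations }.
function analyzeHeaders(headers) {
  const h = normalizeHeaders(headers);
  const results = [];
  const recommendations = [];
  let score = 0;
  for (const c of CHECKS) {
    const value = h[c.name.toLowerCase()];
    const passed = c.ok(value);
    if (passed) score += c.weight; else recommendations.push(c.recommendation);
    results.push({ header: c.name, present: value !== undefined, passed, value: value ?? null });
  }
  return { score, results, recommendations };
}

// Constructed sample response headers: strong HSTS, nosniff and framing
// protection, but no CSP and no Permissions-Policy.
const SAMPLE_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
  'referrer-policy': 'strict-origin-when-cross-origin',
};

console.log(JSON.stringify(analyzeHeaders(SAMPLE_HEADERS), null, 2));
```

For the constructed sample the analyzer reports a score of 65 with two recommendations (CSP and Permissions-Policy). Note that the X-XSS-Protection rule passes when the header is absent, which is why an empty header set still scores 5 rather than 0; if the project prefers to treat absence as a failure, that rule is the one to change.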
- CORS is enabled for development (restrict in production)
- User input is validated and sanitized
- No sensitive data is stored
- All requests are logged for monitoring
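Because the backend fetches whatever URL the user submits, "validated and sanitized" input matters most at the URL itself. The following is an added example, not the project's own validation code: it accepts only absolute http/https URLs, rejects embedded credentials, and refuses loopback and private-network hosts so the checker cannot be pointed at the server's own network. The host rules are assumptions for illustration.

```javascript
// Added example (not the project's own code): validate a user-supplied target
// URL before the server fetches it. Rules below are illustrative assumptions.
const BLOCKED_HOSTS = new Set(['localhost', '127.0.0.1', '::1', '0.0.0.0']);

// True for RFC 1918, loopback and link-local IPv4 literals.
function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Returns { ok: true, url } with a normalized URL, or { ok: false, reason }.
function validateTargetUrl(input) {
  if (typeof input !== 'string' || input.trim().length === 0 || input.length > 2048) {
    return { ok: false, reason: 'url must be a non-empty string of at most 2048 characters' };
  }
  let parsed;
  try {
    parsed = new URL(input.trim());
  } catch {
    return { ok: false, reason: 'url is not a valid absolute URL' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'only http and https URLs are supported' };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'credentials in the URL are not allowed' };
  }
  // Strip IPv6 brackets so "[::1]" is compared as "::1".
  const host = parsed.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (BLOCKED_HOSTS.has(host) || isPrivateIPv4(host)) {
    return { ok: false, reason: 'loopback and private-network hosts are not allowed' };
  }
  return { ok: true, url: parsed.toString() };
}

// Constructed inputs for a quick demonstration.
for (const candidate of ['https://example.com', 'file:///etc/hosts', 'http://127.0.0.1:3000', 'not a url']) {
  console.log(candidate, '->', JSON.stringify(validateTargetUrl(candidate)));
}
```

This check only inspects the URL text. A public hostname can still resolve to an internal address, so a production deployment should also apply the same host rules to the resolved address at fetch time (for example by resolving first and connecting to the checked IP), cap redirects, and enforce a request timeout.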
This project demonstrates understanding of:
- Common web security vulnerabilities
- HTTP security headers and their purposes
- Security best practices and OWASP guidelines
- Full-stack development with security focus
- Add SSL/TLS certificate analysis
- Implement historical tracking of header changes
- Add comparison feature for multiple domains
- Export reports as PDF
- Add API rate limiting
- Implement caching for faster repeat checks
Contributions are welcome! Please feel free to submit a Pull Request.
MIT License - feel free to use this project for learning or professional purposes.
Cristina GtzName
- GitHub: @justbycris
- LinkedIn: Cristi Gtz Name
Built as a security assessment tool to help developers improve their web application security posture.
Note: This tool is for educational and assessment purposes. Always test in accordance with applicable laws and with proper authorization.