Security Header Audit
Comprehensive security configuration audit for any website via bookmarklet. Checks Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, cookie security flags, mixed content, and third-party script trust boundaries. Grades overall security posture A through F.
Drag to your bookmarks bar: 🛡️ Audit Security
Runs on any website. Requests come from your browser, not MaxIntel's servers.
Install the bookmarklet above, then use it on any website.
Security Header Audit — Website Configuration Analysis
Security headers are a browser-enforced layer of defense for web applications: the server sends them, and the browser applies the policy they describe, restricting which content may load, whether the page may be framed, whether responses may be MIME-sniffed, and how much referrer information leaks to other origins. They mitigate whole classes of attack such as XSS and clickjacking rather than fixing the underlying bugs. This tool audits a site's configuration from the client side, checking what protections actually reach the visitor's browser.
Checks Performed
Content-Security-Policy (XSS mitigation), X-Frame-Options (clickjacking), X-Content-Type-Options (MIME sniffing), Referrer-Policy (URL leakage), plus two checks that are not headers: Subresource Integrity on third-party scripts (supply-chain attacks) and HTTPS enforcement.
- Content Security Policy
- A header (also settable with a `<meta http-equiv>` tag) that tells the browser which origins scripts, styles, frames and other content may be loaded from, and whether inline script is allowed. A strict CSP (nonce- or hash-based, with no 'unsafe-inline' in script-src) is the strongest browser-side mitigation for XSS, but it complements output encoding rather than replacing it.
- Subresource Integrity
- Hash-based verification, via the `integrity` attribute on `<script>` and `<link>` tags, that a fetched resource matches what the page author expected. Without SRI, a compromised CDN or third-party host can serve modified code and the page will execute it unchanged.
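As an added example of the CSP check described above (this is illustrative code, not MaxIntel's bookmarklet), the function below parses a Content-Security-Policy value, whether it came from the HTTP header or a `<meta http-equiv>` tag, flags the weaknesses an audit should report, and maps the result onto the A to F bands the FAQ below uses. The penalty weights and the sample policies are assumptions made for the example.

```javascript
// Added example, not MaxIntel's bookmarklet code: parse a Content-Security-Policy
// value and report the weaknesses a header audit should flag. The policy string
// can come from the HTTP header or from a <meta http-equiv="Content-Security-Policy">
// tag. Penalty weights are illustrative assumptions; the grade bands are the
// page's own (A >= 90, B >= 80, C >= 65, D >= 50, otherwise F).

// Split "dir src src; dir2 src" into { dir: [sources] }. Directive names are
// case-insensitive and a repeated directive is ignored (the first one wins).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Source list that governs a fetch directive: the directive itself, else
// default-src, else null (unrestricted).
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const add = (id, weight, msg) => findings.push({ id, weight, msg });

  const scripts = effectiveSources(d, 'script-src');
  if (scripts === null) {
    add('no-script-src', 30, 'neither script-src nor default-src is set; scripts may load from anywhere');
  } else {
    const src = scripts.map(s => s.toLowerCase());
    const nonceOrHash = src.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = src.includes("'strict-dynamic'");
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
    // so it is only a finding when it is actually in effect.
    if (src.includes("'unsafe-inline'") && !nonceOrHash) {
      add('unsafe-inline', 25, "'unsafe-inline' in script-src lets injected inline scripts run");
    }
    if (src.includes("'unsafe-eval'")) {
      add('unsafe-eval', 10, "'unsafe-eval' lets injected strings reach eval()/Function()");
    }
    // Host and scheme sources are ignored under 'strict-dynamic'.
    if (!strictDynamic && src.some(s => s === '*' || s === 'https:' || s === 'http:')) {
      add('scheme-wildcard', 15, 'script-src allows any host over a whole scheme');
    }
    if (src.includes('data:')) {
      add('data-uri', 15, 'data: in script-src allows attacker-controlled script via data URLs');
    }
  }
  if (effectiveSources(d, 'object-src') === null) {
    add('no-object-src', 5, "object-src 'none' missing; plugin content can be used to run script");
  }
  if (!('base-uri' in d)) {
    add('no-base-uri', 5, 'base-uri missing; an injected <base> can redirect relative script URLs');
  }
  // frame-ancestors is ignored when CSP is delivered via <meta>; it must be a header.
  if (!('frame-ancestors' in d)) {
    add('no-frame-ancestors', 10, 'frame-ancestors missing; framing control relies on X-Frame-Options alone');
  }
  return findings;
}

function gradeCsp(policy) {
  const findings = auditCsp(policy);
  const score = Math.max(0, 100 - findings.reduce((sum, f) => sum + f.weight, 0));
  const grade = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 65 ? 'C' : score >= 50 ? 'D' : 'F';
  return { score, grade, findings };
}

// Constructed sample policies, not taken from any real site.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const STRICT_CSP = "default-src 'self'; script-src 'nonce-d2Vha3Jhbmq' 'strict-dynamic'; " +
  "object-src 'none'; base-uri 'none'; frame-ancestors 'none'";

for (const p of [WEAK_CSP, STRICT_CSP]) {
  const r = gradeCsp(p);
  console.log(`${r.grade} (${r.score}): ${p}`);
  r.findings.forEach(f => console.log(`  -${f.weight} ${f.id}: ${f.msg}`));
}
```

The weak policy scores 35 (F): the scheme-wide `https:` and `'unsafe-inline'` together mean an injected `<script>` pointing anywhere on the web, or an inline payload, executes. The strict policy scores 100 (A) because nonces plus `'strict-dynamic'` make host allowlisting irrelevant. In a browser the policy string would be taken from `document.querySelector('meta[http-equiv="Content-Security-Policy"]').content` or from the response header.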
🛡️ Security Header Audit — FAQ
Can this see all HTTP headers?
Only partially. A script running inside a loaded page cannot read the HTTP response headers of that document, so the tool inspects what is observable from the DOM: `<meta http-equiv>` equivalents (valid for Content-Security-Policy and Referrer-Policy, and used by many sites), plus the page's scripts, cookies and resource URLs. HSTS and X-Frame-Options have no meta-tag form (browsers ignore them in `<meta>`), and CSP directives such as frame-ancestors and report-uri are ignored when delivered via `<meta>`, so protections that exist only as headers must be confirmed with browser DevTools or `curl -sD - -o /dev/null <url>`.
What does the grade mean?
A (90-100): Excellent configuration. B (80-89): Good with minor gaps. C (65-79): Adequate but missing important protections. D (50-64): Significant gaps. F (<50): Major security issues.
Does this test for vulnerabilities?
It tests for security misconfigurations, not application-level vulnerabilities. Missing headers indicate increased attack surface but do not confirm exploitability.
Why check for SRI on third-party scripts?
If a CDN or third-party host is compromised, the attacker can replace the script and every page that references it executes the new version. With SRI, the browser hashes the fetched file and refuses to run it unless the digest matches the `integrity` attribute the page author committed to. For a cross-origin script the tag also needs `crossorigin="anonymous"` (or `use-credentials`); without CORS the browser cannot read the bytes to hash them and the script is blocked. The trade-off is that the hash pins one exact version, so a legitimate upstream update is also blocked until the page is updated.
Can I audit my own site during development?
Yes. Run it against staging or a local build before deployment to confirm the headers and meta tags reach the browser as intended. Two caveats: HSTS only applies over HTTPS, so a plain http://localhost setup cannot be used to verify it, and a check that passes on staging still needs confirming in production, where a CDN or reverse proxy may strip or rewrite headers.