Overview
Security Headers is a fast, privacy-first Chrome extension that inspects the HTTP response headers on any website and gives you an instant letter grade. v1.3.0 fixes three grading accuracy bugs and adds a 58-test regression suite — making it the most accurate header checker in the marketplace.
HOW IT WORKS:
1. Open any website
2. Click the extension icon
3. Hit "Scan This Page" — get an instant letter grade (A+ to F)
4. Expand any header for a deep dive: what attack it prevents, a real-world breach example, and a ready-to-paste fix snippet for Nginx, Apache, Express, or Cloudflare
WHAT'S NEW IN v1.3.0:
CSP Evaluator Tightened — Either 'unsafe-inline' OR 'unsafe-eval' alone now correctly flags as weak (previously required both keywords to appear). Aligns with Mozilla Observatory and securityheaders.com baselines. Most sites with React/Vue/Tailwind defaults will see a more accurate CSP score.
Referrer-Policy Bug Fix — Permissive values like 'origin' and 'no-referrer-when-downgrade' now correctly show as weak. Previously these were incorrectly marked as good, hiding real referrer-leakage risk.
Permissions-Policy Parser — Replaced the length-based heuristic with a real parser. Wildcard directives like 'camera=*' now correctly flag as weak. Strict policies like 'camera=()' correctly show as good.
58-Test Regression Suite — Every evaluator now has unit tests so future updates can't silently break what's working.
Some sites may see grade adjustments — these are corrections to previously misreported scores, not changes in your security posture.
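The three grading rules above, written out as a small evaluator. This is an added example, not the extension's own code; the sample header values are constructed, and the permissive Referrer-Policy set extends the two values named above with the other two values that leak the origin or full URL cross-site (an assumption, not something the listing states).

```javascript
// Added example, not the extension's own code: minimal versions of the three
// v1.3.0 grading rules. All header values used here are constructed samples.

// CSP: a single 'unsafe-inline' or 'unsafe-eval' keyword is enough to rate the policy weak.
function evaluateCsp(value) {
  const v = value.toLowerCase();
  return v.includes("'unsafe-inline'") || v.includes("'unsafe-eval'") ? "weak" : "good";
}

// Referrer-Policy values that leak the origin or full URL cross-site. The listing names
// the first two; the other two are added here for the same reason (assumption).
const PERMISSIVE_REFERRER = new Set([
  "origin", "no-referrer-when-downgrade", "origin-when-cross-origin", "unsafe-url",
]);

function evaluateReferrerPolicy(value) {
  // The header may carry a comma-separated fallback list; a browser applies the last
  // token it recognises, so that is the token graded here.
  const tokens = value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
  const effective = tokens[tokens.length - 1] || "";
  return PERMISSIVE_REFERRER.has(effective) ? "weak" : "good";
}

// Permissions-Policy: comma-separated "feature=allowlist" directives. The allowlist is a
// bare "*" or a parenthesised, space-separated list; "()" means no origin may use it.
function parsePermissionsPolicy(value) {
  const directives = {};
  for (const part of value.split(",")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    const inner = part.slice(eq + 1).trim().replace(/^\((.*)\)$/, "$1").trim();
    if (name) directives[name] = inner === "" ? [] : inner.split(/\s+/);
  }
  return directives;
}

// Any directive whose allowlist contains "*" grants the feature to every origin: weak.
function evaluatePermissionsPolicy(value) {
  const wildcard = Object.entries(parsePermissionsPolicy(value))
    .filter(([, allow]) => allow.includes("*"))
    .map(([name]) => name);
  return wildcard.length > 0 ? "weak" : "good";
}
```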
CORE FEATURES:
- Checks 10 critical HTTP security headers
- Instant letter grade with color-coded results
- Expandable per-header detail with attack examples and real-world breach references
- Per-framework fix snippets (Nginx, Apache, Express, Cloudflare)
- Critical / Important / Optional severity classification
- Batch-scan any number of URLs with CSV export
- Side-by-side site compare
- Share report as PNG image
- Scan history (last 50 scans)
- Extension badge shows the letter grade at a glance
- 100% local — no data leaves your browser
HEADERS CHECKED:
- Content-Security-Policy (XSS, injection, clickjacking)
- Strict-Transport-Security (protocol downgrade attacks)
- X-Frame-Options (clickjacking)
- X-Content-Type-Options (MIME sniffing)
- Referrer-Policy (referrer leakage)
- Permissions-Policy (unauthorized feature access)
- Cross-Origin-Opener-Policy (cross-origin isolation)
- Cross-Origin-Resource-Policy (resource read protection)
- Cross-Origin-Embedder-Policy (Spectre-class defenses)
- X-XSS-Protection (legacy, deprecated)
WHO IT'S FOR:
- Web developers auditing their own sites
- Security engineers doing quick header reviews
- DevOps teams comparing staging and production
- Anyone learning what each security header actually does
PRIVACY FIRST:
- All scans happen locally in your browser
- No data is ever sent to external servers
- No accounts, no sign-ups, no tracking
- History is stored locally and can be cleared any time
FREE TO USE:
Security Headers is completely free with no hidden costs and no ads.