Security-header & cookie scanner

Is your site missing its security headers?

Most vibe-coded and rushed deploys ship with no Content-Security-Policy, no HSTS, and cookies anyone can steal. HardenCheck grades your response headers and cookie flags into a plain-English A–F report card — with copy-paste fixes for your platform.

Check a live URL

URL mode reads response headers through a public CORS proxy, which can strip or hide them. If that happens, paste mode always works — and is the most accurate. Only check sites you own or are authorized to test.

Runs in your browser. We don't store your URL, headers, or results. No signup.

What we check

The headers that actually protect users

HardenCheck grades the response headers and cookie flags every site should set — and explains, in plain English, what each one stops and exactly how to add it.

  • Content-Security-Policy

    Your strongest defence against cross-site scripting. We flag missing or 'unsafe-inline' policies.

  • Strict-Transport-Security

    Forces HTTPS so attackers can't downgrade the connection. We check max-age and scope.

  • X-Frame-Options

    Blocks clickjacking by stopping your pages from being framed. Also reads CSP frame-ancestors.

  • X-Content-Type-Options

    Stops MIME-sniffing that can turn a file into runnable script. We check for nosniff.

  • Referrer-Policy & Permissions-Policy

    Limit what you leak in the Referer header and switch off camera/mic/geolocation you don't use.

  • Cross-Origin-* headers

    COOP, COEP and CORP: the cross-origin isolation headers that mitigate Spectre-class and cross-origin leaks.

  • Cookie flags

    Every Set-Cookie is checked for Secure, HttpOnly and SameSite — the flags that keep sessions un-stealable.

  • Info disclosure

    We flag Server and X-Powered-By headers that needlessly advertise your stack to attackers.

How it works

Three steps to a hardened header set

  1. Enter your URL or paste headers

    Drop in a site you own, or paste a raw response block from curl -I or DevTools to skip the network entirely.

  2. Graded in your browser

    Each header and cookie is scored by severity and turned into an A–F report card — all locally, nothing stored.

  3. Copy the exact fix

    Every issue comes with a ready-to-paste snippet for nginx, Apache, Vercel, or Next.js. Paste, deploy, re-check.
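The checks listed above and the paste-mode flow are easy to see end to end in code. This is an added example, not HardenCheck's own engine: it parses a constructed `curl -I` block, applies the checks the page names (CSP, HSTS max-age, framing, nosniff, cookie flags, Server/X-Powered-By), and rolls the findings into an A–F grade using severity weights and cut-offs that are my own assumptions.

```javascript
// Constructed sample of a pasted `curl -I` block for a weakly configured site.
const SAMPLE_HEADERS = `HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
x-powered-by: Express
set-cookie: session=abc123; Path=/; HttpOnly
set-cookie: theme=dark; Path=/; Secure; SameSite=Lax
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'`;

// Parse a raw response block into { lowercased-name: [values...] }; Set-Cookie can repeat.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim() || /^HTTP\//i.test(line)) continue; // skip blank and status lines
    const idx = line.indexOf(':');
    if (idx < 1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(idx + 1).trim());
  }
  return headers;
}
// Apply the checks listed above; severity weights and grade cut-offs are assumptions, not HardenCheck's.
function gradeHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const add = (sev, msg) => findings.push({ sev, msg });
  const csp = h['content-security-policy']?.[0] || '';
  if (!csp) add(3, 'Content-Security-Policy missing');
  else if (csp.includes("'unsafe-inline'")) add(2, "CSP allows 'unsafe-inline'");
  const hsts = h['strict-transport-security']?.[0];
  const maxAge = Number((hsts?.match(/max-age=(\d+)/i) || [])[1]); // NaN if absent
  if (!hsts) add(3, 'Strict-Transport-Security missing');
  else if (!(maxAge >= 31536000)) add(2, 'HSTS max-age below one year');
  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp)) add(2, 'No X-Frame-Options or CSP frame-ancestors');
  if (!/^nosniff$/i.test(h['x-content-type-options']?.[0] || '')) add(1, 'X-Content-Type-Options: nosniff missing');
  for (const cookie of h['set-cookie'] || []) {
    const [pair, ...rest] = cookie.split(';'); // attributes follow the name=value pair
    const attrs = rest.map((a) => a.trim().split('=')[0].toLowerCase());
    for (const flag of ['secure', 'httponly', 'samesite']) {
      if (!attrs.includes(flag)) add(2, `Cookie ${pair.split('=')[0].trim()} lacks ${flag}`);
    }
  }
  for (const n of ['server', 'x-powered-by']) if (h[n]) add(1, `${n} advertises "${h[n][0]}"`);
  const score = findings.reduce((s, f) => s + f.sev, 0);
  const grade = score === 0 ? 'A' : score <= 2 ? 'B' : score <= 5 ? 'C' : score <= 9 ? 'D' : 'F';
  return { grade, score, findings };
}
console.log(JSON.stringify(gradeHeaders(SAMPLE_HEADERS), null, 2));
```

The constructed block above earns an F with eight findings; a block carrying a CSP with frame-ancestors, a one-year HSTS max-age, nosniff and fully flagged cookies comes back as an A.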

The ship-safety suite

Checks before you ship

HardenCheck is part of Copper Bay Labs' ship-safety suite for vibe-coded and indie apps. Run them all before you go live.

  • LeakCheck

    Did you leak a secret in your source code? Paste code, .env, or config and catch hardcoded keys before you commit.

    Scan your source code →
  • ExposureCheck

    Is your live site leaking? Probe the deployed URL for exposed .env, public .git, source maps, and bundled keys.

    Scan your live site →
  • HardenCheck (you're here)

    Are your security headers set? Grade your CSP, HSTS, frame & cookie protections into an A–F report card.

FAQ

Questions, answered

How does it read headers from another site in my browser?

Browsers block one site from reading another's response (the same-origin policy), so URL mode routes the request through a public CORS proxy that fetches your page and hands the headers back to your tab. That proxy is a third party that can see the URL it fetches, and — importantly — proxies often strip or rewrite headers, which can hide or distort the very thing we're grading. When that happens HardenCheck tells you honestly instead of guessing. For a guaranteed-accurate grade, use paste mode.

What's the most accurate way to use it?

Paste mode. Run curl -I https://your-site.com in a terminal, or open your site, press F12, go to the Network tab, click the document request, and copy the Response Headers. Paste that raw block in and HardenCheck grades the real headers your server sends — with no network call at all from this page.

Do you store my URL or headers?

No. Nothing is persisted. Your URL, the fetched or pasted headers, and the resulting grade live only in this tab's memory and disappear the moment you close or reload the page. There's no database, no analytics on your content, and no signup. (In URL mode the public CORS proxy briefly handles your URL to fetch it — see above.)

Is a good grade a guarantee my site is secure?

No. HardenCheck grades HTTP response headers and cookie flags — an important but narrow slice of security. A clean A says your headers are well-configured; it says nothing about your authentication, dependencies, input validation, access controls, or server hardening. Treat it as a fast hardening check, not a full audit. For real assurance, talk to Copper Bay Labs.

Can it monitor my headers over time?

HardenCheck is a one-shot check. Continuous, scheduled monitoring — re-checking your headers on a cadence and alerting you the moment a deploy regresses a protection, with a shareable status page — is the job of PulseGuard, the paid monitoring layer we're building on top of this engine. Want early access for your team? Get in touch →

Monitor your security headers continuously

HardenCheck Pro will re-scan your headers and CSP on a schedule and alert you the moment something weakens — be first to know when it lands.

Join the Pro waitlist, or have Copper Bay harden it for you.