Skip to main

About

One of the biggest struggles in technology today is security, and those who understand security are not cheap. Taking some of that knowledge and making it available to the masses for free helps build a safer community.

Header Inspector was originally called "Secure Header", and was started May 1st, 2019. The goal of the site is to simply analyize HTTP headers, and where applicable, give advice on how they can be improved.

We wanted a dark mode, to create a logo, and a better name. Header Inspector was born November 8th, 2019.

The site is developed by Robert Lerner to add to a header blog series and allow free scanning. Check those out over at Rapid7.

How It Works

Header Inspector:
  1. Normalizes your URL by removing any query string, fragments, authentication (user@site) to get to the bare URL.
  2. Sends a GET request to your site in the following order:
    1. https://yourdomain.tld
    2. https://www.yourdomain.tld
    3. http://yourdomain.tld
    4. http://www.yourdomain.tld
  3. When a working protocol+hostname combination are found, Header Inspector follows any redirects that may exist on the page
  4. When a successful HTTP/1.0 200 OK is received, the headers are then sent to a parser to break them up into individual keys and values
  5. Header Inspector works via a collection of registered modules (such as one for HSTS, one for Cookies, etc). The keys and values are then sent to each module for further processing.
  6. Each module contributes a good, improve, bad or info textual string to give context to the user. It also defines a maximum weight (if all considerations are met), and also outputs the score detected for a site
  7. The front end consumes this data, presents it into a report, and adds a "word" to go along with it, such as "Perfect", "Nice", "Meh" and so on
  8. You take the report, make changes, and rescan!