Security Headers Scanner

Check whether a website sends the HTTP security headers that protect users from XSS, clickjacking, and protocol downgrade attacks.

About this security headers scanner

HTTP security headers are the cheapest, highest-leverage defence a website has: a single response header can block clickjacking, force HTTPS for a year, or shut down an entire class of XSS attacks. This scanner fetches any URL, reads the headers your server returns, and grades the result A–F against the modern baseline — HSTS, CSP, X-Frame-Options, COOP, COEP, CORP, Referrer-Policy and Permissions-Policy.
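To make the baseline concrete, the Python below is an added example (not Toolzer's code or its grading rubric) that checks a set of response headers for the eight headers named above. The names `BASELINE`, `audit` and `hsts_max_age` are hypothetical, the one-year HSTS threshold is an assumption drawn from the "HTTPS for a year" remark, and the sample headers are constructed.

```python
# Added example (hypothetical names; not the scanner's own code).
ONE_YEAR = 31536000  # seconds; assumed threshold for "force HTTPS for a year"

BASELINE = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
    "cross-origin-opener-policy": "COOP",
    "cross-origin-embedder-policy": "COEP",
    "cross-origin-resource-policy": "CORP",
    "referrer-policy": "Referrer-Policy",
    "permissions-policy": "Permissions-Policy",
}

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or None if absent/invalid."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(headers):
    """Return (missing, notes) for a mapping of final-response headers."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    missing = [label for key, label in BASELINE.items() if not h.get(key)]
    notes = []
    if "CSP" in missing and h.get("content-security-policy-report-only"):
        notes.append("CSP is report-only: violations are reported, nothing is blocked")
    if "HSTS" not in missing:
        age = hsts_max_age(h["strict-transport-security"])
        if age is None or age < ONE_YEAR:
            notes.append("HSTS max-age is missing or shorter than one year")
    if "x-xss-protection" in h:
        notes.append("X-XSS-Protection is deprecated; rely on CSP instead")
    return missing, notes

# Constructed sample response headers (not captured from a real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A report-only CSP is counted as missing here because it does not block anything until it is promoted to the enforcing `Content-Security-Policy` header.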

How to use Security Headers Scanner

Open the page, enter the input you want to check, and the result appears immediately above — there is nothing to install, no account to create, and no popup to dismiss. Every Toolzer utility is designed to give you the answer on the first screen and let you copy or share it in one click. If the result looks unexpected, run the test a second time: transient network conditions, browser extensions, and corporate proxies can all affect single-shot measurements, and a fresh run usually confirms whether the issue is real or a one-off blip.

Every tool on Toolzer is built to work on desktop and mobile, including the latest versions of Chrome, Edge, Firefox, Safari, and Brave. Results are rendered directly in your browser whenever possible, so the page stays responsive even on slow connections. When a server lookup is required — for example to query public DNS, WHOIS, or geolocation databases — the request is proxied through Toolzer's edge so the third-party service never sees your IP address.

Privacy & how this tool works

Toolzer is a privacy-first toolbox: the page is served as a static, minified bundle with long-lived cache headers, so repeat visits are essentially free for both you and our servers. Inputs you type — text to format, passwords to generate, URLs to inspect — stay on your device unless an explicit server lookup is required. We do not sell data, we do not run third-party advertising trackers, and we do not require an account to use any tool on the site.

Bookmark this page and pair it with the other utilities listed below; together they cover most of the day-to-day SEO, networking, security, and developer tasks that would otherwise need three or four separate apps. If you spot a result you cannot explain, the FAQ underneath answers the most common questions about how the underlying measurement works and where its limits are.

Frequently asked questions

What grade should I aim for?

Any production site should reach at least B. Aiming for A requires a real Content-Security-Policy, which takes deliberate engineering — but it's the single most effective XSS mitigation available.

Is CSP hard to deploy?

Yes, on legacy sites. Start in Content-Security-Policy-Report-Only mode, monitor violations, then promote to enforcing once your inline scripts and third parties are inventoried.

Why isn't X-XSS-Protection on the list?

It's deprecated and removed from modern browsers. CSP replaces it. Keep your headers tight, not long.

Does the scanner follow redirects?

Yes. We grade the final response, so a domain that redirects HTTP → HTTPS is scored on the HTTPS response, which is what matters to users.

Do I need to create an account to use Toolzer?

No. Every utility on Toolzer is free, anonymous, and works in any modern browser without registration. You will never see a paywall or a forced sign-up flow — the goal is to give you the answer on the first screen and let you move on.

Is Toolzer safe to use with sensitive inputs?

Yes. Whenever the tool can produce an answer entirely in the browser — password generation, JSON formatting, regex testing, hashing, text counting — the data never leaves your device. When a server lookup is unavoidable (DNS, WHOIS, geolocation), the request is proxied through Toolzer's edge so the upstream service never sees your real IP address.

Does Toolzer work on mobile?

Yes. The interface is fully responsive and works on iOS Safari, Android Chrome, Samsung Internet, and every other up-to-date mobile browser. You can pin the page to your home screen for one-tap access.

Can I link to or bookmark a result?

Yes. Every Toolzer page has a clean, permanent URL you can bookmark, share, or paste into a ticket. Results are generated client-side on each visit, so the link always shows fresh data instead of a stale screenshot.