Headers, CSP, HSTS, CORS, cookies, clickjacking
Analyze HTTP response headers and check security headers like CSP, HSTS, X-Frame-Options.
Check Strict-Transport-Security header. Verify max-age, includeSubDomains, preload.
Check Content-Security-Policy. Parse directives, detect unsafe-inline, unsafe-eval.
Check Access-Control-* headers. Verify Allow-Origin, credentials, methods.
Parse Set-Cookie headers. Check HttpOnly, Secure, SameSite.
Find HTTP resources on HTTPS pages. Paste HTML, scan scripts, images, styles.
Check X-Frame-Options and CSP frame-ancestors. Detect clickjacking vulnerability.
Analyze URL for open redirect risks. Check redirect params.
Check if a URL exposes directory listing. Detects "Index of" pages and raw file lists.
Fetch, parse, and validate robots.txt. Check which bots are allowed, view sitemaps, test URL paths.
Detect what technologies power a website — CMS, frameworks, CDN, analytics from headers and HTML.
Detect Cloudflare, Akamai, AWS WAF, Sucuri, Fastly. Passive header analysis — no attack payloads.
Follow 301/302/307/308 redirects. See every hop with status and latency. SEO & security.
Check Referrer-Policy header. Control referrer info. Privacy & security. Like Barrion.
Get A+ to F grade for HTTP security headers. Like SecurityHeaders.com.
Check Permissions-Policy header. Restrict geolocation, camera, microphone.
Check if site redirects HTTP to HTTPS. Redirect chain. HSTS preload requirement.
Detect Server, X-Powered-By headers leaking tech versions. Barrion competitor.
Check X-Content-Type-Options: nosniff. Prevent MIME sniffing.