How to review security headers, CSP, and HSTS
A rollout workflow for understanding which layer sets each header, testing real browser behavior, and avoiding lockouts or false confidence.
Security headers add browser-side controls, but a present header can still be ineffective, contradictory, or limited to only some responses. Test the policy and the delivery path together.
Start with the final public response
Check the application, reverse proxy, CDN, errors, redirects, and authenticated pages. Identify which layer owns each header so later deployments do not overwrite it.
Roll out CSP and HSTS carefully
Use CSP report-only to collect violations before enforcement, then remove unsafe sources deliberately. Enable HSTS only after every required subdomain works over HTTPS and understand includeSubDomains and preload.
Verify behavior, not only presence
Test framing, MIME sniffing, referrer leakage, feature permissions, inline scripts, third-party integrations, and browser console reports on representative pages.
Security header review checklist
- Inspect final responses across status codes
- Assign ownership for every header
- Test CSP in report-only before enforcement
- Confirm all HSTS hosts support HTTPS
- Retest browser behavior after deployment
Related guides
Learn the workflow behind this tool and what to check next.
Domain launch validation checklist
A layered domain launch check that catches DNS, certificate, routing, mail, and SEO mistakes before users find them.
Technical SEO checks before submitting a site
A focused checklist for making sure search engines can discover, crawl, understand, and index important pages.