Web security

How to review security headers, CSP, and HSTS

A rollout workflow for understanding which layer sets each header, testing real browser behavior, and avoiding lockouts or false confidence.

Security headers add browser-side controls, but a present header can still be ineffective, contradictory, or limited to only some responses. Test the policy and the delivery path together.

Start with the final public response

Check the application, reverse proxy, CDN, errors, redirects, and authenticated pages. Identify which layer owns each header so later deployments do not overwrite it.

Roll out CSP and HSTS carefully

Use CSP report-only to collect violations before enforcement, then remove unsafe sources deliberately. Enable HSTS only after every required subdomain works over HTTPS and understand includeSubDomains and preload.

Verify behavior, not only presence

Test framing, MIME sniffing, referrer leakage, feature permissions, inline scripts, third-party integrations, and browser console reports on representative pages.

Security header review checklist

  • Inspect final responses across status codes
  • Assign ownership for every header
  • Test CSP in report-only before enforcement
  • Confirm all HSTS hosts support HTTPS
  • Retest browser behavior after deployment

Related guides

Learn the workflow behind this tool and what to check next.

Related tools