Search engines crawl. AI engines verify. Both increasingly weight your security headers as evidence that you take publishing seriously. We built a tool that scores yours and emits the missing _headers block ready to paste.
What it does
Scores HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, the Cross-Origin-* headers, and cookie flags. Emits a paste-ready Netlify _headers block for any gaps.
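The kind of gap check described above, as an added example (not the tool's own code): it takes a response's headers, reports which of the listed headers and cookie flags are missing, and renders the gaps in Netlify _headers syntax. The function names, the recommended values, and the sample response are assumptions made for illustration.

```python
# Added example: header names come from the list above; the recommended
# values are assumed baseline defaults, not the tool's own output.
BASELINE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}
COOKIE_FLAGS = ("secure", "httponly", "samesite")

def missing_headers(response_headers):
    """Return baseline headers absent from a list of (name, value) pairs."""
    present = {name.lower() for name, _ in response_headers}  # names are case-insensitive
    return {h: v for h, v in BASELINE.items() if h.lower() not in present}

def weak_cookies(response_headers):
    """Map each Set-Cookie name to the flags it lacks."""
    findings = {}
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        lacking = [f for f in COOKIE_FLAGS if f not in attrs]
        if lacking:
            findings[parts[0].split("=", 1)[0]] = lacking
    return findings

def netlify_headers_block(missing, path="/*"):
    """Render missing headers in Netlify _headers syntax (path, then indented pairs)."""
    return "\n".join([path] + [f"  {h}: {v}" for h, v in missing.items()])

# Constructed sample response (not captured from a real site).
SAMPLE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("strict-transport-security", "max-age=63072000"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print(netlify_headers_block(missing_headers(SAMPLE)))
    print(weak_cookies(SAMPLE))
```

The CSP and Cross-Origin values here are strict starting points; check them against the site's actual script, style and embed sources before deploying, since a policy that is too tight will block legitimate resources.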
How to use it
- Open /tools/security-headers-audit/ in your browser.
- Enter the URL or domain you want to audit (or paste the inputs the tool requests for that specific check).
- Run the audit and review the per-check results inline.
- Copy the AI fix prompt from the bottom of the results and paste it into Claude / ChatGPT / Codex — the tool generates a domain-aware prompt that names every issue found.
- Apply the fixes to your source tree and re-run to confirm.
Why this exists
Most professional tools in this category cost $99 to $499 per month, lock results behind logins, or run on slow Chrome backends. The jwatte.com tool suite is built on three principles:
- Free + ungated — no signup, no quota
- Transparent — every check explains what it measures and how
- AI-augmented — every output produces a prompt that turns the audit into a fix in one paste
Companion tools
This tool pairs with the rest of the jwatte.com tools hub. For audits at scale, queue it inside Mega Batch. For deep single-page review, run it alongside Mega Analyzer.
Reference
- /tools/security-headers-audit/ — live tool
- /tools/ — full tool hub (60+ free tools)
- /about/ — about the author + the framework behind these tools