Part of the security audit tool stack. See the pillar post for the full catalog of sibling audits and where this one fits in the lineup.
Search engines crawl. AI engines verify. Both increasingly weight your security headers as evidence that you take publishing seriously. We built a tool that scores yours and emits the missing `_headers` block ready to paste.
What it does
Scores HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-* and cookie flags. Emits a paste-ready config block in the format your host speaks: pick a tab for Netlify, Cloudflare Pages, Cloudflare Workers, Vercel, nginx, Apache, Caddy, AWS CloudFront, DigitalOcean App Platform, or an Express middleware snippet. The same canonical header set is used across every tab, rendered in each platform's native syntax.
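To make the scoring step concrete, here is an added example (not the tool's own code) of a minimal scorer over the same header set. Each check takes a response header map and returns a finding or null; the thresholds (one-year HSTS max-age, treating a CSP `frame-ancestors` directive as superseding X-Frame-Options, requiring Secure/HttpOnly/SameSite on every cookie) and the equal weighting are assumptions, and the two sample header sets at the bottom are constructed.

```javascript
// Added example: a minimal scorer for the header set the audit covers.
// Not the tool's own code; weights and thresholds below are assumptions.

const ONE_YEAR = 31536000;

// Each check receives a lowercase-keyed header map and returns a finding string or null.
const CHECKS = [
  ['Strict-Transport-Security', (h) => {
    const v = h['strict-transport-security'];
    if (!v) return 'missing';
    const m = /max-age=(\d+)/i.exec(v);
    if (!m || Number(m[1]) < ONE_YEAR) return 'max-age below one year';
    if (!/includeSubDomains/i.test(v)) return 'no includeSubDomains';
    return null;
  }],
  ['Content-Security-Policy', (h) => {
    const v = h['content-security-policy'];
    if (!v) return 'missing';
    if (/script-src[^;]*'unsafe-inline'/i.test(v)) return "script-src allows 'unsafe-inline'";
    return null;
  }],
  ['X-Frame-Options', (h) => {
    // A CSP frame-ancestors directive takes precedence in modern browsers.
    if (/frame-ancestors/i.test(h['content-security-policy'] || '')) return null;
    const v = (h['x-frame-options'] || '').toUpperCase();
    return ['DENY', 'SAMEORIGIN'].includes(v) ? null : 'missing or not DENY/SAMEORIGIN';
  }],
  ['X-Content-Type-Options', (h) =>
    (h['x-content-type-options'] || '').toLowerCase() === 'nosniff' ? null : 'missing nosniff'],
  ['Referrer-Policy', (h) => {
    const ok = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
    // Comma-separated fallback list: the last value the browser understands wins.
    const v = (h['referrer-policy'] || '').toLowerCase().split(',').pop().trim();
    return ok.includes(v) ? null : 'missing or leaks referrer';
  }],
  ['Permissions-Policy', (h) => (h['permissions-policy'] ? null : 'missing')],
  ['Cross-Origin-Opener-Policy', (h) => (h['cross-origin-opener-policy'] ? null : 'missing')],
  ['Cross-Origin-Resource-Policy', (h) => (h['cross-origin-resource-policy'] ? null : 'missing')],
  ['Set-Cookie flags', (h) => {
    const cookies = [].concat(h['set-cookie'] || []);
    if (cookies.length === 0) return null; // nothing set, nothing to flag
    const weak = cookies.filter((c) =>
      !/;\s*secure\b/i.test(c) || !/;\s*httponly\b/i.test(c) || !/;\s*samesite=/i.test(c));
    return weak.length ? `${weak.length} cookie(s) without Secure/HttpOnly/SameSite` : null;
  }],
];

// Header names are case-insensitive, so key everything in lowercase first.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { score: 0..100, findings: [...] } for one response's headers.
function scoreHeaders(headers) {
  const h = normalize(headers);
  const findings = [];
  for (const [name, check] of CHECKS) {
    const f = check(h);
    if (f) findings.push(`${name}: ${f}`);
  }
  const score = Math.round((100 * (CHECKS.length - findings.length)) / CHECKS.length);
  return { score, findings };
}

// Constructed sample responses (not captured from any real site).
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Set-Cookie': ['session=abc; Secure; HttpOnly; SameSite=Lax; Path=/'],
};
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'x-frame-options': 'ALLOWALL',
  'referrer-policy': 'unsafe-url',
  'set-cookie': 'id=1; Path=/',
};

console.log(scoreHeaders(GOOD_HEADERS));
console.log(scoreHeaders(WEAK_HEADERS));
```

The score is deliberately coarse (one point per check) so that the findings list, not the number, is what you act on; a real audit would also read the HSTS preload status and parse the CSP fully.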
Multi-host output — pick your platform
One audit, nine output formats. The header values are identical across every tab; what changes is the syntax:
- Netlify and Cloudflare Pages: both use the `_headers` file format. Save it at your publish directory root.
- Cloudflare Workers: a JS fetch handler that wraps outgoing responses and adds the headers at the edge. Deploy with `wrangler deploy`.
- Vercel: a `vercel.json` headers array that merges into your existing config.
- nginx: `add_header` directives for inside your `server { }` block.
- Apache: `Header always set` directives for `.htaccess`.
- Caddy: the native `header` directive for a Caddyfile. Pairs well with Caddy's automatic TLS; see the Caddy server writeup.
- AWS CloudFront: a `ResponseHeadersPolicy` JSON blob you can pipe into `aws cloudfront create-response-headers-policy`.
- DigitalOcean App Platform: an `app.yaml` static-site header block. Apply via `doctl apps update $APP_ID --spec app.yaml`.
- Express: a Node middleware snippet for custom backends.
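The "one header set, many syntaxes" idea above, as an added example that is not the tool's own code: a single canonical map rendered into the Netlify/Cloudflare Pages `_headers`, nginx, Apache, Caddy and `vercel.json` forms, plus an Express middleware. The header values are assumptions chosen for illustration, and the renderers cover only the formats whose syntax is shown; CloudFront, Workers and App Platform are left out.

```javascript
// Added example (not the tool's own code): one canonical header set rendered
// into several host-native formats. Header values are illustrative assumptions.

const CANONICAL = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; base-uri 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
};

const entries = (h) => Object.entries(h);
const dq = (v) => `"${v.replace(/"/g, '\\"')}"`; // double-quote a directive value

// Netlify / Cloudflare Pages `_headers`: a path pattern, then indented "Name: value" lines.
function renderNetlify(h) {
  return ['/*', ...entries(h).map(([k, v]) => `  ${k}: ${v}`)].join('\n') + '\n';
}

// nginx: a directive ends at `;` and CSP values contain `;`, so the value must be
// quoted. `always` also sends the header on 4xx/5xx responses. Caveat: add_header
// inside a nested location {} replaces, rather than extends, these directives.
function renderNginx(h) {
  return entries(h).map(([k, v]) => `add_header ${k} ${dq(v)} always;`).join('\n') + '\n';
}

// Apache .htaccess: `always` so error responses carry the headers too.
function renderApache(h) {
  return entries(h).map(([k, v]) => `Header always set ${k} ${dq(v)}`).join('\n') + '\n';
}

// Caddyfile: a single header block inside the site definition.
function renderCaddy(h) {
  return ['header {', ...entries(h).map(([k, v]) => `  ${k} ${dq(v)}`), '}'].join('\n') + '\n';
}

// vercel.json fragment: a headers array applied to every route.
function renderVercel(h) {
  const headers = entries(h).map(([key, value]) => ({ key, value }));
  return JSON.stringify({ headers: [{ source: '/(.*)', headers }] }, null, 2);
}

// Express middleware: set every header before the route handler runs.
function securityHeaders(h = CANONICAL) {
  return (req, res, next) => {
    for (const [k, v] of entries(h)) res.setHeader(k, v);
    next();
  };
}

const RENDERERS = {
  netlify: renderNetlify, nginx: renderNginx, apache: renderApache,
  caddy: renderCaddy, vercel: renderVercel,
};

// Render the canonical set in the named format; unknown formats are an error.
function render(format, h = CANONICAL) {
  const fn = RENDERERS[format];
  if (!fn) throw new Error(`unknown format: ${format}`);
  return fn(h);
}

for (const name of Object.keys(RENDERERS)) {
  console.log(`--- ${name} ---\n${render(name)}`);
}
```

The quoting helper is the part worth copying: an unquoted CSP in nginx terminates the directive at its first semicolon and the config fails to load, which is a common reason a pasted header block "doesn't work".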
If your host isn't on that list, the AI fix prompt includes "[pick your host]" as a placeholder so the model tailors the config to whatever you tell it.
How to use it
- Open /tools/security-headers-audit/ in your browser.
- Enter the URL or domain you want to audit (or paste the inputs the tool requests for that specific check).
- Run the audit and review the per-check results inline.
- Copy the AI fix prompt from the bottom of the results and paste it into Claude, ChatGPT or Codex; the tool generates a domain-aware prompt that names every issue found.
- Apply the fixes to your source tree and re-run to confirm.
Why this exists
Most professional tools in this category cost $99 to $499 per month, lock results behind logins, or run on slow Chrome backends. The jwatte.com tool suite is built on three principles:
- Free + ungated, no signup, no quota
- Transparent, every check explains what it measures and how
- AI-augmented, every output produces a prompt that turns the audit into a fix in one paste
Companion tools
This tool pairs with the rest of the jwatte.com tools hub. For audits at scale, queue it inside Mega Batch. For deep single-page review, run it alongside Mega Analyzer.
Reference
- /tools/security-headers-audit/, live tool
- /tools/, full tool hub (60+ free tools)
- /about/, about the author + the framework behind these tools