Testing HTTP security headers at scale — free analyzer tool I built

https://discuss.tchncs.de/post/56789540


I’ve been running security header checks on the top 1000 websites and the results are concerning. Built a tool to make this easy for anyone: https://devtoolkit.dev/headers

It checks for:

- Content-Security-Policy (and whether it’s actually restrictive)
- Strict-Transport-Security (including preload)
- X-Content-Type-Options
- X-Frame-Options
- Referrer-Policy
- Permissions-Policy
- X-XSS-Protection (deprecated but still checked)

Gives a 0-100 score with specific recommendations for each missing/weak header.

Interesting findings:

- ~40% of sites I tested are missing CSP entirely
- Many sites set HSTS but with short max-age (< 1 year)
- X-Frame-Options is still commonly used but CSP frame-ancestors is better
- Permissions-Policy adoption is shockingly low

No signup, no tracking, no data collection. Just paste a URL and get results.

Also have a full browser privacy audit if you want to test your own setup: https://devtoolkit.dev/privacy-audit

Feedback welcome — especially on what other checks would be useful.

Domain not DNS resolving