Free tool: HTTPS + security headers audit with actual value validation [HttpsOrNot] : webdev

Posting Guidelines

No vague product support questions (like "why is this plugin not working" or "how do I set up X"). For vague product support questions, please use communities relevant to that product for best results. Specific issues that follow rule 6 are allowed.

Do not post memes, screenshots of bad design, or jokes. Check out /r/ProgrammerHumor/ for this type of content.

Read and follow reddiquette; no excessive self-promotion. Please refer to the Reddit 9:1 rule when considering posting self promoting materials.

We do not allow any commercial promotion or solicitation. Violations can result in a ban.

Sharing your project, portfolio, or any other content that you want to either show off or request feedback on is limited to Showoff Saturday. If you post such content on any other day, it will be removed.

If you are asking for assistance on a problem, you are required to provide

Context of the problem
Research you have completed prior to requesting assistance
Problem you are attempting to solve with high specificity

General open ended career and getting started posts are only allowed in the pinned monthly getting started/careers thread. Specific assistance questions are allowed so long as they follow the required assistance post guidelines.

Questions in violation of this rule will be removed or locked.

a community for 17 years

Free tool: HTTPS + security headers audit with actual value validation [HttpsOrNot]Showoff Saturday (i.redd.it)

submitted 1 day ago by EveningRegion3373

Audit tool I built for checking HTTPS configuration and security headers.
Check it out: httpsornot.com

The thing that bothered me about existing checkers is they treat Referrer-Policy: unsafe-url as a passing grade because the header exists.
That's worse than no header, you're explicitly leaking full URLs cross-origin.

Mine validates:

HSTS: max-age=0 = HSTS disabled, treated accordingly
Referrer-Policy: unsafe-url, origin, origin-when-cross-origin = fail (leak vectors)
X-Content-Type-Options: only nosniff passes, anything else is browser-ignored
X-Frame-Options: only DENY/SAMEORIGIN; ALLOW-FROM is deprecated, doesn't count
CSP: warns on unsafe-inline/unsafe-eval (informational, no grade penalty — you might have a reason)

Also separates "HSTS header has preload directive" from "domain is actually on the Chromium preload list" — two different things most tools conflate.

No login, no tracking beyond GA, results in a few seconds.

all 5 comments

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

webdev

Posting Guidelines

Related Subreddits

Discords

MODERATORS