About HeaderLab

The tools focus on web security headers — checking what you have, building what you need, and auditing what's deployed. Everything runs in your browser.

What HeaderLab stands for

Privacy first

No accounts, no tracking, no stored URLs. The site uses cookieless, aggregate-only analytics. Read the full privacy policy.

Honest scoring

HeaderLab doesn't scan its own domain — there's no self-interest involved. The scoring rigorously applies industry standards, because real security requires nuance. A site can have a CSP and still be wide open; we tell you that. Read the full scoring methodology.

Open source

HeaderLab's analysis engines are open source on GitHub. The detection logic and scoring rules are public — audit them, fork them, send a pull request. The security checks aren't black boxes.

Want to help?

HeaderLab is open source, and contributions make it better. If you care about web security and want to support it:

• Star the repo on GitHub — visibility matters
• Open issues — share ideas, suggest improvements, request new tools
• Send pull requests — new tools, refined detection logic, documentation, translations
• Share with a friend — the most useful security tool is one developers actually know about

Or just say hi: hello@headerlab.dev

— Kadir, maintainer of HeaderLab