Research and Development

HeaderCheck is a Python script that checks the security settings of various headers returned by web servers.

The following headers are checked:

  • X-XSS-Protection
  • X-Content-Type-Options
  • X-Frame-Options
  • Cache-Control
  • Content-Security-Policy
  • WebKit-X-CSP
  • X-Content-Security-Policy
  • Strict-Transport-Security
  • Access-Control-Allow-Origin
  • Origin

Each header is assessed against good-practice settings and is also displayed for manual checking.
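The kind of assessment described above, as an added example that is not HeaderCheck's own code: it rates a subset of the listed headers and passes the rest through for manual review. The accepted values, the 180-day HSTS threshold, the function name `assess_headers` and the sample headers are assumptions made for illustration; header names are spelled as in the list above.

```python
# Added example, not HeaderCheck's code; the "good" values below are assumptions.
import re

CSP_NAMES = ("content-security-policy", "x-content-security-policy", "webkit-x-csp")
MIN_HSTS_AGE = 15552000  # assumed minimum max-age: 180 days in seconds


def assess_headers(raw_headers):
    """Return (findings, manual); findings maps header name -> (status, note)."""
    h = {k.strip().lower(): v.strip() for k, v in raw_headers.items()}
    findings = {}

    def rate(name, ok, note):
        findings[name] = ("PASS" if ok else "FAIL", note)

    xcto = h.get("x-content-type-options")
    rate("X-Content-Type-Options", (xcto or "").lower() == "nosniff", xcto or "missing")
    xfo = h.get("x-frame-options")
    rate("X-Frame-Options", (xfo or "").upper() in ("DENY", "SAMEORIGIN"), xfo or "missing")
    # A policy under any of the three CSP header names counts as present.
    csp = next((h[n] for n in CSP_NAMES if n in h), None)
    rate("Content-Security-Policy", bool(csp), "present" if csp else "missing")
    # HSTS only passes when max-age parses and meets the assumed minimum.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    age = int(m.group(1)) if m else 0
    rate("Strict-Transport-Security", age >= MIN_HSTS_AGE,
         f"max-age={age}" if m else "missing or no max-age")
    # A wildcard CORS origin exposes responses to every origin; absence is fine.
    acao = h.get("access-control-allow-origin")
    rate("Access-Control-Allow-Origin", acao != "*", acao or "not set")
    # The remaining headers on the list are only displayed for manual checking.
    manual = {n: h[n] for n in ("x-xss-protection", "cache-control", "origin") if n in h}
    return findings, manual


# Constructed sample response headers (not captured from a real server).
SAMPLE = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.test",
    "Strict-Transport-Security": "max-age=3600",
    "Access-Control-Allow-Origin": "*",
    "Cache-Control": "public, max-age=600",
}

if __name__ == "__main__":
    findings, manual = assess_headers(SAMPLE)
    for name, (status, note) in findings.items():
        print(f"{status:4} {name}: {note}")
    print("manual review:", manual)
```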


HeaderCheck is a standalone Python script; simply decompress the download and move the script to the desired location.


HeaderCheck can be run in the following form.

$ python [targeturl] [subdirectory]

For example:

$ python /
$ python /news

Please note the space between the domain and the subdirectory.
