Spectra scans any website and shows you which HTTP security headers are missing, what risks they create, and the exact config to fix them. Works right from your browser, in seconds.
No account needed. Free to install.
All analysis runs locally in your browser. Nothing leaves your device.
Get an instant A to F grade based on which headers are present and how they are configured. Know where a site stands at a glance.
Checks 9 security headers including CSP, HSTS, X-Frame-Options, and Permissions-Policy. Missing headers are sorted by severity so you know what to fix first.
For every missing header, Spectra gives you copy-paste config for Nginx, Apache, Express, and Next.js. No Googling required.
Breaks down Content Security Policy directives and flags unsafe sources, missing policies, and known bypass patterns. Shows exactly which directive has the issue.
Flags response headers that reveal server software and version numbers, like Server and X-Powered-By. Small detail, real attack surface.
Checks whether the domain is hardcoded into Chrome as HTTPS-only via the HSTS preload list. Shows Preloaded, Pending, or Not listed.
Inspect every cookie for HttpOnly, Secure, and SameSite flags. Issues are listed per cookie so you can see exactly what needs fixing.
Detects wildcard origins, credential mismatches, and header misconfigurations in cross-origin policy. Each finding includes severity and a plain-English explanation.
Scan up to 30 domains at once in parallel. Results load as they come in. Export the whole run as a PDF report to share with your team.
Free for most things. Pay once for the rest. No subscriptions ever.
No account needed
Pay once, use forever