
How to Audit Website Security Headers with Curl


These articles are AI-generated summaries. Please check the original sources for full details.

Quick tip: check your security headers with curl

Ben Greenberg outlines a streamlined method for verifying critical web security headers from the command line. A single curl request shows whether a site is missing essential protections such as HSTS, which tells browsers to use HTTPS for every future visit to the domain for as long as its max-age lasts.

Why This Matters

Web servers and frameworks do not send these headers by default; each one has to be configured explicitly at the load balancer, reverse proxy or application layer, so a deployment that looks finished can still be shipping without them. Without X-Frame-Options (or a Content-Security-Policy with a frame-ancestors directive) a page can be embedded in a hostile site and clickjacked, and without Content-Security-Policy an injected script runs with no restriction, so verifying the headers, manually or in an automated check, is a prerequisite for production readiness.

Key Insights

  • HSTS is identified as the most important security header to add first for enforcing HTTPS (Greenberg, 2026).
  • Piping the curl -I output through grep -i isolates x-frame, content-security, strict-transport-security and x-content-type-options from the rest of the response headers (curl -I sends a HEAD request, so no body is returned). The -i flag matters because header names are case-insensitive and servers capitalise them differently.
  • The Hummus on Rails Audit tool provides a broader breakdown of security findings beyond simple header checks.

Working Examples

Command to filter and display specific security headers from a URL. -s suppresses curl's progress meter so only the headers reach grep, and -E with a plain | is used for the alternation because the \| form is a GNU grep extension that BSD (macOS) grep does not accept:

curl -sI https://yoursite.com | grep -iE 'x-frame|content-security|strict-transport|x-content-type'

Two caveats: HSTS is only sent over HTTPS, so run this against the https:// URL; and -I issues a HEAD request, which some servers and CDNs answer with different headers from a GET. curl -sS -o /dev/null -D - https://yoursite.com dumps the headers of a real GET and discards the body, and adding -L shows the headers of every hop in a redirect chain.
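The one-liner above shows which headers came back; it does not name the ones that did not. The following POSIX shell script is an added example, not Ben Greenberg's code or part of his post: it audits a header dump for the four headers the post discusses, reports each one as present or MISSING, warns when the HSTS max-age is shorter than one year (the minimum the HSTS preload list requires; whether a site needs that is a policy choice), and exits non-zero when anything is absent. The function names, the REQUIRED_HEADERS list and the sample response are this example's own; the sample is constructed, not captured from a real site, and yoursite.com in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not Ben Greenberg's script): audit an HTTP response-header
# dump for the security headers the post recommends. Header text is passed
# as a string, so the same functions work offline on a saved response and
# online when fed from curl.

# Headers the audit requires. Names are matched case-insensitively because
# HTTP header names are case-insensitive and servers capitalise them differently.
REQUIRED_HEADERS='strict-transport-security content-security-policy x-frame-options x-content-type-options'

# header_value HEADERS NAME: print the value of header NAME from the dump
# HEADERS (CRLF line endings tolerated), or nothing if it is absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*: *//'
}

# missing_headers HEADERS: print each required header that is absent, one per line.
missing_headers() {
    for name in $REQUIRED_HEADERS; do   # unquoted on purpose: split into words
        if [ -z "$(header_value "$1" "$name")" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# hsts_ok HEADERS: succeed only if Strict-Transport-Security is present with a
# max-age of at least one year (31536000 s), the minimum the HSTS preload list requires.
hsts_ok() {
    max_age=$(header_value "$1" strict-transport-security | tr 'A-Z' 'a-z' \
              | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# audit_headers HEADERS: print one line per required header, warn on a short
# HSTS max-age, and return 0 only when no required header is missing.
audit_headers() {
    missing=0
    for name in $REQUIRED_HEADERS; do
        value=$(header_value "$1" "$name")
        if [ -n "$value" ]; then
            printf 'present  %s: %s\n' "$name" "$value"
        else
            printf 'MISSING  %s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    if [ -n "$(header_value "$1" strict-transport-security)" ] && ! hsts_ok "$1"; then
        printf 'WARNING  strict-transport-security max-age is below one year\n'
    fi
    [ "$missing" -eq 0 ]
}

# Constructed sample response (not captured from a real site): HSTS, nosniff
# and framing protection are set, but Content-Security-Policy is absent.
SAMPLE_HEADERS='HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY'

audit_headers "$SAMPLE_HEADERS" || echo "audit failed: at least one required header is missing"

# Live use (network; yoursite.com is a placeholder): -D - writes the response
# headers to stdout and -o /dev/null discards the body, so a real GET is
# audited even on servers that answer HEAD differently from GET.
#   audit_headers "$(curl -sS -o /dev/null -D - https://yoursite.com)"
```

Against the constructed sample the script lists three headers as present, reports content-security-policy as MISSING and exits 1, which is what you want from a check wired into a deploy pipeline. Audit the https:// URL, since HSTS is only honoured when it arrives over TLS, and add -L to the curl call if the site redirects, so the headers of the final response are the ones examined.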

Practical Applications

  • Use case: Production site verification using curl -I to ensure security headers are active and correctly configured.
  • Pitfall: zero output from the grep means none of the filtered headers is present on that response. Before concluding that the site is unprotected, confirm the request went to the https:// URL and to the final page after any redirects, because HSTS is only sent over HTTPS and an interim redirect response may carry different headers from the page itself.

