
Build a Security Header Scanner in 50 Lines of Bash
You don't need Node.js, Python, or a framework to audit a website's security headers. All you need is curl and bash — tools already on every Unix system. Here's how to build a real, useful security header scanner in about 50 lines.

Why Security Headers Matter

Before we write a single line, the quick version:

Content-Security-Policy (CSP) — tells the browser which scripts/styles are allowed. Missing = XSS amplification.
Strict-Transport-Security (HSTS) — forces HTTPS. Missing = MITM risk.
X-Frame-Options — blocks clickjacking. Missing = your login page can be embedded in an iframe.
X-Content-Type-Options — stops MIME sniffing. Missing = content injection risk.
Referrer-Policy — controls what gets sent in Referer headers. Missing = data leakage.
Permissions-Policy — controls browser features (camera, mic, GPS). Missing = fingerprinting risk.

Security scanners check for these. Let's build one.

The Script

#!/usr/bin/env bash
# check-heade
Continue reading on Dev.to Tutorial
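The following is an added example, not the article's script, which is not reproduced past its first lines here: it checks a captured header dump for the six headers listed above, matching names case-insensitively and judging only the final response after redirects. The function names, the example.test host and the sample response are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the article's script: audit a captured header dump offline.

# The six headers the article lists, lowercased (header names are case-insensitive).
REQUIRED="content-security-policy strict-transport-security x-frame-options
x-content-type-options referrer-policy permissions-policy"

# Live use: print response headers only, following redirects.
fetch_headers() {
  curl -sS -L --max-time 10 -o /dev/null -D - "$1"
}

# Read raw header blocks on stdin and print the lowercased header names of the
# LAST response only. curl -L emits one block per redirect hop, so a header set
# on a 301 must not count as present on the final page.
final_header_names() {
  tr -d '\r' | awk '
    /^HTTP\//         { n = 0; next }
    /^[A-Za-z0-9-]+:/ { split($0, p, ":"); names[n++] = tolower(p[1]) }
    END               { for (i = 0; i < n; i++) print names[i] }'
}

# Read raw headers on stdin; print each required header that is absent.
missing_headers() {
  local names h
  names=$(final_header_names)
  for h in $REQUIRED; do
    printf '%s\n' "$names" | grep -qxF "$h" || printf '%s\n' "$h"
  done
}

# Print a MISSING line per absent header; exit status 1 if any is absent.
report() {
  local miss
  miss=$(missing_headers)
  if [ -z "$miss" ]; then echo "all six headers present"; return 0; fi
  printf '%s\n' "$miss" | sed 's/^/MISSING /'
  return 1
}

# Constructed sample: a redirect hop, then the final response.
sample() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\nX-Frame-Options: DENY\r\n\r\n'
  printf 'HTTP/2 200\r\ncontent-type: text/html\r\nStrict-Transport-Security: max-age=63072000\r\n'
  printf 'X-CONTENT-TYPE-OPTIONS: nosniff\r\nreferrer-policy: no-referrer\r\n\r\n'
}

sample | report || true   # live: fetch_headers https://example.test/ | report
```

The non-zero exit status from report makes the check usable as a CI gate; presence of a header says nothing about whether its value is a strong policy.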


