Security Headers Checker
Grade any site's HTTP response security headers, with a concrete fix for every miss.
Our server fetches the URL once and reads its response headers. Nothing is stored. Only check sites you're authorized to assess.
How it works
We send a single GET request to the URL and evaluate seven response headers that control browser
security behavior: Strict-Transport-Security, Content-Security-Policy,
X-Content-Type-Options, X-Frame-Options (or CSP frame-ancestors),
Referrer-Policy, Permissions-Policy, and version leakage in Server.
Each check is weighted; the grade reflects observed headers only. Full scoring detail on the
methodology page.
FAQ
Why do security headers matter?
They're the cheapest hardening you can ship: HSTS stops protocol-downgrade attacks, CSP blunts XSS,
frame protection kills clickjacking, and nosniff stops MIME confusion — each is one line
of server config.
Is a grade of A a guarantee the site is secure?
No. Headers are one layer. A site can have perfect headers and still be vulnerable elsewhere — this tool measures exactly one thing and says so.
Which header should I fix first?
HSTS and X-Content-Type-Options are near-zero-risk one-liners; do those today.
CSP has the biggest payoff but needs testing — roll it out in report-only mode first.