Security Headers
Grade a site's HTTP security headers (CSP, HSTS and more).
About the Security Headers tool
The Security Headers tool fetches a site's HTTP response headers and grades its security posture from A to F based on the presence and quality of headers like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options. It explains which protections are missing and why they matter, turning a complex audit into a clear letter grade. Use it to harden your site against clickjacking, XSS, and protocol downgrade attacks.
How to use
- Enter the URL of the site you want to grade.
- Click Scan to fetch and analyze the response headers.
- Review the overall A-to-F grade and per-header findings.
- Add the recommended missing headers to improve your score.
Frequently asked questions
- Which headers affect the grade?
  Key headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Missing or weak ones lower the score.
- What does Content-Security-Policy do?
  CSP restricts which sources of scripts, styles, and other content the browser may load, which is a strong defense against cross-site scripting (XSS).
- Why is HSTS important?
  Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks and cookie interception over insecure connections.
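
The presence-and-quality grading described above can be sketched offline as follows. This is an added example, not the tool's own code: the per-header quality rules, the two-points-per-header scoring, the letter thresholds and the sample headers are all assumptions made for illustration.

```python
# Added example: grade a set of response headers on presence and quality.
# The rubric below is an assumption, not the tool's actual scoring.

def hsts_ok(value):
    # Weak unless max-age is present and at least 180 days (assumed threshold).
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age":
            val = val.strip('"')
            return val.isdigit() and int(val) >= 15552000
    return False

def csp_ok(value):
    # Look at the directive that governs scripts: script-src, else default-src.
    directives = {}
    for d in value.split(";"):
        tokens = d.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # scripts are not restricted at all
    # Conservative: flags 'unsafe-inline' even when a nonce or hash overrides it.
    return not ({"'unsafe-inline'", "'unsafe-eval'", "*"} & set(sources))

CHECKS = {
    "content-security-policy": csp_ok,
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.strip().lower() in ("deny", "sameorigin"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.split(",")[-1].strip().lower() not in ("", "unsafe-url"),
}

def grade(headers):
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings, score = {}, 0
    for name, ok in CHECKS.items():
        if name not in h:
            findings[name] = "missing"
        else:
            good = ok(h[name])
            findings[name] = "ok" if good else "weak"
            score += 2 if good else 1
    for floor, letter in ((10, "A"), (8, "B"), (6, "C"), (4, "D")):
        if score >= floor:
            return letter, findings
    return "F", findings

SAMPLE = {  # constructed response headers, not captured from a real site
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
print(grade(SAMPLE))
```

In this sketch a header that is present but weak earns half credit, so the constructed sample is reported with its short HSTS max-age and inline-script CSP flagged separately from the two headers that are missing outright.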