Security Headers Grader
Grade your HTTP security headers - HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more. Get a letter score and remediation steps. Free and instant.
What it checks
Every header that matters for browser-side defense.
One request, one grade - covering transport, content policy, framing, and modern isolation primitives.
Strict-Transport-Security (HSTS)
Confirms HSTS is set, checks the max-age value (one year minimum for serious deployments), and flags whether includeSubDomains and preload are enabled.
Content-Security-Policy (CSP)
Parses your CSP, looks for unsafe-inline and unsafe-eval, and flags overly permissive script-src or missing object-src directives.
X-Frame-Options / frame-ancestors
Checks whether the page can be embedded in an iframe. A missing or weak setting opens the door to clickjacking.
X-Content-Type-Options
Verifies nosniff is set, which stops browsers from MIME-sniffing responses and reinterpreting your assets as a different content type.
Referrer-Policy
Inspects the referrer policy to make sure you're not leaking full URLs (with query strings and tokens) to third-party domains.
Permissions-Policy & COOP/COEP
Reads the modern Permissions-Policy header and the cross-origin isolation headers (COOP, COEP). COOP cuts the window.opener link between your page and cross-origin windows; together with COEP it puts the page in cross-origin isolated mode, which is what the browser requires before it grants SharedArrayBuffer and high-resolution timers.
How it works
From URL to letter grade in about a second.
Paste, run, read - then ship the fixes.
Paste your URL
Enter a full URL, scheme included. The grader follows redirects to the final destination and reads the response headers there.
We score each header
Every relevant security header is checked against modern best-practice values and weighted by its real-world impact.
Get a letter grade
You'll see an A-to-F score, the headers that helped or hurt, and exactly how to fix every issue.
Why this matters
Security headers are your free, no-deploy defense layer.
They are a configuration change rather than a code change, and they shut down entire classes of attacks inside the browser. The one that needs care is CSP: test it in report-only mode first, because a policy that is too tight breaks legitimate scripts.
XSS defense
A strict Content-Security-Policy is the most effective browser-side mitigation for cross-site scripting. It does not replace output encoding, but when an attacker does find an injection point, a nonce- or hash-based policy stops the injected script from executing.
Clickjacking
Without X-Frame-Options or CSP's frame-ancestors, an attacker can embed your site in an invisible iframe and trick users into clicking buttons they can't see - including logout, transfer, and confirm.
Compliance
Security headers are a baseline expectation in SOC 2, ISO 27001, and PCI-DSS audits. A clean grade is a clean conversation with your auditor; a missing HSTS is a remediation item with a deadline.
Reference
Each security header, one line of guidance.
The short version of what to set and why.
Strict-Transport-Security
Forces HTTPS for your domain. Set max-age to at least 31536000 (one year) and add includeSubDomains and preload once you're sure every subdomain, including internal ones, is HTTPS-ready. The preload directive does nothing by itself: you must submit the domain at hstspreload.org, and getting it removed again takes months, so treat preload as permanent.
Content-Security-Policy
Allowlists which scripts, styles, and resources can load on the page. The strongest browser-side mitigation for XSS, alongside output encoding. Avoid unsafe-inline; prefer nonces or hashes for the inline scripts you need, and set object-src 'none' so plugins cannot be used as a bypass.
X-Frame-Options
Use DENY or SAMEORIGIN to prevent your pages from being framed by attackers. Modern alternative: CSP's frame-ancestors directive. When both are present, browsers that understand frame-ancestors ignore X-Frame-Options, so keep the two consistent rather than relying on the legacy header to tighten the CSP one.
X-Content-Type-Options
Set to nosniff. Stops browsers from treating a response as a MIME type other than the one declared. The classic case is a user upload served as text/plain that a browser sniffs as HTML and renders, turning a harmless-looking file into stored XSS.
Referrer-Policy
strict-origin-when-cross-origin is a safe default (and what current browsers fall back to when no header is set, but set it explicitly so older clients and proxies behave the same way). no-referrer is the strictest. Avoid unsafe-url and no-referrer-when-downgrade, which send the full URL (including query strings) to third parties.
Permissions-Policy
Declares which browser features (camera, microphone, geolocation, payment) your site uses. Disable everything you don't need to reduce attack surface.
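The checks listed under "What it checks", the scoring described under "How it works", and the recommended values in this Reference section, worked through as an added example. This is not SiteTrak's grader: the point weights, the deductions and the letter bands are assumptions chosen for illustration, and the WEAK and HARDENED header sets are constructed fixtures, not captured responses. It does implement two nuances a practitioner would want checked: script-src falling back to default-src, and the CSP Level 2 rule that 'unsafe-inline' is ignored once a nonce or hash is present in the same directive.

```python
# Added example, not SiteTrak's grader: weights, deductions and letter bands are assumptions,
# and WEAK / HARDENED at the bottom are constructed header sets, so this runs offline.
import re

ONE_YEAR = 31536000  # HSTS max-age floor the Reference section recommends
WEIGHTS = {"hsts": 25, "csp": 30, "framing": 20, "nosniff": 10, "referrer": 10, "permissions": 5}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
ANY_ORIGIN = {"*", "http:", "https:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Split a CSP string into {directive: [tokens]}, lowercased for keyword matching."""
    policy = {}
    for part in (value or "").split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def hsts_points(value):
    if value is None:
        return 0, ["Strict-Transport-Security missing"]
    match = re.search(r"max-age=(\d+)", value, re.I)
    age = int(match.group(1)) if match else 0
    if age < ONE_YEAR:
        return 5, [f"HSTS max-age {age} is below one year"]
    findings = [f"HSTS without {f}" for f in ("includeSubDomains", "preload") if f.lower() not in value.lower()]
    return WEIGHTS["hsts"] - 5 * len(findings), findings

def csp_points(policy):
    if not policy:
        return 0, ["Content-Security-Policy missing"]
    findings = []
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts unrestricted")
    script = policy.get("script-src", policy.get("default-src", []))
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present in the
    # same directive, so it only counts as a hole when nothing stronger accompanies it.
    if "'unsafe-inline'" in script and not any(t.startswith(HASH_OR_NONCE) for t in script):
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if ANY_ORIGIN & set(script):
        findings.append("script-src allows any origin")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src not restricted")
    return max(WEIGHTS["csp"] - 10 * len(findings), 0), findings

def framing_points(xfo, policy):
    """frame-ancestors wins when present; X-Frame-Options is the legacy fallback."""
    if "frame-ancestors" in policy:
        if ANY_ORIGIN & set(policy["frame-ancestors"]):
            return 0, ["frame-ancestors allows any origin"]
        return WEIGHTS["framing"], []
    if (xfo or "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return WEIGHTS["framing"], []
    return 0, ["no frame-ancestors or X-Frame-Options: page can be framed"]

def referrer_points(value):
    if value is None:
        return 0, ["Referrer-Policy missing"]
    chosen = [t.strip().lower() for t in value.split(",")][-1]  # last listed fallback wins
    if chosen in SAFE_REFERRER:
        return WEIGHTS["referrer"], []
    return 0, [f"Referrer-Policy '{chosen}' is weaker than strict-origin-when-cross-origin"]

def letter(score):
    return next((g for floor, g in ((90, "A"), (80, "B"), (70, "C"), (60, "D")) if score >= floor), "F")

def grade(raw_headers):
    """Return score (0-100), letter grade and findings; header names match case-insensitively."""
    h = {k.lower(): v for k, v in raw_headers.items()}
    policy = parse_csp(h.get("content-security-policy"))
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    results = [
        hsts_points(h.get("strict-transport-security")),
        csp_points(policy),
        framing_points(h.get("x-frame-options"), policy),
        (WEIGHTS["nosniff"], []) if nosniff else (0, ["X-Content-Type-Options: nosniff missing"]),
        referrer_points(h.get("referrer-policy")),
        (WEIGHTS["permissions"], []) if "permissions-policy" in h else (0, ["Permissions-Policy missing"]),
    ]
    score = sum(points for points, _ in results)
    return {"score": score, "grade": letter(score), "findings": [f for _, fs in results for f in fs]}

# Constructed fixtures: an HTTPS site with token headers, and the Reference section's values.
WEAK = {"Strict-Transport-Security": "max-age=300", "Referrer-Policy": "unsafe-url",
        "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

if __name__ == "__main__":
    for name, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, grade(headers))
```

Run as a script it grades both fixtures: WEAK lands on an F because a short max-age, a wildcard default-src with both unsafe keywords, and a leaking Referrer-Policy cost almost every point, while HARDENED scores a full A. To grade a live site, fetch the final response after redirects with any HTTP client and pass its header mapping to grade(); the scoring itself never touches the network.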
FAQ
Frequently asked questions.
Quick answers about the grade and how to improve it.
How is the grade calculated?
Each header contributes points based on whether it's present and how strict the configuration is. HSTS, CSP, and X-Frame-Options carry the most weight because they block the largest attack classes. Missing or weak headers subtract from the total.
Why did I get an F when my site is on HTTPS?
HTTPS protects data in transit, but the headers we grade are a different layer - they tell the browser how to defend against XSS, clickjacking, MIME-sniffing, and referrer leakage. A site on HTTPS with no security headers is encrypted but still exploitable.
Is unsafe-inline really that bad in CSP?
Yes. unsafe-inline lets any injected script run, which defeats the entire point of CSP as an XSS defense. Use nonces or hashes for the inline scripts you actually need, and remove the directive. Leaving it in alongside a nonce or hash buys nothing on current browsers anyway: since CSP Level 2 they ignore unsafe-inline whenever a nonce or hash appears in the same directive, so the only browsers it "helps" are the ones that cannot enforce the policy properly in the first place.
How accurate is this grader?
It reads your real response headers from the edge and grades against the same rules Mozilla Observatory and modern security guides use. If a header is wrong here, it's wrong for your users too.
How often should I check?
On every deploy, especially after CDN or middleware changes. Header configs drift quietly - a Cloudflare rule edit or a Next.js middleware refactor can silently strip a header.
Can SiteTrak watch my security headers continuously?
Yes. SiteTrak monitors your security headers on a schedule and alerts the moment a header weakens, disappears, or changes value - the kind of regression nobody notices until it shows up in an audit.
Keep going
Other free tools you'll like.
Run one once, or set up SiteTrak and never run them again.
HTTP Header Inspector
Inspect every response header, redirect, cache directive, and CDN signature for any URL.
SSL / TLS Checker
Inspect the certificate, expiry, issuer, and TLS version for any domain.
CORS Checker
Test cross-origin request headers, preflight, and credentials policy for any URL.
Redirect Checker
Trace every hop in a redirect chain, with status codes and final destination.
