Security Headers

Grade HTTP security headers — CSP, HSTS, X-Frame-Options, and more.

Security headers are HTTP response headers that harden a website against common attacks like XSS, clickjacking, and protocol downgrade. This tool inspects a URL's headers — Content-Security-Policy, HSTS, X-Frame-Options, Referrer-Policy, and more — and grades how well the site is protected, explaining each one. Use it to benchmark and improve your site's defensive posture.

Frequently asked questions

What are security headers?

Response headers that instruct the browser to enforce protections, reducing the impact of XSS, clickjacking, MIME sniffing, and insecure connections.

What is Content-Security-Policy?

CSP restricts which sources of scripts, styles, and other resources a page may load, making cross-site scripting much harder to exploit.

What does HSTS do?

Strict-Transport-Security forces browsers to use HTTPS for a domain, preventing downgrade and cookie-hijacking attacks.

Is a missing header a vulnerability?

Not on its own, but each missing header removes a layer of defence. The grade reflects how many protective layers are in place.

How do I add these headers?

Set them in your web server, CDN, or application config. Start with HSTS, X-Content-Type-Options, and a basic CSP.
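The two answers above describe grading by how many protective layers are present and which headers to start with. The following is an added example, not the tool's own grading logic: a small stdlib-only Python grader that takes a dictionary of response headers (here constructed inline rather than fetched), checks the headers the page names, and produces a score, a letter grade and per-header findings. The weights, thresholds (one-year HSTS max-age, letter boundaries) and the CSP checks are this example's assumptions, chosen to match common hardening guidance.

```python
import re
from typing import Callable, Dict, List, Tuple

# Weights per header are an assumption of this example, not the tool's scheme.
WEIGHTS = {
    "strict-transport-security": 25,
    "content-security-policy": 30,
    "x-frame-options": 15,
    "x-content-type-options": 15,
    "referrer-policy": 15,
}

# Policies that never send the path or query to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_hsts(value: str) -> Tuple[float, str]:
    """Partial credit for a short max-age or no includeSubDomains (assumed thresholds)."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match:
        return 0.0, "HSTS present but max-age missing"
    age = int(match.group(1))
    if age < 31536000:
        return 0.5, f"max-age {age}s is under one year"
    if "includesubdomains" not in value.lower():
        return 0.75, "missing includeSubDomains"
    return 1.0, "max-age of at least one year with includeSubDomains"


def check_csp(value: str) -> Tuple[float, str]:
    """Look at the effective script sources: script-src, else default-src."""
    policy = parse_csp(value)
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return 0.25, "neither default-src nor script-src set; scripts unrestricted"
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present
    # in the same directive, so only flag it when nothing neutralises it.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    problems = []
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        problems.append("'unsafe-inline' in script sources without a nonce or hash")
    if "'unsafe-eval'" in script:
        problems.append("'unsafe-eval' in script sources")
    if "*" in script:
        problems.append("wildcard '*' in script sources")
    if problems:
        return 0.5, "; ".join(problems)
    return 1.0, "script sources restricted"


def check_x_frame_options(value: str) -> Tuple[float, str]:
    upper = value.strip().upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return 1.0, f"{upper} blocks cross-origin framing"
    return 0.0, f"unrecognised value {value!r} (ALLOW-FROM is obsolete)"


def check_x_content_type_options(value: str) -> Tuple[float, str]:
    if value.strip().lower() == "nosniff":
        return 1.0, "nosniff disables MIME sniffing"
    return 0.0, f"value must be 'nosniff', got {value!r}"


def check_referrer_policy(value: str) -> Tuple[float, str]:
    # The header may list fallbacks; simplification: treat the last token as chosen.
    policies = [p.strip().lower() for p in value.split(",") if p.strip()]
    chosen = policies[-1] if policies else ""
    if chosen in SAFE_REFERRER_POLICIES:
        return 1.0, f"{chosen} keeps path and query off cross-origin requests"
    return 0.25, f"{chosen!r} may leak the full URL to other origins"


CHECKS: Dict[str, Callable[[str], Tuple[float, str]]] = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_x_frame_options,
    "x-content-type-options": check_x_content_type_options,
    "referrer-policy": check_referrer_policy,
}


def letter(score: float) -> str:
    """Assumed letter boundaries."""
    for floor, grade_letter in ((90, "A"), (75, "B"), (50, "C"), (25, "D")):
        if score >= floor:
            return grade_letter
    return "F"


def grade(headers: Dict[str, str]) -> Tuple[int, str, List[str]]:
    """Return (score out of 100, letter, findings) for one response's headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    score = 0.0
    findings: List[str] = []
    for name, weight in WEIGHTS.items():
        if name not in lower:
            findings.append(f"MISSING {name}: protective layer absent")
            continue
        credit, note = CHECKS[name](lower[name])
        score += weight * credit
        findings.append(f"{name}: {note}")
    return round(score), letter(score), findings


# Constructed sample header sets (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        score, grade_letter, findings = grade(hdrs)
        print(f"{label}: {score}/100 ({grade_letter})")
        for line in findings:
            print("  -", line)
```

Running it prints the weak set at 28/100 (D) with three missing layers and a too-short HSTS max-age, and the hardened set at 100/100 (A); the nonce in the hardened CSP is what keeps the leftover 'unsafe-inline' from costing points, which is a detail a simple string search for 'unsafe-inline' would get wrong.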