Security Headers Checker

Grade any site's HTTP response security headers, with a concrete fix for every miss.

Our server fetches the URL once and reads its response headers. Nothing is stored. Only check sites you're authorized to assess.

How it works

We send a single GET request to the URL and evaluate seven response headers that control browser security behavior: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options (or CSP frame-ancestors), Referrer-Policy, Permissions-Policy, and version leakage in Server. Each check is weighted; the grade reflects observed headers only. Full scoring detail on the methodology page.

FAQ

Why do security headers matter?

They're the cheapest hardening you can ship: HSTS stops protocol-downgrade attacks, CSP blunts XSS, frame protection kills clickjacking, and nosniff stops MIME confusion — each is one line of server config.

Is a grade of A a guarantee the site is secure?

No. Headers are one layer. A site can have perfect headers and still be vulnerable elsewhere — this tool measures exactly one thing and says so.

Which header should I fix first?

HSTS and X-Content-Type-Options are near-zero-risk one-liners; do those today. CSP has the biggest payoff but needs testing — roll it out in report-only mode first.

From the channel

Video thumbnail: Researcher Says Grok Build Uploaded Full Git History Researcher Says Grok Build Uploaded Full Git History Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸