HTTP Security Headers Checker

Enter any website URL and get an instant A+ to F grade for its HTTP security headers. We fetch the live response headers and score the six that matter most - HSTS, Content-Security-Policy, X-Content-Type-Options, clickjacking protection, Referrer-Policy and Permissions-Policy - then show you the exact header to add for anything that is missing or weak.

No scheme? We assume https://. Private, internal and reserved addresses are blocked. Example: https://example.com.

What are HTTP security headers?

HTTP security headers are response headers a web server sends to instruct the browser how to behave more safely - which scripts it may run, whether the page may be framed, and whether to stay on HTTPS. They switch on defence-in-depth at the browser level, blocking whole classes of attack (XSS, clickjacking, protocol downgrade, MIME sniffing) with little or no change to application code. The one exception is Content-Security-Policy, which usually means moving inline scripts and styles into external files or tagging them with nonces before it can be enforced.

What is a good security headers grade?

A good grade is A or A+. An A+ means every key header is present and correctly configured: HSTS with a max-age of at least one year, a Content-Security-Policy whose script sources do not rely on 'unsafe-inline' or 'unsafe-eval', X-Content-Type-Options: nosniff, clickjacking protection, a strict Referrer-Policy and a Permissions-Policy. A, B and C mean progressively more headers are missing or weakened; D and F mean most are absent.

Which headers does this tool grade?

  • Strict-Transport-Security (HSTS) - RFC 6797. Tells browsers to use only HTTPS for the site for max-age seconds, which blocks protocol-downgrade attacks and stops cookies being sent over plain HTTP. Aim for max-age=63072000; includeSubDomains; preload. Check first that every subdomain serves valid HTTPS, because includeSubDomains applies to all of them, and treat preload as a one-way door: it requires submission to the browser preload list and is slow to undo.
  • Content-Security-Policy (CSP) - W3C CSP Level 3. Allow-lists the sources of scripts, styles and frames the browser may load; the single strongest mitigation for cross-site scripting (XSS). Avoid 'unsafe-inline' and 'unsafe-eval' in script sources; use nonces or hashes (optionally with 'strict-dynamic') for inline scripts instead.
  • X-Content-Type-Options - must be nosniff so the browser does not reinterpret a response as an executable MIME type, for example a user upload served as text/plain being run as script.
  • X-Frame-Options / frame-ancestors - RFC 7034. Stops other sites from framing yours (clickjacking). X-Frame-Options: DENY or SAMEORIGIN, or a CSP frame-ancestors directive, satisfies this; frame-ancestors is the modern replacement, and when both are present browsers that support it ignore X-Frame-Options.
  • Referrer-Policy - W3C Referrer Policy. Controls how much of your URL is leaked in the Referer header. strict-origin-when-cross-origin is a sensible default: full URL same-origin, origin only cross-origin, nothing on an HTTPS-to-HTTP downgrade. Current browsers apply it when no header is set, but send it explicitly rather than rely on that.
  • Permissions-Policy - W3C Permissions Policy, which replaces the deprecated Feature-Policy. Disables powerful browser features you do not use, for example Permissions-Policy: camera=(), microphone=(), geolocation=().

What does the R grade mean?

R is shown when the URL you entered redirects to a different host. Grading the redirect target's headers under the original address would be misleading, so we report R and ask you to re-scan the final URL directly. This matches the convention used by securityheaders.com (there is no E grade).

How is the grade calculated?

Each header carries a weight by impact: CSP 25, HSTS 20, clickjacking protection 15, Referrer-Policy 15, Permissions-Policy 15 and X-Content-Type-Options 10, for 100 points. A header that is present but weak earns partial credit. A+ is reserved for a clean sheet - every header present and correctly set. Information-disclosure headers (Server, X-Powered-By) are flagged as advisories but do not change the score.
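As an added example (not the tool's own code), here is a grader in Python that applies the weights above and the per-header rules from the list of graded headers: it parses each header, awards full or partial credit, reserves A+ for a clean sheet, reports Server and X-Powered-By as advisories that do not change the score, and attaches the header to add for anything missing or weak. The letter cut-offs (A 90, B 75, C 60, D 40), the partial-credit fractions, the suggested values and the sample response are assumptions made for the example.

```python
import re

# Weights from the page: CSP 25, HSTS 20, clickjacking 15, Referrer-Policy 15, Permissions-Policy 15, nosniff 10.
WEIGHTS = {"csp": 25, "hsts": 20, "clickjacking": 15, "referrer": 15, "permissions": 15, "nosniff": 10}
# Header suggested when a check is missing or weak (illustrative values).
SUGGESTIONS = {
    "csp": "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'",
    "hsts": "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
    "clickjacking": "X-Frame-Options: SAMEORIGIN",
    "referrer": "Referrer-Policy: strict-origin-when-cross-origin",
    "permissions": "Permissions-Policy: camera=(), microphone=(), geolocation=()",
    "nosniff": "X-Content-Type-Options: nosniff",
}
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
CUTOFFS = (("A", 90), ("B", 75), ("C", 60), ("D", 40))   # assumed cut-offs; A+ needs a perfect sheet


def _csp_directives(value):
    """Parse 'name src src; name src' into {name: [sources]}, lower-cased."""
    parts = [p.split() for p in value.lower().split(";")]
    return {p[0]: p[1:] for p in parts if p}


def _hsts(v):
    if v is None:
        return 0.0, "missing"
    m = re.search(r"max-age\s*=\s*(\d+)", v, re.I)
    if not m:
        return 0.0, "no max-age directive"
    # Full credit for one year (31536000 s) or more, half credit for anything shorter.
    return (1.0, "ok") if int(m.group(1)) >= 31536000 else (0.5, "max-age shorter than one year")


def _csp(v):
    if v is None:
        return 0.0, "missing"
    d = _csp_directives(v)
    script = d.get("script-src", d.get("default-src"))   # effective script policy
    if script is None:
        return 0.5, "no script-src or default-src"
    # A nonce or hash makes CSP Level 2+ browsers ignore 'unsafe-inline'; 'unsafe-eval' always counts.
    overridden = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
    weak = [kw for kw in ("'unsafe-inline'", "'unsafe-eval'")
            if kw in script and not (kw == "'unsafe-inline'" and overridden)]
    return (0.5, "script sources allow " + ", ".join(weak)) if weak else (1.0, "ok")


def _clickjacking(xfo, csp):
    # frame-ancestors wins when present: browsers that support it ignore X-Frame-Options.
    fa = _csp_directives(csp).get("frame-ancestors") if csp else None
    if fa is not None:
        return (0.5, "frame-ancestors allows any origin") if "*" in fa else (1.0, "ok (frame-ancestors)")
    if xfo is None:
        return 0.0, "missing"
    if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return 1.0, "ok (X-Frame-Options)"
    return 0.5, "value not honoured by current browsers (ALLOW-FROM is obsolete)"


def _referrer(v):
    if v is None:
        return 0.0, "missing"
    policy = ([p.strip().lower() for p in v.split(",") if p.strip()] or [""])[-1]  # last one wins
    if policy in STRICT_REFERRER:
        return 1.0, "ok"
    if policy == "unsafe-url":
        return 0.0, "unsafe-url sends the full URL to every origin"
    return 0.5, "leaks URL or origin cross-origin: " + policy


def _permissions(pp, fp):
    if pp:
        return 1.0, "ok"
    return (0.5, "only the deprecated Feature-Policy is set") if fp else (0.0, "missing")


def _nosniff(v):
    if v is None:
        return 0.0, "missing"
    return (1.0, "ok") if v.strip().lower() == "nosniff" else (0.0, "value is not nosniff")


def grade(headers):
    """Score a response-header mapping (names are case-insensitive)."""
    h = {k.lower().strip(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy")
    results = {"csp": _csp(csp), "hsts": _hsts(h.get("strict-transport-security")),
               "clickjacking": _clickjacking(h.get("x-frame-options"), csp),
               "referrer": _referrer(h.get("referrer-policy")),
               "permissions": _permissions(h.get("permissions-policy"), h.get("feature-policy")),
               "nosniff": _nosniff(h.get("x-content-type-options"))}
    findings, score = [], 0.0
    for name, (fraction, note) in results.items():
        score += WEIGHTS[name] * fraction
        findings.append({"check": name, "earned": WEIGHTS[name] * fraction, "note": note,
                         "suggestion": None if fraction == 1.0 else SUGGESTIONS[name]})
    if all(f == 1.0 for f, _ in results.values()):
        letter = "A+"   # clean sheet only
    else:
        letter = next((l for l, cut in CUTOFFS if score >= cut), "F")
    # Information-disclosure headers are advisories and never move the score.
    advisories = [f"{n}: {h[n]}" for n in ("server", "x-powered-by") if n in h]
    return {"score": score, "grade": letter, "findings": findings, "advisories": advisories}


# Constructed sample response, not a real scan result: grades D with 47.5 points.
SAMPLE = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}
```

Two design choices are worth noting. The clickjacking check looks at frame-ancestors before X-Frame-Options because that is the precedence browsers apply, so a permissive frame-ancestors * is scored as weak even when X-Frame-Options: DENY is also sent. The CSP check ignores 'unsafe-inline' when a nonce or hash is present, mirroring how CSP Level 2+ browsers treat that common backwards-compatibility pattern.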

Is this an open proxy?

No. The scanner fetches only the single public URL you type, through an SSRF-safe client that resolves each hostname, refuses private, internal, loopback, link-local and cloud-metadata addresses, and re-runs that check on every redirect hop rather than letting the HTTP library follow redirects blindly. It reads response headers only - it never returns page content - so it cannot be used to fetch or relay arbitrary content through our server.
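An added example in Python, not the scanner's actual code, of the validate-every-hop discipline described above: each hostname is resolved and every returned address is checked against loopback, private, link-local, reserved and cloud-metadata ranges (including IPv4-mapped IPv6 forms), redirects are followed by hand so the same check runs on each Location, and a change of host produces the R signal. The fake DNS table and responses are constructed so the example runs offline; the resolve and fetch callables are injected so the same code can be wired to the real resolver and HTTP client.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Metadata endpoints are not all in private ranges (Alibaba's 100.100.100.200 is in
# shared address space), so list the known ones as well as using the class checks.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal", "metadata"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",   # AWS / GCP / Azure / OpenStack IMDS
    "fd00:ec2::254/128",    # AWS IMDS over IPv6
    "100.64.0.0/10",        # shared address space (CGNAT), home of Alibaba's IMDS
)]
REDIRECTS = (301, 302, 303, 307, 308)

class UnsafeTarget(Exception):
    """Any URL the scanner must refuse to contact."""

def default_resolve(host):
    # All A/AAAA answers for the host; every one of them has to pass the check.
    return {ipaddress.ip_address(r[4][0]) for r in socket.getaddrinfo(host, None)}

def is_blocked_address(ip):
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:          # ::ffff:127.0.0.1 must be judged as 127.0.0.1
        ip = mapped
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return True
    return any(ip in net for net in BLOCKED_NETS)

def validate_target(url, resolve=default_resolve):
    """Return (scheme, host, port) for a public http(s) URL, else raise UnsafeTarget.
    Literal IPs are checked directly; anything else, including spellings such as 127.1
    or 2130706433 that the system resolver still turns into 127.0.0.1, is resolved and
    every returned address is checked."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").rstrip(".")
    if not host or parts.username or parts.password:
        raise UnsafeTarget("missing host, or credentials embedded in the URL")
    if host in BLOCKED_HOSTS:
        raise UnsafeTarget(f"{host} is blocked by name")
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise UnsafeTarget(f"{host} does not resolve")
    for ip in addrs:
        if is_blocked_address(ip):
            raise UnsafeTarget(f"{host} resolves to blocked address {ip}")
    return parts.scheme, host, parts.port

def is_safe_target(url, resolve=default_resolve):
    try:
        validate_target(url, resolve)
        return True
    except UnsafeTarget:
        return False

def fetch_headers(url, fetch, resolve=default_resolve, max_hops=5):
    """Follow redirects by hand, validating every hop. fetch(url) must return
    (status, headers) without following redirects or reading a body. Returns
    (final_url, headers, left_original_host); the flag is the R-grade signal."""
    current = url if "://" in url else "https://" + url
    start_host = None
    for _ in range(max_hops + 1):
        _, host, _ = validate_target(current, resolve)   # every hop, not only the first
        start_host = start_host or host
        status, headers = fetch(current)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECTS and location:
            current = urljoin(current, location)   # Location may be relative
            continue
        return current, headers, host != start_host
    raise UnsafeTarget(f"more than {max_hops} redirects")

def scan(url, fetch, resolve=default_resolve):
    """What the tool would report: headers for grading, "R" if the host changed,
    or an error when the target (or any hop) is refused."""
    try:
        final_url, headers, moved = fetch_headers(url, fetch, resolve)
    except UnsafeTarget as exc:
        return {"error": str(exc)}
    return {"final_url": final_url, "headers": headers, "grade": "R" if moved else None}

# Constructed DNS answers and responses so the example runs offline.
FAKE_DNS = {
    "example.com": {ipaddress.ip_address("93.184.216.34")},
    "www.example.com": {ipaddress.ip_address("93.184.216.34")},
    "redirector.test": {ipaddress.ip_address("93.184.216.35")},
    "split.test": {ipaddress.ip_address("93.184.216.36"), ipaddress.ip_address("10.0.0.5")},
}
FAKE_SITE = {
    "https://example.com": (301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=63072000"}),
    "https://redirector.test/": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
}
def fake_resolve(host):
    return FAKE_DNS.get(host, set())
def fake_fetch(url):
    return FAKE_SITE[url]
```

One caveat the example does not close: validating an address and then letting the HTTP client resolve the name again leaves a window for DNS rebinding, where the second answer points inside. A production client should connect to the address it validated (pinning the IP while sending the original Host header and SNI) or at least resolve once and reuse that answer for the connection.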

Frequently Asked Questions

Do security headers slow down my site?
No. They are a few bytes of response metadata with no measurable performance cost. The browser reads them once per response; there is no extra request, no script execution, and no rendering delay.
Which header should I add first?
Start with the quick wins that rarely break anything: X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN and Referrer-Policy: strict-origin-when-cross-origin. Two things to check before you do: that your scripts and stylesheets are served with the correct Content-Type (nosniff makes the browser refuse mislabelled ones), and that no other origin legitimately embeds your pages in a frame. Then enable HSTS once you are confident HTTPS works everywhere, starting with a short max-age and raising it, and build a Content-Security-Policy last, since it needs testing against your real assets; Content-Security-Policy-Report-Only lets you do that without blocking anything.
Why did I get an R grade?
Because the URL redirected to a different host (for example http://example.com to https://www.example.com). We do not grade the destination under the original address - copy the final URL shown and scan it directly for an accurate grade.
Is X-Frame-Options still needed if I have a CSP?
If your Content-Security-Policy includes a frame-ancestors directive, that is the modern, preferred protection and this tool counts it as a pass. Browsers that support frame-ancestors ignore X-Frame-Options when both are present, so the two cannot conflict. X-Frame-Options (RFC 7034) remains useful for older browsers that do not honour frame-ancestors, so many sites still send both.
Why does removing the Server header matter?
Headers like Server and X-Powered-By advertise your exact software and version, which helps an attacker match known exploits. Trimming or removing them is a small, free reduction in reconnaissance surface - though it is hardening, not a substitute for patching.

How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.