Enter any public website and get an A-to-F grade for its HTTP security headers, with a plain-language explanation and fix for every gap. The URL you enter is processed by our server to perform the check and is not stored.
We fetch the target's response headers from our server, following up to three redirects, and grade the results. Only headers are retrieved. Page content is never stored.
Security headers are one thin layer. Our Certified Information Systems Auditors test your applications, network, people, and monitoring end to end, then deliver a risk-rated report you can act on.
HTTP security headers are directives a web server sends with each response that tell the browser how to behave more securely. They enforce HTTPS, block clickjacking, restrict where scripts can load from, and limit what information leaks to other sites. Missing headers are one of the most common and easily fixed web security weaknesses.
It grades Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It also flags information-leaking headers such as Server and X-Powered-By that reveal software versions to attackers.
Each header carries a weight based on the protection it provides, with Content-Security-Policy and HSTS weighted most heavily. The tool fetches the target's response headers, scores each one, and converts the total out of 100 into a letter grade from A to F, along with specific remediation guidance for every gap.
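The scoring described above can be sketched as follows. This is an added example, not the tool's own code: the weights, letter cut-offs, value checks and the `grade` and `header_ok` names are assumptions, since the page states only that Content-Security-Policy and HSTS weigh most and that the total is out of 100.

```python
import re

# Assumed weights summing to 100; the page only says CSP and HSTS weigh most.
WEIGHTS = {
    "content-security-policy": 25,
    "strict-transport-security": 25,
    "x-frame-options": 15,
    "x-content-type-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 10,
}
# Assumed letter cut-offs, highest first.
CUTOFFS = ((90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F"))
LEAKY = ("server", "x-powered-by")

def header_ok(name, h):
    """Return True when the header is present with a value that protects."""
    value = h.get(name, "").strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age\s*=\s*\"?(\d+)", value)
        return bool(m) and int(m.group(1)) > 0  # max-age=0 switches HSTS off
    if name == "x-frame-options":
        # CSP frame-ancestors gives the same framing protection.
        csp = h.get("content-security-policy", "").lower()
        return value in ("deny", "sameorigin") or "frame-ancestors" in csp
    if name == "x-content-type-options":
        return value == "nosniff"
    if name == "referrer-policy":
        return bool(value) and value != "unsafe-url"
    return bool(value)

def grade(headers):
    """Score a dict of response headers; return (score, letter, gaps, leaks)."""
    h = {k.lower(): v for k, v in headers.items()}
    gaps = [n for n in WEIGHTS if not header_ok(n, h)]
    score = sum(w for n, w in WEIGHTS.items() if n not in gaps)
    letter = next(g for cutoff, g in CUTOFFS if score >= cutoff)
    # Assumption: flag only values that carry a version number.
    leaks = [n for n in LEAKY if re.search(r"\d", h.get(n, ""))]
    return score, letter, gaps, leaks

# Constructed sample response headers (not taken from any real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx/1.18.0",
}
```

Calling `grade(SAMPLE)` shows why presence alone is not enough: the HSTS header is sent but disabled by `max-age=0`, while the missing X-Frame-Options is covered by the `frame-ancestors` directive.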
No. The URL you enter is processed by our server only to fetch the target's response headers, and it is not stored. Only response headers are retrieved; the page content is never proxied or saved.
No. Security headers are an important baseline, but they are only one layer. A comprehensive cybersecurity audit also evaluates your application logic, authentication, infrastructure, and monitoring. Use this tool as a quick check, then engage a professional audit for full assurance.