Security Headers Grader
Fetch any URL and grade its HTTP security headers A–F, with per-header analysis and remediation notes.
About the Security Headers Grader
The Security Headers Grader fetches any URL and grades the response's HTTP security headers on an A+ to F scale. It's the fastest way to answer a question every developer, SRE, and security engineer eventually asks: 'is this site's HTTPS configuration actually hardened, or are we just relying on TLS to save us?' The grade rolls up individual per-header scores for HSTS, Content-Security-Policy, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, and Cross-Origin-Embedder-Policy.
Each header check reports whether it is present, how it is configured, and a human-readable note explaining what a browser will do with the current value. We also surface disclosure headers (Server, X-Powered-By) and cookie count, because leaking your web-server version or framework fingerprint is a small but real recon gift to attackers. The report is dense enough for a security review yet friendly enough to hand to a developer with no security background.
Use the grader as part of a launch checklist, before a penetration test, when migrating a site behind a new CDN or WAF, or to prove regression when a header goes missing. It complements our CSP Evaluator (which dives deep into a single Content-Security-Policy value) and our SSL Checker (which grades the TLS layer beneath the headers).
How to use this tool
- 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
- 2Click the action button to run the check — results are computed instantly from our edge network.
- 3Review the parsed output, key fields and any warnings shown in the result card.
- 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.
Key features
- A+ to F grade with per-header scoring breakdown
- Covers HSTS, CSP, XFO, XCTO, Referrer-Policy, Permissions-Policy, COOP/CORP/COEP
- Notes explain the browser's actual behavior for each value
- Flags Server / X-Powered-By disclosure
- Follows redirects so you grade the real final URL