Diagnostic suite · live

Security Headers Grader

Fetch any URL and grade its HTTP security headers A–F, with per-header analysis and remediation notes.

About the Security Headers Grader

The Security Headers Grader fetches any URL and grades the response's HTTP security headers on an A+ to F scale. It's the fastest way to answer a question every developer, SRE, and security engineer eventually asks: 'is this site's HTTPS configuration actually hardened, or are we just relying on TLS to save us?' The grade rolls up individual per-header scores for HSTS, Content-Security-Policy, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, and Cross-Origin-Embedder-Policy.

Each header check reports whether it is present, how it is configured, and a human-readable note explaining what a browser will do with the current value. We also surface disclosure headers (Server, X-Powered-By) and cookie count, because leaking your web-server version or framework fingerprint is a small but real recon gift to attackers. The report is dense enough for a security review yet friendly enough to hand to a developer with no security background.

Use the grader as part of a launch checklist, before a penetration test, when migrating a site behind a new CDN or WAF, or to prove regression when a header goes missing. It complements our CSP Evaluator (which dives deep into a single Content-Security-Policy value) and our SSL Checker (which grades the TLS layer beneath the headers).

How to use this tool

  1. 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
  2. 2Click the action button to run the check — results are computed instantly from our edge network.
  3. 3Review the parsed output, key fields and any warnings shown in the result card.
  4. 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.

Key features

  • A+ to F grade with per-header scoring breakdown
  • Covers HSTS, CSP, XFO, XCTO, Referrer-Policy, Permissions-Policy, COOP/CORP/COEP
  • Notes explain the browser's actual behavior for each value
  • Flags Server / X-Powered-By disclosure
  • Follows redirects so you grade the real final URL
Related searches: security headers scan · hsts checker · csp checker · x-frame-options tester · https security grader · securityheaders.com alternative

Frequently asked questions

Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options (or CSP frame-ancestors), X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, and Cross-Origin-Embedder-Policy.