HTTP Security Headers Auditor
Grade any site's security headers in one command - and get the exact fix for every miss.
The HTTP Security Headers Auditor is a free, single-file command-line tool from Bug Circuit that tells you, in seconds, how well a website is protected by its HTTP response headers - and exactly what to change to improve it. Point it at a site you own or are authorized to test, and it fetches the page like a browser would, follows redirects, and inspects the headers the server returns. There is nothing to install: it is pure Python 3 standard library, so you download one file and run it.
It grades the headers that actually stop attacks - Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the Cross-Origin isolation headers - using a weighted model that gives partial credit for headers that are present but weakened (a CSP with 'unsafe-inline', a short HSTS max-age, a deprecated ALLOW-FROM). It also flags information-disclosure headers like Server and X-Powered-By that hand attackers a fingerprint of your stack. The result is a clean A+-to-F report with per-header PASS/WARN/FAIL status and a remediation block containing the exact header line to add.
Built for real workflows: --json gives you machine-readable output for dashboards and pipelines, and --min-grade returns a non-zero exit code so you can fail a CI build the moment your own site regresses below your bar. It is strictly passive and defensive - one browser-like GET request, no payloads, no exploitation, no evasion - and cross-platform across Windows, macOS, and Linux. Use it on your own assets to keep your header hygiene tight, release after release.
How to use
- Install Python 3.8 or newer (macOS and most Linux distros already have it; Windows users can grab it from python.org).
- Download bugcircuit-headers.py - it is a single file with no dependencies to install.
- Open a terminal in the folder and run: python3 bugcircuit-headers.py https://your-site.com
- Read the letter grade, then work through the Remediation block - each miss shows the exact header line to add.
- Add --json to get machine-readable output, or --min-grade B to fail a CI pipeline when your site drops below a B.
- Re-run after deploying your header changes to confirm the grade improved.
Example commands
python3 bugcircuit-headers.py https://example.com
python3 bugcircuit-headers.py example.com --no-color
python3 bugcircuit-headers.py --json https://example.com > report.json
python3 bugcircuit-headers.py --min-grade B https://staging.mysite.com
python3 bugcircuit-headers.py --insecure https://localhost:8443
python3 bugcircuit-headers.py --timeout 30 --max-redirects 5 https://example.comFree · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Downloads are free. You’ll sign in to a free store account (any email — takes 10 seconds) so you can re-download any time from your account.
Something not right with your order? Email [email protected] — the same team that runs our security audits makes it right.