Security headers checker — grade your site A–F
Enter your website and see, in seconds, which HTTP security headers you send and which you are missing — with the exact line to fix each one. Then a human can look for the bugs headers don't show.
Free · no signup · we read your public response headers, exactly like a browser does. Nothing is attacked or logged into.
What each header protects you from
Security headers are small instructions your server attaches to every page. Each one tells the browser to enforce a protection that stops a specific, common attack. Miss one and that protection simply isn’t there:
- Strict-Transport-Security (HSTS) — forces every connection over HTTPS. Without it, an attacker on the same network can silently downgrade a visitor to plain HTTP and steal session cookies.
- Content-Security-Policy (CSP) — the single strongest defense against cross-site scripting (XSS). It controls exactly which scripts and resources may run, so an injected
<script>is blocked instead of executed. - X-Frame-Options / frame-ancestors — stops your pages being loaded inside a hidden iframe and used for clickjacking, where a visitor thinks they’re clicking your site but are really clicking an attacker’s overlay.
- X-Content-Type-Options: nosniff — stops the browser from guessing a file’s type, a trick that can turn an innocent-looking upload into an executable script.
- Referrer-Policy — controls how much of your URL (which can contain tokens or private paths) is leaked to other sites when a visitor clicks an outbound link.
- Permissions-Policy — switches off powerful browser features you don’t use, like camera, microphone and geolocation, shrinking what a compromised page could abuse.
How to read your grade
We score the six headers by real-world impact — HSTS and CSP carry the most weight because they block the most damaging attacks — and turn the total into a letter grade:
| Grade | What it means | What to do |
|---|---|---|
| A+ / A | Every core header present and correctly configured. | Keep it. Re-check after any server or CDN change. |
| B | Solid, but one or two headers missing or weak. | Add the flagged headers — usually a 5-minute change. |
| C / D | Several key protections absent. | Fix HSTS and CSP first; they carry the most risk. |
| F | Little or no header hardening in place. | Add all of them — and get the rest of your site checked. |
A low grade is good news in one sense: security headers are among the fastest, cheapest wins in web security. Most sites go from F to A with a handful of config lines and no code changes.
Headers are the surface — not the whole story
Here is the honest caveat every other header checker leaves out: a perfect header grade does not mean your website is secure. Headers are browser-level hardening. They do nothing about the flaws that actually get small businesses breached — broken access control (users reaching data that isn’t theirs), authentication weaknesses, SQL injection, and logic bugs in your forms, carts and checkout. Those live in your application, not your headers, and only surface when a person reasons about how your site is supposed to work.
That’s the difference between an automated check like this one and a real audit. Use this tool to fix your headers today — it’s worth doing. Then, if your site handles logins, payments or customer data, have a human look for the bugs a scanner can’t. Our Circuit audit is a one-time $49: a full manual review of your site with a written report of every issue found and exactly how to fix it. More on why that matters in manual vs automated penetration testing.
Common questions
What is a security headers checker?
Which HTTP security headers matter most?
Is this security headers test free?
Does a good header grade mean my website is secure?
How do I add security headers to my website?
Will running this check affect my website?
Keep reading
Fixed your headers? Now check the rest.
A human security engineer audits your whole site by hand — access control, auth, logic bugs — and sends a full report from $49.