Free tool · no signup

Security headers checker — grade your site A–F

Enter your website and see, in seconds, which HTTP security headers you send and which you are missing — with the exact line to fix each one. Then a human can look for the bugs headers don't show.

Free · no signup · we read your public response headers, exactly like a browser does. Nothing is attacked or logged into.

What does this tool do? It fetches your website’s HTTP response headers — the instructions your server sends to every visitor’s browser — and checks the six that matter for security: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. You get an A–F grade, a per-header breakdown, and the exact value to add for anything missing. It’s free, needs no signup, and never touches your site beyond one normal request.

What each header protects you from

Security headers are small instructions your server attaches to every page. Each one tells the browser to enforce a protection that stops a specific, common attack. Miss one and that protection simply isn’t there:

  • Strict-Transport-Security (HSTS) — forces every connection over HTTPS. Without it, an attacker on the same network can silently downgrade a visitor to plain HTTP and steal session cookies.
  • Content-Security-Policy (CSP) — the single strongest defense against cross-site scripting (XSS). It controls exactly which scripts and resources may run, so an injected <script> is blocked instead of executed.
  • X-Frame-Options / frame-ancestors — stops your pages being loaded inside a hidden iframe and used for clickjacking, where a visitor thinks they’re clicking your site but are really clicking an attacker’s overlay.
  • X-Content-Type-Options: nosniff — stops the browser from guessing a file’s type, a trick that can turn an innocent-looking upload into an executable script.
  • Referrer-Policy — controls how much of your URL (which can contain tokens or private paths) is leaked to other sites when a visitor clicks an outbound link.
  • Permissions-Policy — switches off powerful browser features you don’t use, like camera, microphone and geolocation, shrinking what a compromised page could abuse.

How to read your grade

We score the six headers by real-world impact — HSTS and CSP carry the most weight because they block the most damaging attacks — and turn the total into a letter grade:

How the header grade maps to your posture
GradeWhat it meansWhat to do
A+ / AEvery core header present and correctly configured.Keep it. Re-check after any server or CDN change.
BSolid, but one or two headers missing or weak.Add the flagged headers — usually a 5-minute change.
C / DSeveral key protections absent.Fix HSTS and CSP first; they carry the most risk.
FLittle or no header hardening in place.Add all of them — and get the rest of your site checked.

A low grade is good news in one sense: security headers are among the fastest, cheapest wins in web security. Most sites go from F to A with a handful of config lines and no code changes.

Headers are the surface — not the whole story

Here is the honest caveat every other header checker leaves out: a perfect header grade does not mean your website is secure. Headers are browser-level hardening. They do nothing about the flaws that actually get small businesses breached — broken access control (users reaching data that isn’t theirs), authentication weaknesses, SQL injection, and logic bugs in your forms, carts and checkout. Those live in your application, not your headers, and only surface when a person reasons about how your site is supposed to work.

That’s the difference between an automated check like this one and a real audit. Use this tool to fix your headers today — it’s worth doing. Then, if your site handles logins, payments or customer data, have a human look for the bugs a scanner can’t. Our Circuit audit is a one-time $49: a full manual review of your site with a written report of every issue found and exactly how to fix it. More on why that matters in manual vs automated penetration testing.

Common questions

What is a security headers checker?
A security headers checker reads the HTTP response headers your website sends to every visitor and tells you which browser-level security protections are present, which are missing, and how to add them. Headers like Strict-Transport-Security, Content-Security-Policy and X-Frame-Options instruct the browser to block whole classes of attack — HTTPS downgrade, cross-site scripting, clickjacking — but they only work if you actually send them. Our free tool fetches your headers the same way a browser does, grades them A–F, and gives you the exact line to add for each gap.
Which HTTP security headers matter most?
The two highest-impact headers are Strict-Transport-Security (HSTS), which forces HTTPS and stops downgrade and cookie-theft attacks, and Content-Security-Policy (CSP), the strongest defense against cross-site scripting. After those come X-Content-Type-Options: nosniff (stops MIME-sniffing), X-Frame-Options or CSP frame-ancestors (stops clickjacking), Referrer-Policy (controls URL leakage) and Permissions-Policy (switches off unused browser features like camera and microphone). Our checker grades all six and shows which you are missing.
Is this security headers test free?
Yes — completely free, no signup, no rate-limited teaser. Enter your domain and you get the full grade and every fix. We build these free tools because they are genuinely useful and because they introduce small businesses to what we do: a real human security audit of your whole site for a one-time $49.
Does a good header grade mean my website is secure?
No — and this is the most important thing to understand. Security headers are the surface. They are quick to check and quick to fix, which is exactly why they make a good free tool. But the vulnerabilities that actually get small websites hacked — broken access control, authentication weaknesses, SQL injection, business-logic bugs in your forms and checkout — do not show up in your headers at all. An A+ header grade with a broken login is still a hacked website waiting to happen. That deeper testing is what a human engineer does in our $49 manual audit.
How do I add security headers to my website?
It depends on your stack. On Nginx you add them with add_header directives in your server block; on Apache with Header set lines in .htaccess or the vhost; behind Cloudflare you can add them as Transform Rules; in Next.js via the headers() function in next.config; in WordPress via a security plugin or your theme functions. Our tool gives you the exact header value to use — you paste it into whichever of those applies to you. Start Content-Security-Policy in report-only mode so you can watch for breakage before enforcing it.
Will running this check affect my website?
No. The check is passive: it makes one ordinary GET request to your homepage and reads the response headers, exactly like a browser or search engine would. Nothing is attacked, nothing is logged into, and your site will not notice. It is safe to run on any site you want to inspect.

Keep reading

Fixed your headers? Now check the rest.

A human security engineer audits your whole site by hand — access control, auth, logic bugs — and sends a full report from $49.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →