[ W.2 — SECURITY HEADERS ]

Security headers, graded.

Scan any URL and grade its security headers from A+ to F. Full CSP directive analysis, HSTS preload eligibility, Permissions-Policy breakdown, plus the usual response, redirect chain, and caching fields.

Last reviewed: May 2026


How the grade is calculated

Each of the six tracked headers is worth a specific number of points:

  • Strict-Transport-Security — 20 points (full credit at max-age ≥ 1 year), plus a 5-point bonus for the includeSubDomains; preload combination that makes the domain eligible for the HSTS preload list.
  • Content-Security-Policy — 20 points if present, minus deductions for 'unsafe-inline' (-5), 'unsafe-eval' (-5), and wildcards in script-src or default-src (-10). A CSP that allows everything is worth less than one carefully scoped.
  • X-Content-Type-Options: nosniff — 15 points.
  • X-Frame-Options or CSP frame-ancestors — 15 points. Either one closes the clickjacking gap; CSP frame-ancestors is the modern preference.
  • Referrer-Policy — 15 points, unless set to unsafe-url.
  • Permissions-Policy — 15 points.

The total maps to a letter: A+ at 95-100 (perfect with the HSTS preload bonus), A at 85-94, B at 70-84, C at 55-69, D at 40-54, and F below 40.
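As an added example (not the tool's own source), this JavaScript grader applies the point table above to a set of response headers. The half credit for an HSTS max-age under one year, counting 'unsafe-inline'/'unsafe-eval' in any directive, treating only a bare * as a wildcard, and capping the total at 100 are assumptions the page does not state.

```javascript
// Added example: a grader for the point table above (not the tool's own code). Lines marked ASSUMPTION go beyond the page.
const ONE_YEAR = 31536000; // seconds, the HSTS preload threshold
// Parse a CSP string into { directive: [lower-cased source tokens] }.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}
function gradeHeaders(headers) {
  // Case-insensitive lookup over a plain object of header name -> value.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const notes = []; let score = 0;
  // Strict-Transport-Security: 20 at max-age >= 1 year, +5 for includeSubDomains + preload.
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const dirs = hsts.toLowerCase().split(';').map((d) => d.trim());
    const maxAge = Number((dirs.find((d) => d.startsWith('max-age=')) || 'max-age=0').slice(8));
    if (maxAge >= ONE_YEAR) score += 20;
    else { score += 10; notes.push('HSTS max-age below one year'); } // ASSUMPTION: half credit
    if (maxAge >= ONE_YEAR && dirs.includes('includesubdomains') && dirs.includes('preload')) score += 5;
  } else notes.push('missing Strict-Transport-Security');
  // Content-Security-Policy: 20 if present, -5 unsafe-inline, -5 unsafe-eval, -10 bare * in script-src/default-src.
  const policy = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  if (h['content-security-policy']) {
    const all = Object.values(policy).flat(); // ASSUMPTION: 'unsafe-*' counted wherever it appears
    let pts = 20;
    if (all.includes("'unsafe-inline'")) { pts -= 5; notes.push("CSP allows 'unsafe-inline'"); }
    if (all.includes("'unsafe-eval'")) { pts -= 5; notes.push("CSP allows 'unsafe-eval'"); }
    const scripty = [...(policy['script-src'] || []), ...(policy['default-src'] || [])];
    if (scripty.includes('*')) { pts -= 10; notes.push('wildcard in script-src or default-src'); }
    score += pts;
  } else notes.push('missing Content-Security-Policy');
  if ((h['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff') score += 15;
  else notes.push('missing X-Content-Type-Options: nosniff');
  if (h['x-frame-options'] || policy['frame-ancestors']) score += 15; // either closes the clickjacking gap
  else notes.push('no X-Frame-Options or CSP frame-ancestors');
  const rp = (h['referrer-policy'] || '').trim().toLowerCase();
  if (rp && rp !== 'unsafe-url') score += 15;
  else notes.push(rp ? 'Referrer-Policy is unsafe-url' : 'missing Referrer-Policy');
  if (h['permissions-policy']) score += 15;
  else notes.push('missing Permissions-Policy');
  score = Math.min(score, 100); // ASSUMPTION: the preload bonus cannot push the total past 100
  const grade = score >= 95 ? 'A+' : score >= 85 ? 'A' : score >= 70 ? 'B' : score >= 55 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade, notes };
}
```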

What HTTP headers actually are

When a browser fetches a webpage, the server responds with two parts: the body (the HTML, image, JSON — the actual content) and the response headers. Headers carry instructions about how the body should be handled: what type of content it is, how long it can be cached, whether the page should be allowed inside an iframe, what the server is running, where to redirect to. Headers are invisible to most users but they govern almost every interesting behaviour the browser performs.

This tool fetches any URL from a Cloudflare Worker (so your own IP is never exposed to the target site), grades the security headers, and shows the full response: status code, every redirect hop along the way, and every header the server sent back.

Why security headers matter

A handful of response headers tell the browser to enforce specific protections on the page. Missing any one of them isn't catastrophic on its own, but a thoughtful site has them all set:

  • Strict-Transport-Security (HSTS) — forces the browser to use HTTPS for this domain, even when a link uses http://. Defends against downgrade attacks. Submitting to the HSTS preload list extends that protection to first-time visitors who haven't seen the header yet.
  • Content-Security-Policy (CSP) — controls what scripts, styles, and other resources the page is allowed to load. The single strongest defence against cross-site scripting (XSS). The deeper analysis above flags 'unsafe-inline', 'unsafe-eval', and wildcard sources — the three common ways CSPs end up paper-thin.
  • X-Frame-Options — stops other sites from embedding this page in an <iframe>, which prevents clickjacking. CSP's frame-ancestors directive does the same job and is the modern replacement.
  • X-Content-Type-Options: nosniff — tells the browser to trust the server's content type and not "guess" it from the bytes. Defends against certain XSS and content-confusion attacks.
  • Referrer-Policy — controls how much of the current URL is sent in the Referer header on outbound clicks. strict-origin-when-cross-origin is a good default.
  • Permissions-Policy — gates which browser features (camera, microphone, geolocation, and others) the page can use. Less critical for static content; more important for sites that handle sensitive permissions.

HSTS preload — the upgrade for HSTS

Plain HSTS only kicks in after the browser sees the header at least once. That first request is still vulnerable to downgrade. The preload list ships baked into the browser binary — so for any domain on the list, even the very first request is forced to HTTPS. The eligibility check above mirrors the requirements at hstspreload.org: max-age ≥ 1 year, includeSubDomains, and the preload directive. Meeting all three doesn't preload you automatically — you still have to submit at hstspreload.org — but it's the signal that you're ready.

What this tool doesn't do

  • It only fetches with GET. Endpoints that respond differently to HEAD or other methods aren't tested here.
  • It follows up to five redirects, then stops and returns a redirect-loop error.
  • It refuses to inspect literal private/loopback IP addresses (10.x, 127.x, 192.168.x, etc.) so the endpoint can't be used as an SSRF probe.
  • It doesn't grade certificates, parse the response body, or run synthetic XSS tests. For TLS specifics, the SSL inspector is the right place.