Scan any site for security headers. Get a grade from A+ to F.
Scan any URL and get a security headers grade from A+ to F. Each header is individually checked against best practices and graded. Missing or misconfigured headers get flagged with specific recommendations.
An A or A+ grade means the site implements all critical security headers correctly. Most well-configured production sites score B or higher. An F typically means most security headers are missing entirely.
Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP) have the highest security impact. HSTS prevents protocol downgrade attacks, and CSP mitigates cross-site scripting (XSS). X-Content-Type-Options and X-Frame-Options are also important and easy to implement.
Security headers are set in your web server or CDN configuration. In Nginx, use the add_header directive. In Apache, use the Header set directive. Most CDNs (Cloudflare, Vercel, Netlify) let you configure headers in their dashboard or via config files.
Content-Security-Policy (CSP) is an HTTP header that tells browsers which sources of content (scripts, styles, images, etc.) are allowed to load on your page. It is the most effective browser-side defense against cross-site scripting attacks.
HSTS preloading is not required for a high grade, but it strengthens your HSTS implementation. Preloading adds your domain to browsers' built-in HSTS list, so even the very first visit uses HTTPS. Be cautious: preloading is difficult to undo.
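As an added illustration of the per-header checks and grading described on this page (example code, not the scanner's own implementation; the header rules, weights and letter cut-offs are assumptions chosen for the example), a small Python checker that grades a set of response headers and lists recommendations for the ones that fail:

```python
import re
from typing import Dict, List, Optional, Tuple

# Weights reflect the impact the page describes: HSTS and CSP highest (assumed values).
WEIGHTS = {"strict-transport-security": 3, "content-security-policy": 3,
           "x-content-type-options": 1, "x-frame-options": 1}


def check_header(name: str, value: Optional[str]) -> Tuple[bool, str]:
    """Check one header against a best-practice rule; return (passed, finding)."""
    if value is None:
        return False, f"{name} is missing"
    v = value.lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:  # assumed minimum: one year
            return False, "HSTS max-age should be at least one year"
        if "includesubdomains" not in v:
            return False, "HSTS should set includeSubDomains"
        return True, "ok"
    if name == "content-security-policy":
        if "default-src" not in v and "script-src" not in v:
            return False, "CSP should define default-src or script-src"
        if "'unsafe-inline'" in v or re.search(r"(^|\s)\*(\s|;|$)", v):
            return False, "CSP allows 'unsafe-inline' or a wildcard source"
        return True, "ok"
    if name == "x-content-type-options":
        ok = v.strip() == "nosniff"
        return ok, "ok" if ok else "X-Content-Type-Options should be nosniff"
    if name == "x-frame-options":
        ok = v.strip() in ("deny", "sameorigin")
        return ok, "ok" if ok else "X-Frame-Options should be DENY or SAMEORIGIN"
    return False, f"{name}: no rule defined"


def grade(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Grade a response's headers A+..F and collect recommendations (assumed scale)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score, findings = 0, []
    for name, weight in WEIGHTS.items():
        ok, finding = check_header(name, lower.get(name))
        if ok:
            score += weight
        else:
            findings.append(finding)
    total = sum(WEIGHTS.values())  # 8 with the weights above
    cutoffs = [("A+", total), ("A", total - 1), ("B", total - 2), ("C", 4), ("D", 1)]
    letter = next((g for g, floor in cutoffs if score >= floor), "F")
    return letter, findings
```

Feed it the headers from any HTTP response (for example the dict returned by an HTTP client) to get the letter grade and the list of findings.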