Security Headers
Grade a site on HSTS, CSP, X-Frame-Options and other security headers.
Frequently asked questions
Which security headers are checked?
Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy — the headers that most affect a site's security posture.
What do the A to F grades mean?
The grade is a weighted score of which recommended security headers are present. A means nearly all are set correctly; F means most are missing.
Why do security headers matter?
They defend against clickjacking, MIME-sniffing, protocol downgrade and cross-site scripting. Adding them is one of the cheapest ways to harden a website.