Security Headers

Grade a site on HSTS, CSP, X-Frame-Options and other security headers.

Frequently asked questions

Which security headers are checked?

Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy — the headers that most affect a site's security posture.

What do the A to F grades mean?

The grade is a weighted score of which recommended security headers are present. A means nearly all are set correctly; F means most are missing.

Why do security headers matter?

They defend against clickjacking, MIME-sniffing, protocol downgrade and cross-site scripting. Adding them is one of the cheapest ways to harden a website.