HTTP header checker

See a URL's response headers grouped by what they do — and a scorecard for the six security headers that matter most. Redirects are followed to the final destination, which is what gets scored.

The six security headers

Strict-Transport-Security (HSTS)
Tells browsers to only ever use HTTPS for the site, closing the brief window where a first plain-HTTP request could be intercepted.
Content-Security-Policy (CSP)
Allow-lists where scripts, styles and other resources may load from. The single most effective defence against cross-site scripting — and the hardest to get right.
X-Content-Type-Options: nosniff
Stops the browser from second-guessing a file's declared type, which can otherwise turn an upload into an executable script.
X-Frame-Options / CSP frame-ancestors
Stops other sites from embedding yours in an iframe to trick users into clicking (clickjacking).
Referrer-Policy
Limits how much of the current URL is sent to other sites when a user clicks a link — keeps query strings and paths from leaking.
Permissions-Policy
Switches off browser features you don't use — camera, microphone, geolocation — so a compromised script can't reach them.

What the grade means

The grade is simply how many of the six headers are present (A = all six, F = two or fewer). It's a quick prompt, not an audit — a header being present doesn't mean its value is strong. A weak Content-Security-Policy still counts as present here, so treat a good grade as "nothing obviously missing", then review the actual values.
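To make the scoring rule concrete, here is an added worked example (not the checker's own code) that applies it to an already fetched set of response headers. It mirrors exactly what is stated above: a header counts if it is present, A means all six, F means two or fewer, and the clickjacking slot is filled by either X-Frame-Options or a Content-Security-Policy that carries frame-ancestors. The letters for three, four and five present headers (D, C, B) are an assumption, as are the header buckets in group_headers() and the thresholds in review_values(); that last function illustrates the "then review the actual values" step and is not part of the tool's grade. Redirect following and the fetch itself are left out; the sample headers are constructed.

```python
"""Scorecard and grade for the six security headers (added example).

Not the checker's own code. Operates on an already fetched header dict and
mirrors the published rule: present counts, A = all six, F = two or fewer.
Letters for 3-5 present headers, the grouping buckets and the value-review
thresholds are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# One slot per security header. A slot is filled by any header in its tuple,
# so the clickjacking slot accepts X-Frame-Options or a CSP with frame-ancestors.
SECURITY_SLOTS: List[Tuple[str, Tuple[str, ...]]] = [
    ("Strict-Transport-Security", ("strict-transport-security",)),
    ("Content-Security-Policy", ("content-security-policy",)),
    ("X-Content-Type-Options", ("x-content-type-options",)),
    ("Clickjacking protection", ("x-frame-options", "content-security-policy")),
    ("Referrer-Policy", ("referrer-policy",)),
    ("Permissions-Policy", ("permissions-policy",)),
]

# Assumed letters for 3-5 present headers; only A and F are fixed by the page.
GRADES = {6: "A", 5: "B", 4: "C", 3: "D"}

# Assumed buckets for grouping non-security headers "by what they do".
CACHING = {"cache-control", "expires", "etag", "last-modified", "age", "vary"}
CONTENT = {"content-type", "content-length", "content-encoding", "content-language"}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lower-cased names."""
    return {name.lower(): value for name, value in headers.items()}


def scorecard(headers: Dict[str, str]) -> Dict[str, bool]:
    """Return slot -> present. Presence only; values are not judged here."""
    h = _lower(headers)
    card = {}
    for slot, names in SECURITY_SLOTS:
        present = False
        for name in names:
            value = h.get(name)
            if value is None:
                continue
            # A CSP without frame-ancestors does nothing against framing.
            if slot == "Clickjacking protection" and name == "content-security-policy":
                if "frame-ancestors" not in value.lower():
                    continue
            present = True
            break
        card[slot] = present
    return card


def grade(headers: Dict[str, str]) -> str:
    """A for all six, F for two or fewer; B-D in between (assumed mapping)."""
    return GRADES.get(sum(scorecard(headers).values()), "F")


def review_values(headers: Dict[str, str]) -> List[str]:
    """Findings a presence-only grade cannot show (illustrative thresholds)."""
    h = _lower(headers)
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) < 31536000:  # one year, a common recommendation
        findings.append(f"HSTS max-age={m.group(1)} is shorter than a year")
    csp = h.get("content-security-policy", "").lower()
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in csp:
            findings.append(f"CSP allows {weak}")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, not nosniff")
    return findings


def group_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket header names into security / caching / content / other."""
    security = {n for _, names in SECURITY_SLOTS for n in names}
    groups: Dict[str, List[str]] = {"security": [], "caching": [], "content": [], "other": []}
    for name in headers:
        key = name.lower()
        bucket = ("security" if key in security else "caching" if key in CACHING
                  else "content" if key in CONTENT else "other")
        groups[bucket].append(name)
    return groups


# Constructed response headers for the demo run, not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for slot, ok in scorecard(SAMPLE_HEADERS).items():
        print(f"{'present' if ok else 'MISSING'}  {slot}")
    print("grade:", grade(SAMPLE_HEADERS))  # B: Permissions-Policy is missing
    for finding in review_values(SAMPLE_HEADERS):
        print("review:", finding)
```

The sample response earns a B on presence alone while carrying a five-minute HSTS max-age and a CSP that permits inline scripts, which is exactly the gap between "nothing obviously missing" and "the values are strong" that the grade paragraph warns about.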

A note on what you're seeing

Headers are fetched from our server, not your browser, so what you see is what a server-side client receives. Some sites vary headers by user-agent or geography, and a few bot-protected endpoints answer automated clients differently than a browser. If a result looks off, compare it with your browser's network panel.
