Security Headers Grader
Paste response headers from curl -I — or fetch a live URL through our own relay — and get an OWASP-aligned letter grade with the exact directive each check earned, and the one-line fix for every miss.
The OWASP secure-headers baseline
| Header | What it defends | Recommended value |
|---|---|---|
| Strict-Transport-Security | Forces every future visit over HTTPS — kills protocol-downgrade attacks. | max-age=63072000; includeSubDomains; preload |
| Content-Security-Policy | Whitelists what can execute — the strongest XSS containment a site can ship. | default-src 'self'; script-src 'nonce-…'; object-src 'none'; base-uri 'self'; frame-ancestors 'self' |
| X-Content-Type-Options | Stops browsers MIME-sniffing responses into executable types. | nosniff |
| Frame ancestors / X-Frame-Options | Prevents your pages being framed for clickjacking overlays. | frame-ancestors 'self' (CSP) or X-Frame-Options: DENY |
| Referrer-Policy | Controls how much of the current URL leaks to other origins. | strict-origin-when-cross-origin |
| Permissions-Policy | Declares which powerful APIs (camera, mic, geolocation) the page may use. | geolocation=(), camera=(), microphone=() |
| COOP / COEP / CORP | Cross-origin isolation trio — unlocks SharedArrayBuffer, blocks cross-site leaks. | same-origin / require-corp / same-origin |
| Set-Cookie flags | Keeps session cookies off the wire and out of scripts. | Secure; HttpOnly; SameSite=Lax |
Why headers are the cheapest security you'll ever ship
Security headers are one-line server configs that close entire attack classes. HSTS eliminates protocol-downgrade and cookie-stripping attacks after the first visit. A real Content-Security-Policy turns most cross-site-scripting payloads into console errors instead of account takeovers. nosniff stops a mis-typed upload from executing as script. Compared to almost anything else on a security backlog, the effort-to-protection ratio here is absurd — which is exactly why audits and penetration tests check them first.
The grading in this tool follows the OWASP Secure Headers Project baseline, weighted by real-world impact: HSTS and CSP carry the most points, the cross-origin isolation trio is scored gently because it is context-dependent, and deprecated headers like X-XSS-Protection actually cost you notes rather than earning points — modern browsers ignore them, and the legacy XSS auditor they controlled introduced vulnerabilities of its own. Every verdict cites the exact directive that earned it, so nothing here is a black box.
The most common real-world miss is a CSP that exists but doesn't contain anything: script-src with 'unsafe-inline' and a pile of wildcards is barely better than no policy. The modern pattern is a strict CSP — nonces or hashes plus 'strict-dynamic' — with object-src 'none', base-uri 'self' and frame-ancestors declared. Roll it out in Report-Only mode first (this grader detects and labels that), watch the reports, then enforce.
Headers also intersect with SEO: HTTPS is a ranking signal, and page-experience quality includes not being flagged by the browser. Run the full picture with SEO Audit Pro — it embeds this exact grader as its security category — then fix crawl directives in the Robots.txt Studio and markup in the Meta Tags Studio.
Trusted for Hardening Reviews
“The directive-level CSP linting is what sets this apart — it caught 'unsafe-inline' hiding behind a nonce'd policy on one of our apps. Grades match what our pentest reports flag, and the copy-fix snippets go straight into the nginx config PR.”
“We gate releases on an A grade now. Paste mode means staging sites behind VPN can be checked without exposing anything, and the deprecated-header notes finally got X-XSS-Protection removed from our ancient Apache configs.”
“Went from F to A in one afternoon following the fix lines. The explanation of why SameSite=None without Secure is rejected saved me a genuinely confusing debugging session with an embedded widget.”
“Solid OWASP alignment and the point weighting is sensible — HSTS and CSP dominate as they should. I'd love SRI checking of script tags in the same view someday, but for header work this is now my first-stop tool with clients.”
Love using our calculator?
More of SEO Forge
Similar Calculators
More tools in the same category
SEO Audit Pro
Paste HTML or fetch a live URL and get a unified 85-check audit — on-page, technical, content, links, images, structured data and security — with weighted scores, a fix-first list and JSON/CSV/Markdown export.
SERP & Social Preview
Pixel-accurate Google SERP preview (desktop + mobile, canvas-measured Arial with query bolding) plus Facebook, X, LinkedIn, WhatsApp and Discord card mockups.
Meta Tags Studio
Build a complete, correct <head>: title and description with live character + pixel meters, canonical, robots directives, Open Graph and Twitter cards — copy one clean block.
Keyword Density & N-Grams
Exact keyword density, a placement matrix (title, H1, first 100 words, URL, alts), keyword proximity, 1–4-gram tables and top-word analysis — computed, not guessed.
Readability Scorer
All seven readability formulas — Flesch, Flesch–Kincaid, Gunning Fog, SMOG, Coleman–Liau, ARI, Dale–Chall — computed from first principles with per-sentence highlighting.
Robots.txt Studio
Generate robots.txt with AI-crawler policy presets (GPTBot, ClaudeBot, CCBot…) and test any URL against any file with RFC 9309 longest-match semantics — winning line highlighted.
Often Used Together
Complementary tools for complete analysis
Related Articles
Dive deeper with our expert guides and tutorials related to Security Headers Grader
OWASP baseline · HSTS · CSP · nosniff · frame-ancestors · Referrer-Policy · Permissions-Policy · cookies · paste or first-party fetch · Last reviewed: 2026-07