Skip to content
OWASP baseline · HSTS · CSP · nosniff · clickjacking · cookies

Security Headers Grader

Paste response headers from curl -I — or fetch a live URL through our own relay — and get an OWASP-aligned letter grade with the exact directive each check earned, and the one-line fix for every miss.

Nothing leaves your browser
Reference

The OWASP secure-headers baseline

HeaderWhat it defendsRecommended value
Strict-Transport-SecurityForces every future visit over HTTPS — kills protocol-downgrade attacks.max-age=63072000; includeSubDomains; preload
Content-Security-PolicyWhitelists what can execute — the strongest XSS containment a site can ship.default-src 'self'; script-src 'nonce-…'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'
X-Content-Type-OptionsStops browsers MIME-sniffing responses into executable types.nosniff
Frame ancestors / X-Frame-OptionsPrevents your pages being framed for clickjacking overlays.frame-ancestors 'self' (CSP) or X-Frame-Options: DENY
Referrer-PolicyControls how much of the current URL leaks to other origins.strict-origin-when-cross-origin
Permissions-PolicyDeclares which powerful APIs (camera, mic, geolocation) the page may use.geolocation=(), camera=(), microphone=()
COOP / COEP / CORPCross-origin isolation trio — unlocks SharedArrayBuffer, blocks cross-site leaks.same-origin / require-corp / same-origin
Set-Cookie flagsKeeps session cookies off the wire and out of scripts.Secure; HttpOnly; SameSite=Lax
Field notes

Why headers are the cheapest security you'll ever ship

Security headers are one-line server configs that close entire attack classes. HSTS eliminates protocol-downgrade and cookie-stripping attacks after the first visit. A real Content-Security-Policy turns most cross-site-scripting payloads into console errors instead of account takeovers. nosniff stops a mis-typed upload from executing as script. Compared to almost anything else on a security backlog, the effort-to-protection ratio here is absurd — which is exactly why audits and penetration tests check them first.

The grading in this tool follows the OWASP Secure Headers Project baseline, weighted by real-world impact: HSTS and CSP carry the most points, the cross-origin isolation trio is scored gently because it is context-dependent, and deprecated headers like X-XSS-Protection actually cost you notes rather than earning points — modern browsers ignore them, and the legacy XSS auditor they controlled introduced vulnerabilities of its own. Every verdict cites the exact directive that earned it, so nothing here is a black box.

The most common real-world miss is a CSP that exists but doesn't contain anything: script-src with 'unsafe-inline' and a pile of wildcards is barely better than no policy. The modern pattern is a strict CSP — nonces or hashes plus 'strict-dynamic' — with object-src 'none', base-uri 'self' and frame-ancestors declared. Roll it out in Report-Only mode first (this grader detects and labels that), watch the reports, then enforce.

Headers also intersect with SEO: HTTPS is a ranking signal, and page-experience quality includes not being flagged by the browser. Run the full picture with SEO Audit Pro — it embeds this exact grader as its security category — then fix crawl directives in the Robots.txt Studio and markup in the Meta Tags Studio.

Security Headers Grader FAQs

Have more questions? Contact us

Trusted for Hardening Reviews

4.9
Based on 2,140 reviews

The directive-level CSP linting is what sets this apart — it caught 'unsafe-inline' hiding behind a nonce'd policy on one of our apps. Grades match what our pentest reports flag, and the copy-fix snippets go straight into the nginx config PR.

D
Dana Kowalski
Application security engineer
June 14, 2026

We gate releases on an A grade now. Paste mode means staging sites behind VPN can be checked without exposing anything, and the deprecated-header notes finally got X-XSS-Protection removed from our ancient Apache configs.

R
Ravi Menon
DevOps lead
May 22, 2026

Went from F to A in one afternoon following the fix lines. The explanation of why SameSite=None without Secure is rejected saved me a genuinely confusing debugging session with an embedded widget.

S
Sophie Turner
Full-stack developer
April 18, 2026

Solid OWASP alignment and the point weighting is sensible — HSTS and CSP dominate as they should. I'd love SRI checking of script tags in the same view someday, but for header work this is now my first-stop tool with clients.

J
Jonas Weber
Security consultant
March 9, 2026

Love using our calculator?

Connected instruments

More of SEO Forge

Learn More

Related Articles

Dive deeper with our expert guides and tutorials related to Security Headers Grader

Loading articles...

OWASP baseline · HSTS · CSP · nosniff · frame-ancestors · Referrer-Policy · Permissions-Policy · cookies · paste or first-party fetch · Last reviewed: 2026-07