HTTP Security Headers Grader
Scan a website’s HTTP response headers and grade its security posture.
About the HTTP Security Headers Grader
Security headers tell browsers how to protect your visitors from attacks like cross-site scripting, clickjacking and protocol downgrade. Missing headers are a common and easily fixed weakness.
This grader fetches a URL and checks for the six most impactful security headers, then assigns a grade so you can see at a glance what to harden.
Frequently asked questions
At minimum: Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, and X-Frame-Options or a frame-ancestors CSP. A full Content-Security-Policy is the gold standard.
HSTS, X-Content-Type-Options and Referrer-Policy are safe to add. Content-Security-Policy needs testing first, ideally in report-only mode.
No — scans run on request and nothing is logged or stored.
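A compact version of the checks described above, written as an added example for this page and not the grader's own code: it validates header values rather than mere presence, counts Content-Security-Policy-Report-Only as staging rather than protection (the report-only point from the FAQ), and grades the five headers the page names. The letter scale, the HSTS max-age threshold and the sample header sets are assumptions constructed for the example.

```python
"""Grade a response's security headers by value, not just by presence."""
import re

# Assumed threshold: browsers preload lists expect at least one year of HSTS.
HSTS_MIN_MAX_AGE = 31536000


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}; empty input gives {}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers):
    """Return {check: (passed, what is required)}; names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    results["hsts"] = (m is not None and int(m.group(1)) >= HSTS_MIN_MAX_AGE,
                       "Strict-Transport-Security with max-age >= one year")
    results["nosniff"] = (h.get("x-content-type-options", "").strip().lower() == "nosniff",
                          "X-Content-Type-Options: nosniff")
    # Only an enforced policy counts; Report-Only is the testing stage the FAQ describes.
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    results["framing"] = (xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
                          "X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")
    results["csp"] = (bool(csp), "enforced Content-Security-Policy (Report-Only does not count)")
    results["referrer"] = ("referrer-policy" in h, "Referrer-Policy")
    return results


def grade(headers):
    """Assumed scale: one letter per failed check, F below two passes."""
    passed = sum(ok for ok, _ in check_headers(headers).values())
    return {5: "A", 4: "B", 3: "C", 2: "D"}.get(passed, "F")


# Constructed sample responses, not captured from any real site.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Frame-Options": "ALLOWALL",
}
```

Run `check_headers(SAMPLE_WEAK)` to see why each check fails: a short max-age, a report-only CSP and an invalid X-Frame-Options value all score as missing.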