Free security header audit - No signup

HTTP Header Checker

Grade any URL's HTTP response headers. We score HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, cross-origin isolation (COOP/COEP/CORP) and cookie flags — then explain how to fix what's missing.


What this HTTP header checker does

Enter any public URL and we fetch it server-side and read the raw HTTP response headers — the invisible instructions a server sends alongside every page. We parse the security-relevant ones, grade each against current best practice, and return an A–F report card with a short explanation and a concrete fix for every finding.

Unlike a simple "is the header present?" check, this tool reads inside each header: it parses your CSP directives, your HSTS max-age, your cookie flags and your Permissions-Policy, and flags contradictions like an obsolete X-Frame-Options sitting next to a modern frame-ancestors.

What gets checked

  • Transport: HTTPS and Strict-Transport-Security (HSTS) strength.
  • Content security: Content-Security-Policy quality, clickjacking protection (frame-ancestors / X-Frame-Options), X-Content-Type-Options.
  • Cross-origin isolation: COOP, COEP and CORP.
  • Privacy & policy: Referrer-Policy and Permissions-Policy.
  • Cookies: Secure, HttpOnly and SameSite flags on every Set-Cookie.
  • Information disclosure: Server and X-Powered-By version leakage.

How the score works

Each header is weighted by importance and contributes a fractional score from 0 to 1 (pass / partial / fail). The final score is the weighted average across every applicable check, rounded, then mapped to a letter grade: A 90+, B 80+, C 70+, D 60+, F below 60. Consistency checks (like a redundant X-Frame-Options) are surfaced for context but never change the score.

Frequently asked questions

Does this change anything on my site?

No. We send a single read-only request and analyze the response headers. Nothing is modified, and we never run active probes such as forged cross-origin requests.

Why did my CSP get only a warning?

A Content-Security-Policy is graded on quality, not just presence. Sources like 'unsafe-inline' or 'unsafe-eval' in script-src, or a wildcard *, weaken the policy and earn a partial score. Use nonces or hashes for inline scripts to reach a full pass.
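The scoring model from "How the score works" and the CSP quality rules from this answer, as an added worked example in Python (not the checker's own code): each check returns a fractional score, checks that do not apply (no Set-Cookie in the response) are left out of the weighted average, and the rounded result is mapped to the A–F scale given above. The check weights, the one-year HSTS max-age threshold, the set of Referrer-Policy values treated as a full pass and the two sample header sets are constructed assumptions. It goes one step beyond the text in one place: when a nonce or hash is present, CSP3 browsers ignore 'unsafe-inline' in that directive, so the example treats it as a harmless legacy fallback rather than a partial score.

```python
# Added example, not the tool's own code: a small weighted header grader that
# follows the scoring model and CSP quality rules described on this page.
# Weights, the HSTS threshold, GOOD_REFERRER and the sample headers are assumptions.
import re

ONE_YEAR = 31536000  # seconds; assumed HSTS max-age needed for a full pass

# Assumed relative weights; the real tool's weights are not published on the page.
WEIGHTS = {"hsts": 3.0, "csp": 3.0, "xcto": 1.0, "referrer": 1.0, "cookies": 2.0}

# Assumed set of Referrer-Policy values counted as a full pass.
GOOD_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; directive names lower-cased."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def score_csp(value):
    """1.0 = full pass, 0.5 = partial (weak sources), 0.0 = header missing."""
    if not value:
        return 0.0
    policy = parse_csp(value)
    # script-src falls back to default-src when absent, as browsers do.
    sources = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    weak = {"'unsafe-eval'", "*"}
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so it
    # only counts against the policy when no nonce/hash is there.
    if not has_nonce_or_hash:
        weak.add("'unsafe-inline'")
    return 0.5 if any(s in weak for s in sources) else 1.0


def score_hsts(value):
    """Full pass needs max-age >= one year and includeSubDomains (assumed rule)."""
    if not value:
        return 0.0
    directives = [d.strip().lower() for d in value.split(";")]
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    max_age = int(match.group(1)) if match else 0
    if max_age == 0:
        return 0.0  # max-age=0 (or missing) disables HSTS entirely
    return 1.0 if max_age >= ONE_YEAR and "includesubdomains" in directives else 0.5


def score_cookies(set_cookie_values):
    """Average over all cookies of the fraction of Secure/HttpOnly/SameSite present."""
    per_cookie = []
    for raw in set_cookie_values:
        attrs = [a.strip().lower() for a in raw.split(";")[1:]]
        flags = ("secure" in attrs, "httponly" in attrs,
                 any(a.startswith("samesite=") for a in attrs))
        per_cookie.append(sum(flags) / 3)
    return sum(per_cookie) / len(per_cookie)


def letter(score):
    """Map a 0-100 score to the page's A 90+, B 80+, C 70+, D 60+, F scale."""
    for threshold, grade_letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return grade_letter
    return "F"


def grade(headers):
    """headers: list of (name, value) pairs so repeated Set-Cookie lines survive.
    Returns (score 0-100, letter grade, per-check fractional scores)."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    def first(name):
        return by_name.get(name, [None])[0]

    referrer = (first("referrer-policy") or "").lower()
    results = {
        "hsts": score_hsts(first("strict-transport-security")),
        "csp": score_csp(first("content-security-policy")),
        "xcto": 1.0 if (first("x-content-type-options") or "").lower() == "nosniff" else 0.0,
        "referrer": 1.0 if referrer in GOOD_REFERRER else (0.5 if referrer else 0.0),
    }
    if by_name.get("set-cookie"):  # cookie check only applies when cookies are set
        results["cookies"] = score_cookies(by_name["set-cookie"])
    total_weight = sum(WEIGHTS[k] for k in results)
    weighted = sum(WEIGHTS[k] * v for k, v in results.items()) / total_weight
    score = round(weighted * 100)
    return score, letter(score), results


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "pref=1; Secure; HttpOnly; SameSite=Lax"),
]
STRONG_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        score, grade_letter, detail = grade(hdrs)
        print(f"{label}: {score} ({grade_letter}) {detail}")
```

With the assumed weights the weak sample lands at 50 (F): short HSTS max-age, 'unsafe-inline' without a nonce, a missing Referrer-Policy and one cookie with no flags each cost a partial or full fail. The strong sample scores 100 (A) even though it still carries 'unsafe-inline', because the nonce makes it a fallback only. Swap in your own response headers (for example from `curl -sI`) to see which check moves the grade.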

Do you check TLS / certificate configuration?

Not here — this tool focuses on response headers. Cipher suites and certificate chains are a separate concern; use a dedicated TLS analyzer for those.

Is the report cached?

Yes, for one hour per URL — shorter than our other tools, because security headers often change while you're actively fixing them. Cache hits are labeled in the result.