Security Headers Grader
Paste a URL and get an instant A+ to F grade on its HTTP security headers — with copy-paste fixes for nginx, Vercel, and Next.js.
Security headers are the seatbelts of the web: a handful of HTTP response headers that tell browsers to force HTTPS, refuse injected scripts, block invisible iframes, and keep referrer data private. They protect your visitors against entire attack classes — XSS, clickjacking, downgrade attacks — and most take exactly one line of server configuration.
This grader reads only your response headers (never the page body), scores them against a transparent 100-point rubric, and turns every gap into a ready-to-paste fix for nginx, vercel.json, or next.config.ts. Expand any row to see exactly why it passed or failed and what to change.
Frequently asked questions
What are HTTP security headers?
Security headers are response headers your server sends that tell browsers to enforce protections: Content-Security-Policy blocks injected scripts, Strict-Transport-Security forces HTTPS, X-Frame-Options stops clickjacking, and Referrer-Policy keeps URLs private. Most take a single line of server configuration, which makes them some of the highest-leverage hardening available.
How is the grade calculated?
Eleven checks worth 100 points: Content-Security-Policy (25), Strict-Transport-Security (20), X-Content-Type-Options (10), X-Frame-Options (10), Referrer-Policy (10), then Permissions-Policy, COOP, COEP, CORP, and cookie flags (5 each). A deprecated X-XSS-Protection header costs 2 points. An A+ requires 95 or more plus a passing CSP and HSTS; A is 85+, B 70+, C 55+, D 40+, anything lower is an F.
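As an added illustration (not the grader's own code), here is a small Python scorer that applies the rubric above to constructed header sets. The per-check pass rules are assumptions, since the page states only the weights and grade bands: a header passes when present with a non-empty value, and the cookie check passes when every Set-Cookie carries Secure and HttpOnly.

```python
# Added example, not the grader's own code. ASSUMED pass rules: header present
# with a non-empty value; cookies pass when every Set-Cookie has Secure+HttpOnly.
from typing import Dict, Iterable, Tuple

WEIGHTS = (("content-security-policy", 25), ("strict-transport-security", 20),
           ("x-content-type-options", 10), ("x-frame-options", 10),
           ("referrer-policy", 10), ("permissions-policy", 5),
           ("cross-origin-opener-policy", 5), ("cross-origin-embedder-policy", 5),
           ("cross-origin-resource-policy", 5))  # rubric weights; cookies add 5
BANDS = ((85, "A"), (70, "B"), (55, "C"), (40, "D"))  # A+ handled separately

def cookies_ok(set_cookies: Iterable[str]) -> bool:
    """Assumed rule: every Set-Cookie carries both Secure and HttpOnly."""
    for cookie in set_cookies:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            return False
    return True  # vacuously true when the response sets no cookies

def grade(headers: Dict[str, str], set_cookies: Iterable[str] = ()) -> Tuple[int, str]:
    """Return (score, letter) for one response's headers, per the rubric."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    score = sum(pts for name, pts in WEIGHTS if h.get(name))
    score += 5 if cookies_ok(list(set_cookies)) else 0
    if "x-xss-protection" in h:
        score -= 2  # deprecated header is penalised, not rewarded
    if score >= 95 and h.get("content-security-policy") and h.get("strict-transport-security"):
        return score, "A+"
    return score, next((letter for floor, letter in BANDS if score >= floor), "F")

# Constructed sample responses, not real scan results.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}
PARTIAL = {  # the "one-line wins" plus HSTS, but a stray X-XSS-Protection
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer",
    "X-XSS-Protection": "1; mode=block",
}
```

`grade(HARDENED, ["sid=abc; Secure; HttpOnly; SameSite=Lax"])` yields (100, "A+"), while `grade(PARTIAL, ["sid=abc; Path=/"])` lands at (48, "D") because the unflagged cookie forfeits 5 points and the deprecated header costs 2.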
Will scanning affect the site?
No. Our server makes a single GET request to the URL you enter, reads the response headers, and discards the body immediately without downloading it. It's indistinguishable from one person visiting one page once.
What should I fix first?
Start with the one-line wins: X-Content-Type-Options, X-Frame-Options, and Referrer-Policy each take seconds and carry no breakage risk. Then add Strict-Transport-Security once you're confident everything serves over HTTPS. Save Content-Security-Policy for last — deploy it as Content-Security-Policy-Report-Only first, fix the violations it reports, then switch to enforcing.
More free tools
Metadata Viewer
See hidden data in your photos and PDFs: GPS location, camera info, author details.
Password Generator
Generate strong, random passwords with customisable rules. Created locally, never sent anywhere.
Contrast Checker
Test colour combinations against WCAG accessibility standards in real time.
Need this built into your product?
HG Studio builds custom tools, automations, and web apps. Let's talk.
Work with HG Studio