Tool — Checks Any Live URL

Security Header Grader

Have a website? Eight in ten websites are missing at least one critical security header — leaving their visitors exposed to XSS attacks, clickjacking, and traffic interception. Enter any URL and find out where a site stands, in plain English.

What's the security score?

Enter any public URL. Results include every header checked, its current value, and a plain-English explanation. Click More Info on any row for a full fix guide.


What's being graded and why

Strict-Transport-Security
Forces HTTPS — prevents SSL stripping attacks where your connection is downgraded to unencrypted HTTP on public Wi-Fi.
Content-Security-Policy
Defines which scripts, styles, and resources are allowed. The primary defence against XSS injection attacks.
X-Frame-Options
Prevents iframe embedding — blocks clickjacking attacks where your site is invisibly layered over another page.
X-Content-Type-Options
Stops browsers from guessing file types — prevents MIME-sniffing exploits where a text file is executed as a script.
Referrer-Policy
Controls URL data shared when visitors click links — stops session tokens and private paths leaking to third parties.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation) the page and any embedded third-party scripts or frames may use, so ad networks cannot silently access them.
X-XSS-Protection
A deprecated legacy header. Modern browsers have removed the XSS auditor entirely, so the only correct value is an explicit 0, which also disables the auditor in older browsers that still ship it.
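As an added example (not the grader's own code), the checks below encode the seven rules listed above in Python and turn a set of response headers into a letter grade. The thresholds (a one-year HSTS max-age, the accepted Referrer-Policy values), the letter-grade scale and the two header sets are this example's own assumptions and constructed samples; `fetch_headers` is the only part that touches the network.

```python
"""Grade HTTP security headers. Added example; thresholds and grade scale are assumptions."""
from __future__ import annotations

import urllib.request
from typing import Mapping

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def check_hsts(v: str | None) -> tuple[bool, str]:
    if v is None:
        return False, "missing: HTTPS can be stripped to plain HTTP"
    max_age = 0
    for part in v.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            max_age = int(val)
    if max_age < ONE_YEAR:
        return False, f"max-age={max_age} is below one year"
    return True, "present with a one-year max-age"


def check_csp(v: str | None) -> tuple[bool, str]:
    if v is None:
        return False, "missing: nothing limits which scripts may run"
    directives: dict[str, list[str]] = {}
    for directive in v.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src governs scripts; default-src is the fallback when it is absent
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script and not any(
            t.startswith(("'nonce-", "'sha")) for t in script):
        return False, "scripts allow 'unsafe-inline' without a nonce or hash"
    return True, "present"


def check_xfo(v: str | None, csp: str | None) -> tuple[bool, str]:
    if csp and "frame-ancestors" in csp.lower():
        return True, "CSP frame-ancestors covers framing"
    if v is None:
        return False, "missing: page can be framed for clickjacking"
    if v.strip().upper() in ("DENY", "SAMEORIGIN"):
        return True, v.strip().upper()
    return False, f"unsupported value {v!r}"


def check_nosniff(v: str | None) -> tuple[bool, str]:
    ok = v is not None and v.strip().lower() == "nosniff"
    return ok, "nosniff" if ok else "missing or not 'nosniff': MIME sniffing allowed"


def check_referrer(v: str | None) -> tuple[bool, str]:
    if v is None:
        return False, "missing: full URL sent to third parties"
    policy = v.split(",")[-1].strip().lower()  # last listed value wins
    ok = policy in SAFE_REFERRER
    return ok, policy if ok else f"{policy!r} leaks paths and query strings"


def check_permissions(v: str | None) -> tuple[bool, str]:
    return (True, "present") if v else (False, "missing: camera/mic/location unrestricted")


def check_xss(v: str | None) -> tuple[bool, str]:
    if v is None or v.strip() == "0":
        return True, "absent or 0 (legacy auditor disabled)"
    return False, f"{v!r} re-enables the removed XSS auditor; set to 0"


def grade(headers: Mapping[str, str]) -> dict:
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy")
    results = {
        "Strict-Transport-Security": check_hsts(h.get("strict-transport-security")),
        "Content-Security-Policy": check_csp(csp),
        "X-Frame-Options": check_xfo(h.get("x-frame-options"), csp),
        "X-Content-Type-Options": check_nosniff(h.get("x-content-type-options")),
        "Referrer-Policy": check_referrer(h.get("referrer-policy")),
        "Permissions-Policy": check_permissions(h.get("permissions-policy")),
        "X-XSS-Protection": check_xss(h.get("x-xss-protection")),
    }
    fails = sum(1 for ok, _ in results.values() if not ok)
    return {"grade": "ABCDF"[min(fails, 4)], "failures": fails, "results": results}


def fetch_headers(url: str) -> dict[str, str]:
    """Return the final response's headers for a live URL (network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-grader-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


HARDENED = {  # constructed sample
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0",
}
WEAK = {  # constructed sample
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Referrer-Policy": "unsafe-url",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        report = grade(sample)
        print(f"{name}: grade {report['grade']} ({report['failures']} failing)")
        for header, (ok, msg) in report["results"].items():
            print(f"  {'PASS' if ok else 'FAIL'} {header}: {msg}")
```

Run it as-is to grade the two constructed samples, or call `grade(fetch_headers("https://example.com"))` against a site you operate. Note that X-Frame-Options is treated as satisfied when the CSP carries `frame-ancestors`, and that an absent X-XSS-Protection header is not penalised, since the only harmful case is a value that turns the legacy auditor back on.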