Is this security headers checker free?

Yes, completely free with no signup required. You can check as many websites as you want.

How does the security headers checker work?

The checker sends up to 3 requests to the target site: an HTTPS GET to read response headers, an HTTP request to test redirect behavior, and a CORS probe to check cross-origin configuration. It analyzes results against 11 security tests based on the Mozilla Observatory algorithm v5. The scan only reads headers — it does not modify anything on the target site.

Will scanning a website cause any damage?

No. The checker sends up to 3 lightweight HTTP requests — identical to what a normal browser does when visiting a page. It is completely non-intrusive and does not attempt to exploit or modify anything.

What is a good security headers grade?

Grades range from A+ to F across 13 levels. An A+ requires a score of 100 or above, meaning all tests pass with extra credit from well-configured headers. Scores of 90–99 earn an A. Anything below C (under 55) indicates significant gaps that should be addressed.

Why are HTTP security headers important?

HTTP security headers instruct browsers to enable built-in security features like XSS filters, clickjacking protection, and HTTPS enforcement. They are a low-effort, high-impact defense layer that takes minutes to configure but protects against entire categories of attacks.

How does scoring compare to Mozilla Observatory?

Our scoring uses the Observatory algorithm v5, starting at 100 and applying penalties and bonuses for each test. We also include additional checks like SRI, CORS, and cookie security analysis with CSRF token detection. The 13-grade scale (A+ through F) matches Observatory's grading system.

FreeSecurity Headers Checker

Analyze any website's HTTP security headers and get an instant grade from A+ to F — based on OWASP recommendations.

Instantly Score Your Security Headers

Drop in a URL. Get a real-time security headers report — no setup, no signup, no waiting.

Instant A+ to F grade
Missing headers identified
Exact score penalties per header
Works on any public website

Security headers grade card showing score summary with A+ to F rating

11 Security Tests Based on OWASP

Every scan runs 11 security checks following the Mozilla Observatory algorithm v5.

Content-Security-Policy (CSP) analysis
HSTS and HTTPS redirect checks
CORS misconfiguration detection
SRI and cookie security analysis

Scoring table showing 11 security test results with pass/fail indicators

Understand Every Security Header

Don't just see the results — understand what each header does and why it matters for your site's security.

Detailed explanation for every header
Score impact breakdown
Clear fix recommendations
CSP, HSTS, CORS, SRI and more

Methodology section showing detailed security header explanations in a card grid

Scan summary: —

Score: 0 / 100

Scan Time: —

Tests Passed: 0 / 0

Test	Score	Reason	Recommendation
* Bonus not applied — base score must be 90+ for extra credit.

What Are HTTP Security Headers?

HTTP security headers are directives sent by a web server that tell browsers how to behave when handling a site's content. They form a critical defense layer against cross-site scripting (XSS), clickjacking, protocol downgrade attacks, and data injection.

CSP

Content-Security-Policy

+10 to -25

The single most effective header against XSS. It specifies which sources the browser should accept for scripts, styles, images, and other resources. A well-configured CSP blocks inline scripts and restricts resource loading to trusted origins.

HSTS

Strict-Transport-Security

+5 to -20

Forces browsers to use HTTPS for all future requests to a domain. Prevents SSL-stripping attacks where an attacker downgrades a connection from HTTPS to HTTP. The preload directive adds your domain to a browser-built-in HTTPS-only list.

XFO

X-Frame-Options

0 to -20

Prevents your pages from being loaded inside iframes on other domains. This is the primary defense against clickjacking — where an attacker overlays invisible iframes to hijack user clicks. CSP frame-ancestors earns a +5 bonus.

Referrer-Policy

+5 to 0

Controls how much referrer information is included with requests. Browsers now default to strict-origin-when-cross-origin, so a missing header no longer penalizes your score. Explicitly setting a strict policy earns bonus points.

Permissions-Policy

Informational

Controls which browser APIs and features (camera, microphone, geolocation, payment, USB) can be used by the page and its iframes. Restricting unused features reduces your attack surface. Detected for visibility but not included in the score.

XCTO

X-Content-Type-Options

0 to -5

Setting this to "nosniff" prevents browsers from MIME-sniffing a response away from the declared Content-Type. Stops attacks where, for example, an uploaded text file gets interpreted as executable JavaScript.

CORS

Cross-Origin Resource Sharing

0 to -50

CORS controls which external origins can access your site's resources. A misconfigured Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials can expose authenticated user data to any website. The checker sends a CORS probe to detect overly permissive configurations.

RED

Redirection (HTTP → HTTPS)

0 to -20

Tests whether the site properly redirects HTTP requests to HTTPS. The checker follows the redirect chain from the HTTP version of your site and verifies it lands on a secure HTTPS URL. Sites that don't redirect or redirect to an insecure destination receive a penalty.

SRI

Subresource Integrity

+5 to -50

SRI ensures that third-party scripts and stylesheets haven't been tampered with by requiring cryptographic hashes in the integrity attribute. If a CDN or external host is compromised, the browser refuses to execute resources that don't match their expected hash.

CORP

Cross-Origin-Resource-Policy

0 to -5

Prevents other sites from loading your resources (images, scripts, etc.) without permission. Setting CORP to "same-origin" or "same-site" blocks unauthorized cross-origin embedding, protecting against Spectre-style side-channel attacks and data leaks.

info

Cross-Origin Isolation (COOP & COEP)

Informational

COOP (Cross-Origin-Opener-Policy) isolates your window from cross-origin popups. COEP (Cross-Origin-Embedder-Policy) ensures all embedded resources are explicitly shared. Together they enable cross-origin isolation for advanced APIs like SharedArrayBuffer. These are analyzed for visibility but not included in the score.

Scoring Methodology

Scoring follows the Mozilla Observatory algorithm v5. The base score starts at 100 and is adjusted by penalties and bonuses across 11 security tests. Extra credit from well-configured headers (like strict CSP or HSTS preloading) only counts if your base score (before bonuses) is 90 or above.

Score	Grade	Meaning
100+	A+	Outstanding — all tests pass with extra credit
95–99	A	Excellent — near-perfect security headers
90–94	A	Strong — core headers well configured
85–89	A-	Very good — minor improvements possible
80–84	B+	Good — most headers present
75–79	B	Above average
70–74	B	Decent — room for improvement
65–69	B-	Fair — several improvements needed
60–64	C+	Below average
55–59	C	Mediocre — significant gaps
50–54	C	Weak — many headers missing
45–49	C-	Poor configuration
40–44	D+	Very poor
35–39	D	Inadequate security headers
30–34	D	Bad — most headers missing
25–29	D-	Very bad
0–24	F	Critical — virtually no security headers

Need a Full DAST Scanner?

Security headers are just one piece of the puzzle. Dynamic Application Security Testing (DAST) tools crawl and attack your web app to find vulnerabilities like SQL injection, XSS, and authentication flaws.

Compare DAST Tools