Security Headers
Overview
Security headers checker with letter grade, severity levels, batch scan, site compare, fix snippets, and shareable report card.
Inspect HTTP security headers on any site and get an instant letter grade — now with severity levels, fix snippets for Nginx/Apache/Express/Cloudflare, batch scanning, and side-by-side site comparison.

Security Headers scans any webpage's HTTP response headers and grades them A+ through F based on security best practices, weighted by real-world impact severity.

WHAT'S NEW IN v1.1.0:
- Severity Levels — Missing headers are classified as Critical (CSP, HSTS, X-Frame-Options), Important (Referrer-Policy, X-Content-Type-Options, Permissions-Policy), or Optional (COEP, CORP, COOP). Your grade is weighted accordingly so you can triage fast.
- Fix Recommendations with Copy-to-Clipboard — Every missing or weak header now shows exactly what to add, with tabs for Nginx, Apache, Express/Node, and Cloudflare. One click to copy the snippet.
- Batch Scan — Paste a list of URLs, scan them all, see results sorted by grade, and export as CSV. Perfect for auditing an entire domain portfolio.
- Compare Two Sites — Side-by-side grade cards and full per-header diff. Great for "our site vs competitor" or "staging vs prod" audits.
- Share Report as PNG — Canvas-rendered grade card you can copy to clipboard or download. Shareable on Slack, social media, or bug tickets.
- Detailed Attack Explanations — Every header now shows the attack it prevents and a real-world breach example (British Airways CSP bypass, Firesheep HSTS, Twitter clickjacking worm, Spectre COEP, and more).

Headers checked:
- Content-Security-Policy (CSP)
- Strict-Transport-Security (HSTS)
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
- Referrer-Policy
- Permissions-Policy
- Cross-Origin-Opener-Policy (COOP)
- Cross-Origin-Resource-Policy (CORP)
- Cross-Origin-Embedder-Policy (COEP)

Who is this for?
- Web developers verifying security headers before deployment
- Security engineers auditing websites for compliance
- DevOps teams checking header configurations at scale
- Anyone curious about a website's security posture

Privacy: Security Headers does not collect, transmit, or share any data. Scan history and preferences are stored locally using Chrome's built-in storage. No analytics, no telemetry, no third-party services.
0 out of 5. No ratings.
Details
- Version: 1.1.0
- Updated: April 17, 2026
- Size: 34.2KiB
- Languages: English
- Developer email: peakpostagent@gmail.com
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes