Security headers

Grade any site's security headers

Enter a URL and we fetch it from our server and grade the HTTP security headers it sends, from HSTS and CSP to clickjacking and MIME protections. You get a letter grade and copy-paste fixes for nginx or Caddy.

Public sites only. We block private, loopback, and cloud-metadata addresses. The domain you scan joins the public list below (domain and grade only, never who scanned it).

Recently checked

Domains visitors scanned, newest first. Click one to re-test it.

loading…

Most checked

The domains people test the most. Click one to re-test it.

loading…

What leaves your browser, and what this tool keeps

The URL you enter is sent to our server, which fetches that page's headers (not its content) and grades them. We follow up to five redirects and block any that resolve to private or internal addresses. This tool keeps one public record: the scanned domain, its grade, and how many times it has been scanned. It is never connected to whoever scanned it, paths and query strings are discarded, and IP-address scans are kept off the list. Verify in the source.