Free Tool
Score your HTTP security headers.
Paste a URL — we send a single HTTPS request and grade what your server returns. Anonymous lookups limited to 3/24h.
How HTTP security headers protect you
Browsers respect a set of standardized HTTP response headers that turn off entire classes of attack. CSP kills cross-site scripting. X-Frame-Options blocks clickjacking. Strict-Transport-Security forces HTTPS. We grade the eight most-important headers on a weighted 0-100 scale and surface the exact line you need to add to your reverse proxy.