Security headers are some of the highest-leverage, lowest-effort defences a web app can deploy, yet they are easy to forget. Paste your HTTP response headers here and get an instant A-F grade with a per-header breakdown and the exact value to add for anything that fails — all computed in your browser, nothing uploaded.
How it works
The grader parses your pasted headers into name/value pairs (case-insensitive) and runs each through a specific rule, not just a presence check:
| Header | Points | Pass condition |
|---|---|---|
| Content-Security-Policy | 25 | Present and free of unsafe-inline / unsafe-eval |
| Strict-Transport-Security | 20 | max-age at least six months (15,552,000 s) |
| X-Content-Type-Options | 10 | Equals nosniff |
| X-Frame-Options | 10 | DENY or SAMEORIGIN, or CSP frame-ancestors set |
| Referrer-Policy | 10 | One of the privacy-preserving values |
| Permissions-Policy | 8 | Present |
| Cross-Origin-Opener-Policy | 6 | Set to an isolation value |
| Cross-Origin-Resource-Policy | 6 | Set to an isolation value |
| Cross-Origin-Embedder-Policy | 5 | Set to require-corp |
Points are summed and mapped to a letter grade: A at 90%+, B at 75%+, C at 60%+, D at 45%+, E at 25%+, F below that.
How to capture your headers
The quickest way is a single curl command against your production domain:
curl -sI https://example.com
This prints only the response headers. Copy the output and paste it into the grader. For pages that require authentication, add a session cookie:
curl -sI -H "Cookie: session=yourvalue" https://example.com/dashboard
Alternatively, open Chrome DevTools, go to the Network tab, click the first request for your page, and copy all the response headers from the Headers panel.
Example grade breakdown
A site with HSTS, a clean CSP, nosniff, X-Frame-Options: DENY, and a strict referrer policy but no Permissions-Policy or cross-origin isolation headers typically scores:
- CSP (25) + HSTS (20) + X-Content-Type (10) + X-Frame (10) + Referrer (10) = 75 points = B
Adding Permissions-Policy (+8) and COOP/CORP (+12) brings it to 95 — an A.
What each header actually defends against
- CSP — cross-site scripting (XSS): restricts which scripts, styles, and resources the page may load.
- HSTS — protocol downgrade and cookie hijacking: forces all connections to use HTTPS for the
max-ageduration. - X-Content-Type-Options: nosniff — MIME type confusion attacks: prevents the browser from guessing content type from content, which could cause a JS file served as
text/plainto execute. - X-Frame-Options / CSP frame-ancestors — clickjacking: prevents the page from being embedded in a frame on another origin.
- Referrer-Policy — information leakage: controls how much of the current URL is sent as
Refererto external sites. - COOP / COEP / CORP — cross-origin side-channel attacks (Spectre-class): enables cross-origin isolation so the page cannot share a process with untrusted content.
Notes and tips
- Prioritise CSP and HSTS first; together they account for over 40% of the score and block the most damaging attack classes.
- Build CSP in report-only mode first (
Content-Security-Policy-Report-Only) to collect violations before enforcing, then switch to the enforcing header. - Set headers at the edge (reverse proxy or CDN) so they apply uniformly to every response, including error pages and static assets that your application code might not set headers for.