HTTP Security Headers Grader

Paste response headers and get an A-F security grade with remediation advice.

Free HTTP security headers grader. Paste your HTTP response headers and get an A to F grade plus per-header pass or fail for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, and CORP, with recommended values. Runs entirely offline. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How is the grade calculated?

Each security header carries a weight reflecting its importance, with Content-Security-Policy and HSTS weighted highest. The tool sums the points for headers that pass, divides by the maximum, and maps the percentage to a letter from A (90 percent or more) down to F.

Security headers are some of the highest-leverage, lowest-effort defences a web app can deploy, yet they are easy to forget. Paste your HTTP response headers here and get an instant A-F grade with a per-header breakdown and the exact value to add for anything that fails — all computed in your browser, nothing uploaded.

How it works

The grader parses your pasted headers into name/value pairs (case-insensitive) and runs each through a specific rule, not just a presence check:

HeaderPointsPass condition
Content-Security-Policy25Present and free of unsafe-inline / unsafe-eval
Strict-Transport-Security20max-age at least six months (15,552,000 s)
X-Content-Type-Options10Equals nosniff
X-Frame-Options10DENY or SAMEORIGIN, or CSP frame-ancestors set
Referrer-Policy10One of the privacy-preserving values
Permissions-Policy8Present
Cross-Origin-Opener-Policy6Set to an isolation value
Cross-Origin-Resource-Policy6Set to an isolation value
Cross-Origin-Embedder-Policy5Set to require-corp

Points are summed and mapped to a letter grade: A at 90%+, B at 75%+, C at 60%+, D at 45%+, E at 25%+, F below that.

How to capture your headers

The quickest way is a single curl command against your production domain:

curl -sI https://example.com

This prints only the response headers. Copy the output and paste it into the grader. For pages that require authentication, add a session cookie:

curl -sI -H "Cookie: session=yourvalue" https://example.com/dashboard

Alternatively, open Chrome DevTools, go to the Network tab, click the first request for your page, and copy all the response headers from the Headers panel.

Example grade breakdown

A site with HSTS, a clean CSP, nosniff, X-Frame-Options: DENY, and a strict referrer policy but no Permissions-Policy or cross-origin isolation headers typically scores:

  • CSP (25) + HSTS (20) + X-Content-Type (10) + X-Frame (10) + Referrer (10) = 75 points = B

Adding Permissions-Policy (+8) and COOP/CORP (+12) brings it to 95 — an A.

What each header actually defends against

  • CSP — cross-site scripting (XSS): restricts which scripts, styles, and resources the page may load.
  • HSTS — protocol downgrade and cookie hijacking: forces all connections to use HTTPS for the max-age duration.
  • X-Content-Type-Options: nosniff — MIME type confusion attacks: prevents the browser from guessing content type from content, which could cause a JS file served as text/plain to execute.
  • X-Frame-Options / CSP frame-ancestors — clickjacking: prevents the page from being embedded in a frame on another origin.
  • Referrer-Policy — information leakage: controls how much of the current URL is sent as Referer to external sites.
  • COOP / COEP / CORP — cross-origin side-channel attacks (Spectre-class): enables cross-origin isolation so the page cannot share a process with untrusted content.

Notes and tips

  • Prioritise CSP and HSTS first; together they account for over 40% of the score and block the most damaging attack classes.
  • Build CSP in report-only mode first (Content-Security-Policy-Report-Only) to collect violations before enforcing, then switch to the enforcing header.
  • Set headers at the edge (reverse proxy or CDN) so they apply uniformly to every response, including error pages and static assets that your application code might not set headers for.