HTTP Security Headers Grader
loginThis tool is planned for a future release. Authentication and target-ownership verification will be required before it can be enabled.
This tool isn't available in the anonymous view. Sign in to access it.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
Which security headers does this tool grade?
The key headers checked: Content-Security-Policy (XSS mitigation), Strict-Transport-Security (HTTPS enforcement), X-Frame-Options (clickjacking prevention), X-Content-Type-Options: nosniff (MIME sniffing), Referrer-Policy (controls Referer header leakage), and Permissions-Policy (restricts browser features like camera/microphone).
What is the most impactful header to add?
Content-Security-Policy is the most powerful but complex — it restricts which scripts, styles, and resources browsers can load, significantly reducing XSS impact. Start with Strict-Transport-Security (max-age=31536000; includeSubDomains) as it's easy to add and prevents protocol downgrade attacks.
What score would a typical site get?
Most sites score D or F on automated header graders — missing CSP and Permissions-Policy is very common. An A grade requires all major headers including a non-trivial CSP. Even a B (HSTS + X-Frame-Options + nosniff + Referrer-Policy without CSP) significantly improves baseline security posture.