Free Security Headers Scanner

Enter a public URL. The scanner fetches it via Vercel edge, follows redirects (recording the chain), then grades the response headers against the modern web security baseline: HSTS strength, CSP weaknesses (unsafe-inline / unsafe-eval / wildcard default-src), MIME sniffing protection, clickjacking protection, referrer policy, permissions policy, COOP, and server header leaks. Each finding includes a concrete recommendation.

How to use

  1. Type a URL (https:// or http://). Press Scan.
  2. Within a second the score card shows a letter grade (A to F) and a numeric score.
  3. Read each finding. Green means a meaningful protection is in place. Amber means partial. Red means a header is missing or actively harmful. Each row shows the recommended fix.
  4. Open the redirect chain disclosure to see all hops the URL went through before the final response.
  5. Click "Copy report" to paste the full grade card and findings into a ticket or audit doc.

FAQ

How is the score weighted?

The maximum is 72 points. CSP and HSTS each weigh 20 (the most consequential). X-Frame-Options / clickjacking weighs 10. Smaller bonuses for X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, and a no-leak Server header. Letter grade: A 90%+, B 75%+, C 60%+, D 40%+, F below 40%.
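To make the weighting concrete, here is an added example of a grader built along the lines the answer describes. It is not the scanner's own code: the 20/20/10 weights and the A to F thresholds come from the answer above, while the exact point values of the smaller bonuses (5, 5, 4, 4, 4) and the size of the deductions inside the CSP and HSTS checks are assumptions made for this example, as are the two sample header sets.

```javascript
// Added example (not the scanner's own code): a header grader that follows the
// weighting in the FAQ. The 20/20/10 weights and the A-F thresholds are from the
// page; the point values of the "smaller bonuses" (5, 5, 4, 4, 4 = 22) and the
// size of the deductions inside CSP and HSTS are assumptions made for this example.
const MAX_SCORE = 72;
const ONE_YEAR = 31536000; // assumed threshold below which HSTS max-age is "too short"
const STRONG_REFERRER = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// "default-src 'self'; script-src 'self' 'nonce-abc'" -> Map(directive -> [sources])
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}
// CSP keyword sources ('self', 'unsafe-inline', ...) are matched case-insensitively.
const hasSource = (list, kw) => list.some((s) => s.toLowerCase() === kw);

function hstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(value);
  return m ? Number(m[1]) : 0;
}

function letterGrade(pct) {
  return pct >= 90 ? 'A' : pct >= 75 ? 'B' : pct >= 60 ? 'C' : pct >= 40 ? 'D' : 'F';
}

// headers: plain object of response headers; names are matched case-insensitively.
function gradeHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]),
  );
  const findings = [];
  const add = (name, points, max, fix) => findings.push({
    name, points, max, status: points === max ? 'green' : points > 0 ? 'amber' : 'red', fix,
  });

  // HSTS (20): missing is red, a short max-age is amber.
  const hsts = h['strict-transport-security'];
  if (!hsts) add('HSTS', 0, 20, 'Add: max-age=63072000; includeSubDomains');
  else if (hstsMaxAge(hsts) < ONE_YEAR) add('HSTS', 10, 20, 'Raise max-age to 63072000');
  else add('HSTS', 20, 20, 'OK');

  // CSP (20): deduct for a missing/wildcard default-src, 'unsafe-inline', 'unsafe-eval'.
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) add('CSP', 0, 20, "Add a policy starting from default-src 'self'");
  else {
    let pts = 20;
    const problems = [];
    const def = csp.get('default-src');
    if (!def || def.includes('*')) { pts -= 8; problems.push('default-src missing or wildcard'); }
    const script = csp.get('script-src') || def || []; // script-src falls back to default-src
    if (hasSource(script, "'unsafe-inline'")) { pts -= 8; problems.push("'unsafe-inline' in script-src"); }
    if (hasSource(script, "'unsafe-eval'")) { pts -= 4; problems.push("'unsafe-eval' in script-src"); }
    add('CSP', Math.max(pts, 0), 20, problems.join('; ') || 'OK');
  }

  // Clickjacking (10): frame-ancestors counts first, X-Frame-Options DENY/SAMEORIGIN otherwise.
  const fa = csp && csp.get('frame-ancestors');
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (fa && fa.length && !fa.includes('*')) add('Clickjacking', 10, 10, 'OK (frame-ancestors)');
  else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') add('Clickjacking', 10, 10, 'OK (X-Frame-Options)');
  else add('Clickjacking', 0, 10, "Add frame-ancestors 'none' (or 'self') to the CSP");

  // Smaller bonuses (assumed sizes).
  const xcto = (h['x-content-type-options'] || '').toLowerCase();
  add('X-Content-Type-Options', xcto === 'nosniff' ? 5 : 0, 5, 'Set nosniff');
  const rp = (h['referrer-policy'] || '').toLowerCase();
  add('Referrer-Policy', STRONG_REFERRER.has(rp) ? 5 : rp ? 2 : 0, 5, 'Use strict-origin-when-cross-origin');
  add('Permissions-Policy', h['permissions-policy'] ? 4 : 0, 4, 'Disable unused features, e.g. camera=(), microphone=()');
  const coop = (h['cross-origin-opener-policy'] || '').toLowerCase();
  add('COOP', coop === 'same-origin' ? 4 : coop === 'same-origin-allow-popups' ? 2 : 0, 4, 'Set same-origin');
  const server = h['server'];
  add('Server', server === undefined ? 4 : /\d/.test(server) ? 0 : 2, 4, 'Strip the version or drop the header');

  const score = findings.reduce((sum, f) => sum + f.points, 0);
  const pct = Math.round((score / MAX_SCORE) * 1000) / 10;
  return { score, max: MAX_SCORE, pct, grade: letterGrade(pct), findings };
}

// Constructed sample responses for this example (not captured from any real site).
const STRONG_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-d2ViYXBw'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
};
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src *; script-src 'unsafe-inline' 'unsafe-eval'",
  'X-Frame-Options': 'SAMEORIGIN',
  Server: 'Apache/2.4.41',
};
```

Running `gradeHeaders(WEAK_HEADERS)` shows why a site with "some" headers can still land at F: the short HSTS max-age and the X-Frame-Options header earn 20 of 72 points (27.8%), while the permissive CSP earns nothing because every deduction applies. `gradeHeaders(STRONG_HEADERS)` scores 72 of 72, with the missing Server header counting as a no-leak bonus.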

Why does my site fail HSTS?

Either the header is missing entirely, or max-age is too short. The recommended max-age is 63072000 (2 years). Add includeSubDomains for full protection, but only once every subdomain serves HTTPS, because the directive is enforced on all of them. Add preload only when you intend to submit the domain at hstspreload.org: the submission requires a max-age of at least one year, includeSubDomains and the preload directive in the header, and removal from the preload list takes months, so treat it as a one-way step.

How do I write a strong CSP?

Start with default-src 'self'. Use script-src and style-src to allow your specific scripts and stylesheets. Avoid 'unsafe-inline' and 'unsafe-eval'. Use nonces (a fresh random value per response, sent in the header and repeated on each inline script tag) or hashes for inline scripts you cannot eliminate; when script-src contains a nonce or hash, browsers ignore 'unsafe-inline' in that directive. Add object-src 'none' and base-uri 'self' to close the common bypasses. Test with Content-Security-Policy-Report-Only first and switch to the enforcing header once the reports are clean.

Is X-Frame-Options or CSP frame-ancestors better?

CSP frame-ancestors is the modern equivalent and obsoletes X-Frame-Options. The scanner gives full credit if either is set strongly: frame-ancestors 'none' or 'self' (or an explicit origin list without a wildcard), or X-Frame-Options DENY or SAMEORIGIN. If you send both, browsers that understand frame-ancestors honor it and ignore X-Frame-Options, while older browsers fall back to X-Frame-Options, so keeping both is harmless.

What is Cross-Origin-Opener-Policy for?

COOP controls whether a cross-origin document that opened your page, or that your page opened, keeps a JavaScript reference to your window. With Cross-Origin-Opener-Policy: same-origin the document is placed in its own browsing context group, so a cross-origin opener or popup is cut off: window.opener is null and any reference it held no longer reaches your origin. same-origin is also, together with Cross-Origin-Embedder-Policy, a precondition for cross-origin isolation, which is what unlocks SharedArrayBuffer.

Why is it warning about a Server header?

A Server header that includes the version (Server: Apache/2.4.41) tells attackers exactly which CVEs to try. Strip the version. Better: drop the header entirely.

Does this work on private intranet URLs?

No. The endpoint blocks any URL whose hostname falls in RFC 1918, loopback, or link-local ranges to prevent the public site being used to scan private networks.
