
Security Headers Grader

Check the security headers for any public URL and get an instant A+–F grade. Analyses HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, and CORP with per-header recommendations.

  • A+: 95–100
  • A: 80–94
  • B: 65–79
  • C: 50–64
  • D: 35–49
  • F: 0–34

Disclaimer: Free tool provided “as is” by MonitorGiant. No warranty or liability for any data loss, security issues, or infrastructure problems arising from use of this tool. Results are for informational purposes only. · A Free Tool by MonitorGiant

What is Security Headers Grader?

HTTP security headers are server-side instructions that tell browsers how to behave when handling your site's content. They are one of the easiest wins in web security — most can be added in a single line of server config or CDN settings — yet many production sites still receive an F grade. The eight headers checked here cover the most impactful protections: HSTS prevents protocol downgrade attacks, CSP prevents XSS and data injection, X-Frame-Options prevents clickjacking, and the remaining headers control MIME sniffing, referrer leakage, browser feature access, and cross-origin isolation.
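An offline sketch of a per-header check over the eight headers named above, added here as an example and not MonitorGiant's code. The pass/warn rules, the 180-day HSTS threshold and the function names are assumptions, and the sample headers are constructed.

```python
# Added example: the pass/warn rules are assumptions, not MonitorGiant's scoring.
MIN_HSTS_AGE = 15552000  # assumed threshold: 180 days, in seconds

def _hsts(v):
    for part in v.split(";"):
        name, _, val = part.strip().partition("=")
        if name == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"')) >= MIN_HSTS_AGE
    return False  # no usable max-age directive

def _csp(v):
    return not any(t in v for t in ("'unsafe-inline'", "'unsafe-eval'"))

def _referrer(v):
    # A comma-separated list is a fallback chain; this judges the last policy listed.
    return v.split(",")[-1].strip() not in ("", "unsafe-url")

CHECKS = {  # the eight headers the page lists; values arrive trimmed and lowercased
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": lambda v: v in ("deny", "sameorigin"),
    "x-content-type-options": lambda v: v == "nosniff",
    "referrer-policy": _referrer,
    "permissions-policy": bool,  # any non-empty policy counts as present
    "cross-origin-opener-policy": lambda v: v.startswith("same-origin"),
    "cross-origin-resource-policy": lambda v: v in ("same-origin", "same-site", "cross-origin"),
}

def audit(headers):
    """Map each checked header to 'pass', 'warn' or 'missing'."""
    got = {k.lower(): v.strip().lower() for k, v in headers.items()}  # names are case-insensitive
    return {n: "missing" if n not in got else ("pass" if ok(got[n]) else "warn")
            for n, ok in CHECKS.items()}

def failing(result):
    """Headers a post-deployment check should flag, sorted by name."""
    return sorted(n for n, s in result.items() if s != "pass")

SAMPLE = {  # constructed response headers, not captured from a real site
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
}

if __name__ == "__main__":
    print("\n".join(f"{s:8} {n}" for n, s in audit(SAMPLE).items()))
```

Running `failing(audit(...))` on the headers captured before and after a deployment gives a simple diff of which protections regressed.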

How to use this tool

  1. Enter any public URL into the input field. Use the quick-example buttons to see grades for well-known sites like GitHub or Cloudflare.
  2. Read the grade banner showing the letter grade (A+–F), numeric score out of 85, and a breakdown of passing, warning, and missing headers.
  3. Review the per-header result cards — each shows whether the header is present, the actual value returned, what it means, and a specific recommendation if it is wrong or missing.
  4. Fix missing headers by adding the recommended value to your server config or CDN settings. For Nginx, Apache, Netlify, and Cloudflare, adding a security header is typically a one-line change.

When would you use this?

  • Security engineers running a check before a production launch to catch missing headers that would appear in a penetration test.
  • DevOps teams verifying headers are still being sent correctly after deploying changes.
  • Content teams checking competitor sites to benchmark their own security posture.
  • Managers using the letter grade as a quick, shareable indicator for executive reports — an A+ means all critical headers are present and correctly configured.

Want to be alerted the moment a security header disappears from your site after a deployment? MonitorGiant monitors your HTTP headers on a schedule and alerts you to unexpected changes.


How it works

  1. Enter any public URL

     Type or paste the URL of the page you want to test. Use the quick-example buttons to see grades for well-known sites like GitHub or Cloudflare.

  2. Read the grade and score

     The grade banner shows the letter grade (A+–F), numeric score out of 85, and a breakdown of passing, warning, and missing headers.

  3. Review per-header results

     Each header gets its own card showing: whether it is present, the actual value returned, what it means, and — if it's wrong or missing — a specific recommendation to fix it.

  4. Fix missing headers

     Missing headers are the easiest to fix: for most web servers and CDNs (Nginx, Apache, Netlify, Cloudflare), adding a security header is a one-line config change. The recommendation on each card tells you exactly what to add.

The URL is sent to a MonitorGiant edge server which fetches headers from the target and returns them to your browser. The target URL is not stored or logged beyond the duration of the request.
