HTTP Security Headers Analyzer

Score the security headers on any site — HSTS, Content Security Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more. Powered by Mozilla's MDN HTTP Observatory backend, which actually fetches your site and grades each header.

A fresh scan typically takes 5–15 seconds. Cached results from MDN may return immediately.

Frequently Asked Questions

Which security headers matter most?
HSTS (forces HTTPS), Content-Security-Policy (the strongest XSS defense), X-Content-Type-Options, and X-Frame-Options or frame-ancestors for clickjacking protection.

What is Content-Security-Policy (CSP)?
CSP is a header that whitelists the sources a page may load scripts, styles, and other content from, sharply reducing cross-site scripting impact. It is also the hardest header to configure correctly.

What does the grade mean?
It is Mozilla HTTP Observatory’s score based on which protective headers are present and correctly configured. Aim for the headers themselves — start with HSTS and a CSP — not just the letter.
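
To make "present and correctly configured" concrete for the four headers named under "Which security headers matter most?", here is an added example (not this tool's code and not the Observatory's scoring logic) that checks a captured set of response headers offline. The function names, finding labels, and sample header sets are assumptions made for illustration.

```python
# Added example: simplified checks (assumed rules, not the Observatory's scoring).
def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_headers(headers):
    """Return findings, in check order, for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS needs a positive max-age; max-age=0 tells the browser to drop it.
    max_age = 0
    for d in h.get("strict-transport-security", "").split(";"):
        name, _, val = d.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdecimal():
            max_age = int(val.strip('"'))
    if "strict-transport-security" not in h:
        findings.append("hsts-missing")
    elif max_age == 0:
        findings.append("hsts-ineffective-max-age")

    # CSP: scripts fall back to default-src when script-src is absent.
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if not csp:
        findings.append("csp-missing")
    elif scripts is None:
        findings.append("csp-scripts-unrestricted")
    elif "'unsafe-inline'" in scripts:
        findings.append("csp-unsafe-inline-script")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    # Clickjacking: either X-Frame-Options or CSP frame-ancestors is enough.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing-unrestricted")
    return findings

# Constructed sample header sets (not taken from any real site).
WEAK = {"Strict-Transport-Security": "max-age=0",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff"}
```

Calling check_headers(WEAK) reports all four problems even though two of the headers are present, which is why the headers themselves matter more than a count of how many are set.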