SEOlust

Security Header Strength Checker

Grade security headers with detailed scoring, letter grades (A+ to F), and actionable recommendations.


💡 What We Analyze

Critical (40%):
• HSTS - Forces HTTPS
• CSP - Prevents XSS attacks
Important (35%):
• X-Frame-Options
• X-Content-Type-Options
• Referrer-Policy
Recommended (25%):
• Permissions-Policy
• COOP, CORP, COEP

Security Header Strength Checker - Grade Your Website Security

Analyze and grade your website's security headers with our comprehensive Security Header Strength Checker. Get detailed scores (0-100) and letter grades (A+ to F) for 9 critical security headers including HSTS, CSP, X-Frame-Options, and more. Receive actionable recommendations to improve your security posture and protect against XSS, clickjacking, and other web attacks.

What is a Security Header Strength Checker?

A Security Header Strength Checker is an advanced analysis tool that evaluates the quality and configuration of your website's HTTP security headers, providing detailed grading and scoring for each header. Unlike basic checkers that only verify presence, our strength checker analyzes configuration quality. Nine security headers are examined:

  • Strict-Transport-Security (HSTS) for HTTPS enforcement
  • Content-Security-Policy (CSP) for XSS prevention
  • X-Frame-Options for clickjacking protection
  • X-Content-Type-Options for MIME sniffing prevention
  • Referrer-Policy for privacy control
  • Permissions-Policy for feature restrictions
  • Cross-Origin-Opener-Policy (COOP) for window isolation
  • Cross-Origin-Resource-Policy (CORP) for resource protection
  • Cross-Origin-Embedder-Policy (COEP) for embedding control

Each header receives an individual score from 0-100 based on configuration strength, with letter grades from A+ (excellent) to F (missing/poor), a weighted overall score that prioritizes critical headers, the specific issues identified in the current configuration, and actionable recommendations with exact header values to implement. Perfect for security audits ensuring compliance with best practices, penetration testing and vulnerability assessments, DevSecOps workflows and CI/CD integration, compliance checks for PCI-DSS and GDPR requirements, and client reporting with professional grades and scores.

Understanding the Grading System

Our grading system uses weighted scoring to accurately reflect your security posture across different header priorities.

  • Critical Headers (40% weight): HSTS and CSP are weighted heavily as they prevent the most severe attacks like SSL stripping and XSS exploitation
  • Important Headers (35% weight): X-Frame-Options, X-Content-Type-Options, and Referrer-Policy provide essential protection against clickjacking, MIME attacks, and privacy leaks
  • Recommended Headers (25% weight): Permissions-Policy, COOP, CORP, and COEP add modern defense-in-depth protection for cross-origin attacks
  • Individual Scoring: Each header is scored 0-100 based on configuration quality, with specific criteria for optimal values, deductions for weak settings, and bonus points for security enhancements
  • Letter Grades Explained: A+/A/A- (85-100) = Excellent security configuration, B+/B/B- (70-84) = Good with room for improvement, C+/C/C- (55-69) = Basic security needing attention, D/F (0-54) = Poor security requiring urgent action
  • Overall Score Calculation: Weighted average of all header scores with missing headers receiving 0 points, rounded to nearest integer for clarity

How to Use This Tool

Using our Security Header Strength Checker provides instant, comprehensive security analysis.

  • Enter Your URL: Type or paste your website URL into the input field, with or without the https:// prefix; the tool adds it automatically if needed
  • Submit for Analysis: Click 'Check Security Headers' to fetch and analyze your site's response headers over a secure cURL connection with a 30-second timeout
  • Review Overall Score: See your overall security score (0-100) and letter grade (A+ to F), calculated using a weighted algorithm that prioritizes critical headers, with a breakdown showing headers present vs. missing
  • Examine Individual Headers: Each of the 9 security headers is analyzed separately with its own score and grade, organized by importance (Critical, Important, Recommended) in color-coded cards for quick identification (green = good, red = poor)
  • Understand Issues and Recommendations: For each header, see the specific problems with the current configuration, the exact header values to add or modify, and best practices for optimal security
  • Download or Copy Report: Use the action buttons to copy a summary to the clipboard for quick sharing, download the full report as a text file for documentation, or print the report for security audits and compliance checks
  • Implement Improvements: Follow the specific recommendations for each header, with exact Apache/Nginx configuration examples, re-test after changes to verify improvements, and track progress from F to A+ over time

Security Headers Analyzed

Our tool provides detailed analysis for 9 essential security headers with specific grading criteria.

  • Strict-Transport-Security (HSTS): Grading checks max-age value (50 points for ≥1 year), includeSubDomains directive (25 points), preload directive (25 points). Best config: max-age=31536000; includeSubDomains; preload
  • Content-Security-Policy (CSP): Base 30 points for presence, -20 points for unsafe-inline directive, -15 points for unsafe-eval, +30 points for 3+ directives configured. Best config: default-src 'self'; script-src 'self' 'nonce-{random}'
  • X-Frame-Options: DENY = 100 points (maximum protection), SAMEORIGIN = 90 points (allows self-framing), ALLOW-FROM = 40 points (deprecated). Best config: DENY
  • X-Content-Type-Options: nosniff = 100 points (perfect), any other value = 20 points (invalid). Best config: nosniff
  • Referrer-Policy: no-referrer = 100 points, strict-origin-when-cross-origin = 95 points, same-origin = 95 points, unsafe-url = 10 points. Best config: strict-origin-when-cross-origin
  • Permissions-Policy: 5+ features restricted = 90 points, 3-4 features = 70 points, 1-2 features = 50 points. Best config: camera=(), microphone=(), geolocation=()
  • Cross-Origin-Opener-Policy (COOP): same-origin = 100 points, same-origin-allow-popups = 80 points, unsafe-none = 30 points. Best config: same-origin
  • Cross-Origin-Resource-Policy (CORP): same-origin = 100 points, same-site = 85 points, cross-origin = 50 points. Best config: same-origin
  • Cross-Origin-Embedder-Policy (COEP): require-corp = 100 points, credentialless = 90 points. Best config: require-corp
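As an added example (not the tool's own code), the following Python grader applies the per-header rules above and the weighted bands from the grading section literally. The HSTS 20%, CSP 20% and COEP 5% weights come from the Pro Tip on this page; the equal split of the remaining weight across the other headers, the clamp of the CSP score to 0-100, and returning the letter band rather than a +/- sub-grade (the page gives no sub-grade cut-offs) are assumptions.

```python
import re
# Weights (%): HSTS 20, CSP 20 and COEP 5 are stated on the page; the equal split of
# the remaining 35% and 20% across the other headers is an assumption made here.
WEIGHTS = {
    "strict-transport-security": 20, "content-security-policy": 20,
    "x-frame-options": 35 / 3, "x-content-type-options": 35 / 3, "referrer-policy": 35 / 3,
    "permissions-policy": 20 / 3, "cross-origin-opener-policy": 20 / 3,
    "cross-origin-resource-policy": 20 / 3, "cross-origin-embedder-policy": 5,
}
# Headers scored by value lookup: (table, score for a value not in the table).
LOOKUP = {
    "x-frame-options": ({"deny": 100, "sameorigin": 90, "allow-from": 40}, 0),
    "x-content-type-options": ({"nosniff": 100}, 20),
    "referrer-policy": ({"no-referrer": 100, "strict-origin-when-cross-origin": 95,
                         "same-origin": 95, "unsafe-url": 10}, 0),
    "cross-origin-opener-policy": ({"same-origin": 100, "same-origin-allow-popups": 80, "unsafe-none": 30}, 0),
    "cross-origin-resource-policy": ({"same-origin": 100, "same-site": 85, "cross-origin": 50}, 0),
    "cross-origin-embedder-policy": ({"require-corp": 100, "credentialless": 90}, 0),
}
def score_hsts(value):  # 50 for max-age >= 1 year, 25 each for includeSubDomains and preload
    low = value.lower()
    m = re.search(r"max-age=(\d+)", low)
    return ((50 if m and int(m.group(1)) >= 31536000 else 0)
            + (25 if "includesubdomains" in low else 0) + (25 if "preload" in low else 0))

def score_csp(value):  # base 30, +30 for 3+ directives, -20 'unsafe-inline', -15 'unsafe-eval'
    low = value.lower()
    pts = 30 + (30 if len([d for d in low.split(";") if d.strip()]) >= 3 else 0)
    pts -= (20 if "'unsafe-inline'" in low else 0) + (15 if "'unsafe-eval'" in low else 0)
    return max(0, min(100, pts))  # clamping to 0-100 is an assumption; the page states none

def score_permissions(value):  # points by number of features restricted
    n = len([f for f in value.split(",") if f.strip()])
    return 90 if n >= 5 else 70 if n >= 3 else 50 if n >= 1 else 0

def score_header(name, value):
    if name == "strict-transport-security": return score_hsts(value)
    if name == "content-security-policy": return score_csp(value)
    if name == "permissions-policy": return score_permissions(value)
    table, default = LOOKUP[name]
    return table.get(value.strip().lower().split(" ")[0], default)  # "ALLOW-FROM uri" -> "allow-from"

def letter_grade(score):  # page bands: A 85-100, B 70-84, C 55-69, D/F 0-54
    return "A" if score >= 85 else "B" if score >= 70 else "C" if score >= 55 else "D/F"

def grade(headers):  # returns (overall, letter band, per-header scores); a missing header scores 0
    present = {k.lower(): v for k, v in headers.items()}
    scores = {n: (score_header(n, present[n]) if n in present else 0) for n in WEIGHTS}
    overall = round(sum(scores[n] * WEIGHTS[n] for n in WEIGHTS) / 100)
    return overall, letter_grade(overall), scores
```

Feeding it a constructed response with a one-day HSTS max-age, a CSP containing 'unsafe-inline', SAMEORIGIN framing and nosniff, but no other headers, yields an overall score of 29 (D/F), which illustrates why present-but-weak headers still grade poorly.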

Common Security Issues Identified

Our tool identifies and explains common security header misconfigurations with specific fixes.

  • Missing HSTS Header: Risk is browsers don't enforce HTTPS, allowing SSL stripping attacks and protocol downgrades. Quick fix for Apache (the value must be quoted because it contains a semicolon): Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  • Weak HSTS Configuration: Short max-age values (e.g., 86400 for 1 day) don't provide lasting protection. Fix: Increase to 1 year (31536000) or 2 years (63072000 seconds)
  • CSP with unsafe-inline: Minimal XSS protection when unsafe-inline allows inline scripts. Fix: Remove unsafe-inline and use nonces or hashes for scripts
  • Missing X-Frame-Options: Site vulnerable to clickjacking where attackers embed your site in invisible iframes. Fix: Add X-Frame-Options: DENY or SAMEORIGIN
  • Weak Referrer Policy: Using unsafe-url or default policy leaks full URLs including sensitive parameters. Fix: Set Referrer-Policy: strict-origin-when-cross-origin
  • Missing Cross-Origin Headers: Site lacks modern isolation from cross-origin attacks. Fix: Add COOP, CORP, and COEP headers for defense-in-depth

Pro Tip

Start with the critical headers first: implement HSTS and CSP before worrying about recommended headers, as these provide the most significant security improvements. Don't skip HSTS even if it seems complex; a basic max-age=31536000 is better than nothing. If you can only implement one header, make it HSTS, as it prevents SSL stripping attacks and is relatively simple to configure for an immediate security improvement.

  • Build CSP gradually using Content-Security-Policy-Report-Only to test without breaking functionality, review the reports for a week and adjust the policy, then switch to enforcing mode.
  • Monitor CSP violations by implementing the report-uri or report-to directive, using services like report-uri.com for free CSP violation monitoring.
  • Test after each change in a staging environment before deploying to production, using browser developer tools to check for console errors.
  • Use the 'always' flag in Apache and Nginx to ensure headers are sent with all responses, including error responses.
  • Before enabling HSTS with includeSubDomains, ensure all subdomains support HTTPS, as HSTS forces HTTPS on all subdomains.
  • Use both X-Frame-Options and the CSP frame-ancestors directive for comprehensive clickjacking protection: older browsers support X-Frame-Options while modern browsers prefer CSP.
  • Don't obsess over getting A+ immediately; focus on fixing critical issues first (missing HSTS, weak CSP), then improve incrementally. Even moving from F to C is significant progress.
  • Review headers quarterly and update them based on new recommendations by subscribing to security bulletins and monitoring this tool for updates.
  • Document your configuration, keeping records of which headers are implemented and why specific values were chosen, for audits and team onboarding.
  • Combine headers with other security measures, including input validation, output encoding, secure authentication, regular updates, and security monitoring, for a defense-in-depth strategy.

The overall score uses weighted calculations that prioritize critical headers (HSTS 20%, CSP 20%) over recommended ones (COEP 5%), reflecting real-world security impact.

FAQ

Is this tool free to use?
Yes! Our Security Header Strength Checker is completely free with no limits, no registration required, and no hidden costs. Check unlimited URLs and receive comprehensive security analysis at no charge.
What's the difference between presence checking and strength checking?
Basic header checkers only verify if a header exists. Our strength checker analyzes configuration quality and identifies specific weaknesses like short HSTS max-age or CSP with unsafe-inline, providing letter grades based on industry best practices and real-world security value.
Why did I get a low score even though some headers are present?
Presence alone doesn't guarantee security. For example, HSTS with max-age=86400 (1 day) scores much lower than max-age=31536000 (1 year). CSP with 'unsafe-inline' provides minimal XSS protection despite being present. Our grading reflects real-world security value.
Should I aim for 100/100 A+ score?
While A+ is ideal, don't let perfect be the enemy of good. A score above 85 (A-) provides excellent security for most sites. Focus on critical headers first (HSTS, CSP) then improve incrementally. Some headers may not apply to your use case.
How often should I check my security headers?
Check after initial implementation, after server configuration changes, and quarterly as part of regular security audits. Also check when security best practices change or when you receive security recommendations from penetration testing.
Will adding these headers break my website?
Properly configured headers shouldn't break functionality, but poor configurations can. For example, a strict CSP might block legitimate inline scripts. Always test in development first and use report-only mode (Content-Security-Policy-Report-Only) to test without breaking production.
Do these headers replace other security measures?
No. Security headers are one layer in defense-in-depth strategy. You still need secure coding practices, input validation, output encoding, authentication/authorization, regular updates, firewall rules, and security monitoring.
Can I export results for compliance documentation?
Yes! Use the 'Download Report' button to save a complete text report with all scores, grades, and recommendations. The report is suitable for audit documentation, compliance checks, and security assessments.
Why does my score differ from other header checking tools?
Different tools use different grading algorithms and weight headers differently. We use a weighted system that prioritizes critical headers (HSTS, CSP) over recommended ones reflecting real-world security impact rather than treating all headers equally.
What web server software is needed?
All major web servers support security headers: Apache, Nginx, IIS, Cloudflare, AWS, and others. Implementation syntax varies by server - check our recommendations section for specific examples for your server type.
How accurate is the grading?
Our grading is based on industry best practices from OWASP, Mozilla Observatory, and security research. Scores reflect real-world security value with specific criteria for each header based on proven attack prevention effectiveness.
Can I check headers on localhost or development sites?
The tool needs to access the URL via HTTP/HTTPS, so it can check any publicly accessible site. For localhost or internal sites, you'll need to check headers manually using browser developer tools or curl commands.
