Check what security headers a website is sending and see how well it is protected.

HTTP security header analyzer. Fetches headers for a given URL and grades the presence and configuration of CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and related headers.

Proxied request to retrieve response headers (browser CORS prevents direct header inspection for cross-origin resources). Evaluates: Content-Security-Policy (presence, unsafe-inline/unsafe-eval flags, missing directives), Strict-Transport-Security (max-age threshold, includeSubDomains, preload), X-Frame-Options (DENY/SAMEORIGIN vs ALLOW-FROM), X-Content-Type-Options (nosniff), Referrer-Policy (strictness tier), Permissions-Policy, and Cross-Origin-* headers (COOP, COEP, CORP). Letter grade calculated from weighted score.