Grade your security headers. Without pasting your staging URL into someone else's scanner.
Paste the response headers from curl -I or your browser's network tab. Every security header is explained in plain English and graded A–F, with the missing or weak ones — CSP, HSTS, X-Frame-Options and friends — called out. It all happens in your browser; nothing is uploaded.
Parsed Content-Security-Policy
| directive | sources |
|---|---|
FAQ
Is my data sent anywhere?
No. Your headers are parsed, analyzed and graded entirely in your browser — they are never sent to a server. We count anonymous, aggregate usage on our own server (a page view, that an analysis was run) — never your headers, their values, or the host they came from.
How is the grade calculated?
We check the headers that matter for security — Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy — plus risky information-disclosure headers like Server and X-Powered-By. The score starts at 100 and loses points for each missing or weak header, weighted by severity, then maps to a letter A–F. It is a sensible default, not a substitute for a full pentest.
Where do I get the headers to paste?
Run curl -sI https://your-site.example and paste the output, or open your browser's devtools, pick a request on the Network tab, and copy its Response Headers. A leading HTTP/2 200 status line is fine — we ignore it. Because everything runs locally, you can safely check an internal or staging host that you would never hand to a third-party scanner.
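The FAQ answers above describe the whole pipeline: parse pasted curl -I output (skipping the status line), check the named headers, start at 100 and deduct per missing or weak header weighted by severity, map to a letter, and split the CSP into a directive/sources table. The following is an added example of that pipeline in browser-side JavaScript; it is not the tool's own code. The per-header weights, the "weak" thresholds (HSTS max-age of at least one year, script-src containing 'unsafe-inline' or '*'), the half-credit rule for weak headers and the letter cut-offs are all assumptions chosen for illustration, since the page states only that deductions are weighted by severity. The sample response is constructed, not captured from a real host.

```javascript
// Added example (not the tool's own code). Weights, thresholds and letter
// cut-offs are assumptions for illustration; the page does not publish them.

// Parse raw `curl -I` / devtools output into a lowercase-keyed header map.
// The status line ("HTTP/2 200") and blank lines are skipped, as the FAQ says.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (!trimmed || /^HTTP\/\d/i.test(trimmed)) continue;
    const idx = trimmed.indexOf(':');
    if (idx < 1) continue; // not a "Name: value" line
    const name = trimmed.slice(0, idx).trim().toLowerCase();
    const value = trimmed.slice(idx + 1).trim();
    // Repeated headers (e.g. two Set-Cookie lines) are joined with ", ".
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Split a CSP into { directive: [sources] }, i.e. the "directive | sources" table.
function parseCsp(csp) {
  const result = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    result[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return result;
}

// Security headers: deduction when missing; half of it (rounded up) when weak.
// weak(value) returns true when the header is present but misconfigured.
const CHECKS = [
  { name: 'strict-transport-security', weight: 25,
    weak: (v) => { const m = /max-age=(\d+)/i.exec(v);
                   return !m || Number(m[1]) < 31536000; } }, // assumed: >= 1 year
  { name: 'content-security-policy', weight: 25,
    weak: (v) => { const c = parseCsp(v);
                   const src = c['script-src'] || c['default-src'] || [];
                   return src.length === 0 || src.includes("'unsafe-inline'") || src.includes('*'); } },
  { name: 'x-frame-options', weight: 10,
    weak: (v) => !/^(DENY|SAMEORIGIN)$/i.test(v.trim()) },
  { name: 'x-content-type-options', weight: 10,
    weak: (v) => v.trim().toLowerCase() !== 'nosniff' },
  { name: 'referrer-policy', weight: 10, weak: (v) => /unsafe-url/i.test(v) },
  { name: 'permissions-policy', weight: 5, weak: () => false },
];

// Information-disclosure headers: a deduction when present at all.
const DISCLOSURE = [{ name: 'server', weight: 5 }, { name: 'x-powered-by', weight: 5 }];

function letterFor(score) {
  if (score >= 90) return 'A';
  if (score >= 80) return 'B';
  if (score >= 70) return 'C';
  if (score >= 60) return 'D';
  return 'F';
}

// Start at 100, deduct per finding, clamp at 0, map to a letter.
function grade(raw) {
  const headers = parseHeaders(raw);
  let score = 100;
  const findings = [];
  for (const check of CHECKS) {
    const value = headers[check.name];
    if (value === undefined) {
      score -= check.weight;
      findings.push(`${check.name}: missing`);
    } else if (check.weak(value)) {
      score -= Math.ceil(check.weight / 2);
      findings.push(`${check.name}: weak (${value})`);
    }
  }
  for (const d of DISCLOSURE) {
    if (headers[d.name] !== undefined) {
      score -= d.weight;
      findings.push(`${d.name}: discloses "${headers[d.name]}"`);
    }
  }
  score = Math.max(0, score);
  const csp = parseCsp(headers['content-security-policy'] || '');
  return { score, letter: letterFor(score), findings, csp };
}

// Constructed sample resembling `curl -sI` output; not from a real host.
const SAMPLE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=63072000; includeSubDomains',
  "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'x-frame-options: SAMEORIGIN',
  'x-content-type-options: nosniff',
  'server: nginx/1.2.3',
  '',
].join('\n');

// Usage: grade(SAMPLE) -> { score: 67, letter: 'D', findings: [...], csp: {...} }
```

With these assumed weights the sample loses 13 points for the 'unsafe-inline' in script-src, 10 for the missing Referrer-Policy, 5 for the missing Permissions-Policy and 5 for the Server banner, landing at 67 (D). The point of the example is the shape of the check, not the exact numbers: each header gets a presence test and a separate "present but weak" test, and the CSP is tokenised per directive so a reviewer can see exactly which source expressions triggered the finding.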