What are HTTP response headers?
Every time a server answers a request, it sends headers alongside the page: metadata describing the content, caching rules, cookies, and security policies. Inspecting them is a quick way to see how a site is configured.
The security headers we grade
- Strict-Transport-Security (HSTS) - tells the browser to use only HTTPS for this host for the max-age period, so later visits never start with a plain-HTTP request that could be intercepted.
- Content-Security-Policy (CSP) - limits the origins from which scripts, styles and other resources may load, and so blunts cross-site scripting.
- X-Frame-Options - blocks clickjacking by controlling whether other sites may frame the page (DENY or SAMEORIGIN; CSP frame-ancestors is its modern replacement).
- X-Content-Type-Options - with the value nosniff, stops browsers from guessing a content type different from the one the server declared.
- Referrer-Policy - controls how much of the current URL is sent in the Referer header of outgoing requests.
- Permissions-Policy - restricts which powerful browser features, such as camera, microphone or geolocation, the page and its frames may use.
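As an added example (not the site's own grading code), here is one way to turn those six headers into pass, warn, fail or missing verdicts. It assumes its own thresholds: an HSTS max-age under one year is a warning, and a Referrer-Policy counts as safe only if it never sends path and query to another origin and sends nothing on an HTTPS-to-HTTP downgrade. The two sample header sets are constructed, and every function name is this example's own.

```python
"""Grade the six headers listed above. Added example, not the site's own grader; the thresholds
(one-year HSTS max-age, which Referrer-Policy values count as safe) are this example's assumptions."""
import re

ONE_YEAR = 31_536_000  # seconds
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
KNOWN_REFERRER = SAFE_REFERRER | {"no-referrer-when-downgrade", "origin",
                                  "origin-when-cross-origin", "unsafe-url"}

def header(headers, name):
    """Case-insensitive lookup (HTTP header names are case-insensitive); None if absent."""
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), None)

def grade_hsts(v):
    m = re.search(r"max-age\s*=\s*(\d+)", v, re.I)
    if not m:
        return ("fail", "no max-age directive")
    age = int(m.group(1))
    if age == 0:
        return ("fail", "max-age=0 tells browsers to drop the HSTS entry")
    if age < ONE_YEAR:
        return ("warn", f"max-age {age}s is below one year")
    return ("pass", "includeSubDomains" if "includesubdomains" in v.lower() else "this host only")

def grade_csp(v):
    policy = {}  # {directive: [sources]}; later copies of a repeated directive are ignored
    for directive in v.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    scripts = policy.get("script-src", policy.get("default-src"))  # script-src falls back to default-src
    if scripts is None:
        return ("fail", "neither script-src nor default-src is set")
    if {"'unsafe-inline'", "*"} & {s.lower() for s in scripts}:
        return ("warn", "scripts may run inline or load from any origin")
    return ("pass", "script sources: " + " ".join(scripts))

def grade_xfo(v):
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return ("pass", v.upper())
    if v.upper().startswith("ALLOW-FROM"):
        return ("warn", "ALLOW-FROM is obsolete; use CSP frame-ancestors instead")
    return ("fail", f"{v!r} is not a valid value, so browsers ignore it")

def grade_xcto(v):
    first = v.split(",")[0].strip().lower()  # browsers take the first value, case-insensitively
    return ("pass", "nosniff") if first == "nosniff" else ("fail", f"{v!r} is not 'nosniff'")

def grade_referrer(v):
    # With a comma-separated list, the last value the browser recognises is the one applied.
    known = [t for t in (t.strip().lower() for t in v.split(",")) if t in KNOWN_REFERRER]
    if not known:
        return ("fail", f"no recognised policy in {v!r}")
    if known[-1] in SAFE_REFERRER:
        return ("pass", known[-1])
    return ("warn", f"{known[-1]} sends referrer data on downgrades or the full URL cross-origin")

GRADERS = {
    "Strict-Transport-Security": grade_hsts,
    "Content-Security-Policy": grade_csp,
    "X-Frame-Options": grade_xfo,
    "X-Content-Type-Options": grade_xcto,
    "Referrer-Policy": grade_referrer,
    "Permissions-Policy": lambda v: ("pass", v),  # presence is all this example checks
}

def grade(headers):
    """Return {header: (status, note)} with status pass, warn, fail or missing."""
    out = {}
    for name, fn in GRADERS.items():
        v = header(headers, name)
        out[name] = fn(v) if v else ("missing", "header absent or empty")
    if out["Permissions-Policy"][0] == "missing" and header(headers, "Feature-Policy"):
        out["Permissions-Policy"] = ("warn", "only the superseded Feature-Policy header is set")
    return out

# Constructed sample responses, not captured from any real site.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {  # lower-case names, as some servers and clients emit them
    "strict-transport-security": "max-age=0",
    "content-security-policy": "default-src * 'unsafe-inline'",
    "x-frame-options": "ALLOW-FROM https://partner.example",
    "x-content-type-options": "NOSNIFF",
    "referrer-policy": "no-referrer, unsafe-url",
    "feature-policy": "camera 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        for name, (status, note) in grade(hdrs).items():
            print(f"{label:5} {status:8} {name}: {note}")
```

Two details in the WEAK set are worth noticing: NOSNIFF still passes because browsers compare the value case-insensitively, and "no-referrer, unsafe-url" is graded on unsafe-url because, with a list, browsers apply the last value they recognise, so a strict policy placed first is not the one in effect.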
How this works
The check runs on our server: it requests the URL you enter and reports the response headers it receives. Fetching server-side avoids the browser's cross-origin restrictions, which would block a page from reading another site's headers directly. The fetcher only follows redirects to publicly reachable hosts, reads only the response headers rather than the page content, and stores nothing.
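The redirect restriction is the part of a server-side fetcher that matters most for safety: a target that redirects to a private, loopback or link-local address would otherwise steer the server's own request at internal services. The following added example (not the tool's own code) follows redirects by hand and vets every hop before requesting it. The resolve and fetch callables, the fixture hosts and all function names are this example's assumptions, constructed so that it runs offline; a real deployment would plug in socket.getaddrinfo and an HTTP client configured not to follow redirects on its own.

```python
"""Follow redirects only to publicly reachable hosts. Added example, not the tool's own code.
DNS and HTTP are injected (resolve(host) -> list of IP strings, fetch(url) -> (status, headers))
so the example runs offline against constructed fixtures."""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: longer redirect chains are abandoned

def is_public_ip(ip_str):
    """True only for globally routable unicast addresses. Rejects private, loopback,
    link-local (which includes the 169.254.169.254 cloud metadata address), multicast
    and reserved space; an IPv4-mapped IPv6 address is judged by the IPv4 it wraps."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_multicast or ip.is_reserved
                                 or ip.is_link_local or ip.is_loopback)

def is_public_url(url, resolve):
    """http(s) URL whose host resolves to at least one address, every one of them public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname)
    return bool(addrs) and all(is_public_ip(a) for a in addrs)

def fetch_headers(start_url, fetch, resolve, max_hops=MAX_HOPS):
    """GET start_url and follow redirects by hand, vetting every hop before requesting it.
    Returns (final_url, status, headers); raises ValueError for a blocked hop, a redirect
    without Location, or a chain longer than max_hops."""
    url = start_url
    for _ in range(max_hops + 1):
        if not is_public_url(url, resolve):
            raise ValueError(f"refusing non-public target {url}")
        status, headers = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, status, headers
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location is None:
            raise ValueError(f"{status} from {url} without a Location header")
        url = urljoin(url, location)  # Location may be relative; resolve it against this hop
    raise ValueError(f"more than {max_hops} redirects from {start_url}")

# Constructed fixtures standing in for DNS and a web server; no real hosts or data.
FAKE_DNS = {
    "www.example.test": ["93.184.216.34"],          # any globally routable address
    "internal.example.test": ["10.0.0.5"],          # RFC 1918, must never be fetched
    "dual.example.test": ["93.184.216.34", "::1"],  # one public, one loopback: still blocked
}
FAKE_SERVER = {
    "http://www.example.test/": (301, {"Location": "https://www.example.test/"}),
    "https://www.example.test/": (302, {"Location": "/home"}),
    "https://www.example.test/home": (200, {"Strict-Transport-Security": "max-age=63072000",
                                            "X-Content-Type-Options": "nosniff"}),
    "https://www.example.test/admin": (302, {"Location": "http://internal.example.test/"}),
    "https://www.example.test/cloud": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "https://www.example.test/dual": (302, {"Location": "https://dual.example.test/"}),
    "https://www.example.test/loop": (302, {"Location": "https://www.example.test/loop"}),
}

def fake_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]  # an IP literal "resolves" to itself
    except ValueError:
        return FAKE_DNS.get(host, [])

def fake_fetch(url):
    return FAKE_SERVER.get(url, (404, {}))

def probe(url):
    """Run fetch_headers against the fixtures and summarise the outcome as one line."""
    try:
        final, status, _ = fetch_headers(url, fake_fetch, fake_resolve)
        return f"{status} at {final}"
    except ValueError as e:
        return f"blocked: {e}"

if __name__ == "__main__":
    for path in ("", "admin", "cloud", "dual", "loop"):
        print(f"/{path:6} -> {probe('https://www.example.test/' + path)}")
```

Two design points: a host with mixed records (dual.example.test) is rejected unless every resolved address is public, since the client cannot control which one the connection will use; and because the check resolves the name and the HTTP client then resolves it again, a production fetcher should connect to the address it vetted rather than re-resolving, or the two lookups can return different answers.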