Free website tool

Free Security Headers Grade

Evaluate HTTP security headers including Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Get a letter grade (A+ to F).

Security

Methodology

1Sends an HTTP request and inspects 6 critical security headers: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
2Each header is graded individually, then combined into an overall letter grade (A+ to F) based on presence and configuration quality.
3Also checks for deprecated headers and common misconfigurations that weaken your security posture.

Next steps

What to do with your results

→Add Content-Security-Policy to prevent XSS attacks — start with a report-only policy and tighten over time.
→Enable HSTS with a minimum max-age of 31536000 (1 year) and include the includeSubDomains directive.
→Set X-Content-Type-Options: nosniff to prevent MIME-type sniffing attacks.
→Set X-Frame-Options: DENY (or SAMEORIGIN) to prevent clickjacking.
→Add Referrer-Policy: strict-origin-when-cross-origin for a good balance of security and analytics.
→Configure Permissions-Policy to restrict access to camera, microphone, and geolocation APIs.

Learn more

Frequently asked questions

Security Headers Grade — Common questions

Is the Security Headers Grade on CheckWebs really free?+

Yes — the Security Headers Grade is 100% free with no signup, no account, and no usage limits. Just enter a URL and get instant results.

How accurate is the Security Headers Grade?+

Our Security Headers Grade runs live checks against the target website in real time. Results reflect the current state of the site at the moment you run the check — not cached or historical data.

What is a good security headers grade?+

Grade A or A+ means all critical headers (CSP, HSTS, X-Frame-Options, etc.) are present and properly configured. Most sites score C or D — fixing this is a quick win.

Which security header is most important?+

Content-Security-Policy (CSP) is the most impactful — it prevents XSS attacks by controlling which scripts can execute. HSTS is second, enforcing HTTPS on all connections.

Can missing security headers affect SEO?+

Indirectly yes — Google's Page Experience signals consider site security. A hacked site (due to missing headers) will be demoted or delisted.

Loading CheckWebs…

Home/Tools/Security/Sec Headers

Free website tool

Free Security Headers Grade

Security

Methodology

1Sends an HTTP request and inspects 6 critical security headers: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
2Each header is graded individually, then combined into an overall letter grade (A+ to F) based on presence and configuration quality.
3Also checks for deprecated headers and common misconfigurations that weaken your security posture.

Next steps

What to do with your results

→Add Content-Security-Policy to prevent XSS attacks — start with a report-only policy and tighten over time.
→Enable HSTS with a minimum max-age of 31536000 (1 year) and include the includeSubDomains directive.
→Set X-Content-Type-Options: nosniff to prevent MIME-type sniffing attacks.
→Set X-Frame-Options: DENY (or SAMEORIGIN) to prevent clickjacking.
→Add Referrer-Policy: strict-origin-when-cross-origin for a good balance of security and analytics.
→Configure Permissions-Policy to restrict access to camera, microphone, and geolocation APIs.

Learn more

Frequently asked questions

Security Headers Grade — Common questions

Is the Security Headers Grade on CheckWebs really free?+

Yes — the Security Headers Grade is 100% free with no signup, no account, and no usage limits. Just enter a URL and get instant results.

How accurate is the Security Headers Grade?+

Our Security Headers Grade runs live checks against the target website in real time. Results reflect the current state of the site at the moment you run the check — not cached or historical data.

What is a good security headers grade?+

Grade A or A+ means all critical headers (CSP, HSTS, X-Frame-Options, etc.) are present and properly configured. Most sites score C or D — fixing this is a quick win.

Which security header is most important?+

Content-Security-Policy (CSP) is the most impactful — it prevents XSS attacks by controlling which scripts can execute. HSTS is second, enforcing HTTPS on all connections.

Can missing security headers affect SEO?+

Indirectly yes — Google's Page Experience signals consider site security. A hacked site (due to missing headers) will be demoted or delisted.

Free Security Headers Grade

Methodology

What to do with your results

Related guides

Security Headers Grade — Common questions

Free Security Headers Grade

Methodology

What to do with your results

Related guides

Security Headers Grade — Common questions