Free HTTP Header Checker

Inspect every HTTP response header, get a security grade (A+ → F), and see exactly which security headers are missing or misconfigured.

How it works

01. Paste a URL

We follow redirects and fetch the final response, capturing every header.

02. Score security headers

HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy — each rated and explained.

03. Read the grade

A simple A+ → F grade based on what's present, plus the full header dump for debugging.

Frequently asked questions

What grade should I aim for?

A or A+. Most production SaaS sites get there by setting HSTS, CSP, X-Content-Type-Options, Referrer-Policy, and a Permissions-Policy. The frame-ancestors directive in CSP can replace X-Frame-Options.

Why does my page have HSTS but get a warning?

An HSTS max-age below 6 months (15552000 seconds) downgrades the rating. Raise it to a year (31536000 seconds) for production.

What about caching headers?

We show every response header in the bottom section — Cache-Control, ETag, Age, Vary, etc. The security grade focuses specifically on the headers that affect attack surface.

Does this follow redirects?

Yes. We follow up to the default redirect limit and grade the headers on the final response (the one the browser actually renders).
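The rules stated in the answers above (the header set for an A, the 6-month HSTS max-age threshold, and frame-ancestors standing in for X-Frame-Options) can be checked locally against a captured header set. This is an added example, not the tool's own code; the function names, finding strings and sample headers are constructed, and no letter grade is computed because the page does not publish its scoring.

```python
import re

HSTS_MIN_MAX_AGE = 15552000  # 6 months in seconds, the warning threshold named above
# Headers the FAQ lists for reaching an A (names lowercased for comparison)
REQUIRED = ["strict-transport-security", "content-security-policy",
            "x-content-type-options", "referrer-policy", "permissions-policy"]

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if re.fullmatch(r"[0-9]+", arg) else None
    return None

def csp_has_frame_ancestors(value):
    """True if the CSP value contains a frame-ancestors directive."""
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return True
    return False

def check_headers(headers):
    """Return a list of findings for a response-header dict (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age is None:
            findings.append("hsts: no valid max-age")
        elif age < HSTS_MIN_MAX_AGE:
            findings.append(f"hsts: max-age {age} below {HSTS_MIN_MAX_AGE}")
    # Framing protection: X-Frame-Options, or frame-ancestors in CSP as its replacement
    if "x-frame-options" not in h and not csp_has_frame_ancestors(
            h.get("content-security-policy", "")):
        findings.append("missing: x-frame-options or CSP frame-ancestors")
    return findings

# Constructed sample responses (not captured from any real site)
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=86400",
               "X-Content-Type-Options": "nosniff"}
SAMPLE_GOOD = {"strict-transport-security": "max-age=31536000; includeSubDomains",
               "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
               "X-Content-Type-Options": "nosniff",
               "Referrer-Policy": "strict-origin-when-cross-origin",
               "Permissions-Policy": "geolocation=()"}

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_WEAK):
        print(finding)
```
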

Building a SaaS that needs custom domains?

Domainee is the API for adding customer custom domains to your product. One CNAME, automatic TLS, no DevOps to staff.

50 custom domains and 100 GB bandwidth free, forever.
