Scan your site for security headers

Check if your website has the right HTTP security headers. Get an A-F grade, detailed analysis, and copy-paste fix code for your framework. Free for one-off scans.

We send a single HEAD request to fetch response headers. No data is stored.

10 Headers Checked

HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more critical security headers.

Framework Fix Code

Get copy-paste remediation code for Next.js, Express, Nginx, Apache, and Cloudflare Workers.

Instant Results

No signup required for basic scans. Enter a URL, get your grade in seconds with actionable recommendations.

Frequently asked questions

What security headers does HeaderGuard check?

We check 10 critical HTTP security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy.

How is the A–F grade calculated?

Each header is weighted by its security impact. Critical headers like HSTS and CSP carry more weight. Missing a critical header gives an F; a misconfigured one may give a C or D. The overall grade is a weighted average of all header grades.
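An added illustration of the weighted-average grading described above, not HeaderGuard's own code: the weights, grade points, per-header rules, the five-header subset and the sample headers are all assumptions made for this example.

```python
import re

# Assumed weights (not HeaderGuard's real values): critical headers count more.
WEIGHTS = {
    "strict-transport-security": 3,
    "content-security-policy": 3,
    "x-content-type-options": 2,
    "x-frame-options": 2,
    "referrer-policy": 1,
}
POINTS = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}  # assumed grade points
ONE_YEAR = 31536000  # seconds

def grade_header(name, value):
    """Grade one header; a missing header is always F."""
    if value is None:
        return "F"
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m:
            return "D"  # present but no usable max-age
        return "A" if int(m.group(1)) >= ONE_YEAR else "C"
    if name == "content-security-policy":
        # Simplified rule: any unsafe-* keyword counts as a misconfiguration.
        return "C" if "'unsafe-inline'" in v or "'unsafe-eval'" in v else "A"
    if name == "x-content-type-options":
        return "A" if v == "nosniff" else "D"
    if name == "x-frame-options":
        return "A" if v in ("deny", "sameorigin") else "D"
    if name == "referrer-policy":
        return "D" if v == "unsafe-url" else "A"
    raise ValueError(f"no rule for {name}")

def overall_grade(headers):
    """Weighted average of per-header grade points, mapped back to a letter."""
    seen = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    grades = {n: grade_header(n, seen.get(n)) for n in WEIGHTS}
    avg = sum(POINTS[g] * WEIGHTS[n] for n, g in grades.items()) / sum(WEIGHTS.values())
    letter = next(ltr for ltr, pts in POINTS.items() if avg >= pts - 0.5)  # round to nearest
    return grades, round(avg, 2), letter

# Constructed sample response headers (not from a real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
```

With the sample, two misconfigured critical headers and one missing low-weight header average out to a B, which shows how a weighted average can mask an individual F unless the per-header grades are reported alongside it.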

Does scanning my site affect its performance or availability?

No. HeaderGuard sends a single HEAD request to fetch HTTP response headers. No page content is downloaded, no forms are submitted, and no data from your site is stored.

What is included in HeaderGuard Pro?

Pro ($9/mo) adds unlimited scans, daily automated monitoring with Slack and email alerts, CI/CD API integration, bulk sitemap scanning, 90-day header history, and PDF/JSON report export.

Do I need an account to scan?

No. Free scans (up to 3 per day) require no signup. Create an account to unlock Pro monitoring features.