How is the grade calculated?

Each security header carries a weight reflecting its importance, with Content-Security-Policy and HSTS weighted highest. The tool sums the points for headers that pass, divides by the maximum, and maps the percentage to a letter from A (90 percent or more) down to F.

Why did my CSP fail even though it is present?

A Content-Security-Policy that includes unsafe-inline or unsafe-eval largely defeats its purpose against cross-site scripting, so the grader marks it as failing. Remove those keywords and use nonces or hashes for any inline scripts you genuinely need.

Do I need both X-Frame-Options and CSP frame-ancestors?

CSP frame-ancestors is the modern replacement and is honoured by current browsers, while X-Frame-Options covers older clients. The grader passes the clickjacking check if either is set correctly, but sending both maximises compatibility.

What is a good HSTS max-age?

A max-age of at least six months (15552000 seconds) is recommended, and two years (63072000) with includeSubDomains and preload is ideal for preload-list eligibility. The grader fails HSTS values below the six-month threshold.

Are COOP, COEP, and CORP required?

They are not required for most sites but enable cross-origin isolation, which is needed for powerful features like SharedArrayBuffer and protects against side-channel attacks. They carry smaller weights here, so missing them lowers but does not tank your grade.

HTTP Security Headers Grader

Security headers are some of the highest-leverage, lowest-effort defences a web app can deploy, yet they are easy to forget. Paste your HTTP response headers here and get an instant A-F grade with a per-header breakdown and the exact value to add for anything that fails — all computed in your browser, nothing uploaded.

How it works

The grader parses your pasted headers into name/value pairs (case-insensitive) and runs each through a specific rule, not just a presence check:

Content-Security-Policy (25 pts) must be present and free of unsafe-inline/unsafe-eval.
Strict-Transport-Security (20 pts) must have max-age of at least six months.
X-Content-Type-Options (10 pts) must equal nosniff.
X-Frame-Options (10 pts) must be DENY/SAMEORIGIN, or CSP frame-ancestors must be set.
Referrer-Policy (10 pts) must be one of the privacy-preserving values.
Permissions-Policy (8 pts) present.
COOP (6), CORP (6), COEP (5) set to their isolation values.

Points for passing checks are summed and divided by the maximum to produce a percentage, which maps to a letter grade: A at 90%+, B at 75%+, C at 60%+, D at 45%+, E at 25%+, and F below that.

Example

curl -sI https://example.com

Paste the output. A site with HSTS, a clean CSP, nosniff, DENY, and a strict referrer policy but no Permissions-Policy or cross-origin headers typically lands around a B — solid core protection with room to add isolation headers.

Notes and tips

Prioritise CSP and HSTS first; together they are over 40% of the score and block the most damaging attacks (XSS and protocol downgrade).
Build CSP in report-only mode first (Content-Security-Policy-Report-Only) to find violations before enforcing, then switch to the enforcing header.
Set headers at the edge (reverse proxy or CDN) so they apply uniformly to every response, including error pages and static assets.