Security headers grade

Grade a site's HSTS, CSP, X-Frame-Options and more, A–F, with fixes.


This security headers test fetches your site's HTTP response and grades the protective headers it returns on an A–F scale. It checks for HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and related directives, then explains what each missing or misconfigured header exposes you to. A low grade often means clickjacking, MIME-sniffing, or downgrade attacks are easier than they should be; concrete fixes are listed per header. Because grades slip whenever a deploy changes configuration, SJ Monitor's HTTP monitoring can re-check and alert you over time.

Frequently asked questions

What's a good security headers grade?

Aim for an A or B; that usually means HSTS and a real Content-Security-Policy are present alongside the core anti-framing and content-type protections. A C or below signals important headers are missing.

Why does my grade keep changing?

Grades shift when deploys, CDN settings, or framework updates alter response headers. SJ Monitor's HTTP monitoring re-checks your site and alerts you if a header is dropped.

Can I scan more than five times a day?

The free tool allows 5 scans per day on one URL; a paid plan removes that limit and adds scheduled re-scans, saved history, and branded PDF reports.

What's the single biggest header to add first?

Strict-Transport-Security (HSTS), which forces browsers onto HTTPS and closes the downgrade window. A solid Content-Security-Policy is the next highest-impact addition, though it takes more tuning.

Will adding a Content-Security-Policy break my site?

It can if a strict policy blocks inline scripts or third-party resources you rely on. Roll it out with Content-Security-Policy-Report-Only first to see what would break before enforcing it.

Do security headers help with SEO?

Not directly, but HTTPS and a secure, trustworthy setup support overall site quality. The headers' real value is protecting users from clickjacking, MIME-sniffing, and downgrade attacks.
