About HeaderCheckr
HeaderCheckr is a free, focused tool for understanding the HTTP security headers a website sends to browsers.
Who It Is For
HeaderCheckr is built for developers, founders, agencies, and site owners who want a fast way to review browser-facing security headers.
The tool keeps the scan focused on practical protections that are available to most modern websites, without requiring an account or access to your server.
Why This Exists
HTTP response headers can add meaningful protection against common browser-side risks. They help control HTTPS, framing, content loading, referrer sharing, and browser permissions.
HeaderCheckr pairs a simple grading system with clear explanations and practical starting values, so missing headers are easier to understand and fix.
How It Works
When you run a scan, HeaderCheckr fetches the public website, follows safe redirects, reads the final response headers, and checks them against a focused security baseline.
The report shows what is present, what is missing, the exact values returned by the server, and developer-friendly raw headers and JSON output.
Common questions
What does my score mean?
The score reflects how many of the checked security headers are present on the final response. It is a useful baseline, not a full security audit.
What grades can my site get?
HeaderCheckr grades scans from A+ down to F. A higher grade means more of the recommended browser security headers are present.
How do I get an A+ grade?
An A+ grade means the final response includes every security header HeaderCheckr currently checks for.
What headers do you check for?
HeaderCheckr checks Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
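The check described under "How It Works" can be reproduced offline against captured headers. The following is an added example, not HeaderCheckr's own code: it takes the raw header blocks of a redirect chain (for instance, what `curl -sIL` prints), keeps only the final response, and reports which of the six headers are present. The function names, the sample input, and treating an empty value as missing are assumptions of this example.

```python
# Added example, not HeaderCheckr's code: presence check over the FINAL
# response in a redirect chain captured as raw header blocks.
CHECKED = [
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]

def final_headers(raw):
    """Return the last response's headers as {lowercase name: [values]}."""
    blocks = [b for b in raw.replace("\r\n", "\n").split("\n\n") if b.strip()]
    headers = {}
    if not blocks:
        return headers
    for line in blocks[-1].strip().split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive and may repeat
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check(raw):
    """Report which checked headers the final response carries."""
    headers = final_headers(raw)
    # Assumption of this example: a header with only empty values is missing.
    present = {h: headers[h.lower()] for h in CHECKED
               if any(headers.get(h.lower(), []))}
    missing = [h for h in CHECKED if h not in present]
    return {"present": present, "missing": missing, "all_present": not missing}

# Constructed sample: a redirect hop followed by the final response.
SAMPLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html\r\n"
    "strict-transport-security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy:\r\n"
    "\r\n"
)

if __name__ == "__main__":
    report = check(SAMPLE)
    print("present:", list(report["present"]))
    print("missing:", report["missing"])
```

In the sample, X-Frame-Options is set only on the redirect hop, so it counts as missing on the final response, which is the response the browser actually renders.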
Can I allowlist your scanner IP addresses?
HeaderCheckr is designed for public website checks and does not currently publish a fixed scanner IP range.
Can I identify HeaderCheckr scans by user agent?
Yes. HeaderCheckr sends an identifiable user agent string that includes HeaderCheckr when it fetches a site for analysis.