Security Tool · Compliance · Audit · Offline · Deep Prototype

Headers Grader — HTTP Security Audit

Paste raw HTTP response headers, get a letter grade across 16 modern security headers. Each finding includes the exploit class it opens up and the one-line fix. Nothing leaves the page.


What it is

A security-headers auditor that grades raw HTTP responses across 16 modern checks — the same set a SOC2 reviewer or a Mozilla Observatory scan would cover, run locally in the browser with no upload, no API key, no telemetry.

What it checks

  • Strict-Transport-Security — presence, max-age ≥ 1 year, includeSubDomains, preload
  • Content-Security-Policy — presence + parses for 'unsafe-inline', 'unsafe-eval', unrestricted * script sources, missing object-src / base-uri / frame-ancestors
  • Clickjacking protection — X-Frame-Options vs CSP frame-ancestors (frame-ancestors wins where both are set), detects ALLOWALL, a non-standard value that browsers ignore, leaving the page frame-able
  • X-Content-Type-Options — exactly nosniff
  • Referrer-Policy — present, not unsafe-url or no-referrer-when-downgrade
  • Permissions-Policy — declared scopes for camera, microphone, geolocation, payment, FLoC
  • Cross-Origin policies — COOP, COEP, CORP for Spectre-class isolation
  • Set-Cookie flags — Secure, HttpOnly on auth-shaped names, explicit SameSite, SameSite=None + Secure consistency (browsers reject SameSite=None without Secure)
  • Information disclosure — Server version banners, X-Powered-By, X-AspNet-Version
  • Deprecated noise — X-XSS-Protection (should be 0 or absent)

Each finding is weighted; the score caps at 100 and maps to a letter grade (A+ down to F). Six fixtures are pre-loaded, among them hardened, typical SaaS, default WordPress, frame-able admin, and strict CSP with nonce.
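To make the check list and the scoring concrete, here is a compact grader in vanilla JavaScript. It is an added example, not the tool's own 410 lines: the penalties, the grade bands, the "auth-shaped" cookie-name pattern, and both fixture responses are assumptions constructed for illustration. It covers HSTS, the CSP parse (including the rule that 'unsafe-inline' is ignored once a nonce or hash is present, and that base-uri and frame-ancestors do not inherit default-src), X-Frame-Options vs frame-ancestors, nosniff, and the Set-Cookie flag checks.

```javascript
const ONE_YEAR = 31536000;
const AUTH_NAME = /sess|auth|token|jwt|sid/i; // "auth-shaped" cookie names (assumption)
const F = (id, penalty, fix) => ({ id, penalty, fix });
const first = (h, name) => (h[name] || [])[0];

// Raw response (status line optional) -> {lowercased-name: [values]}; repeated headers are kept.
function parseHeaders(raw) {
  const h = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 1) continue; // status line and blank lines carry no "Name:" prefix
    const name = line.slice(0, i).trim().toLowerCase();
    (h[name] = h[name] || []).push(line.slice(i + 1).trim());
  }
  return h;
}

// "default-src 'self'; script-src 'self' cdn.example" -> {directive: [lowercased source expressions]}
function parseCsp(value) {
  const d = {};
  for (const part of value.split(";")) {
    const t = part.trim().split(/\s+/).filter(Boolean);
    if (t.length) d[t[0].toLowerCase()] = t.slice(1).map(s => s.toLowerCase());
  }
  return d;
}

// Each check returns findings {id, penalty, fix}; the penalties are illustrative, not the tool's.
const checks = [
  function hsts(h) {
    const v = first(h, "strict-transport-security");
    if (!v) return [F("hsts-missing", 20, "Strict-Transport-Security: max-age=31536000; includeSubDomains")];
    const m = /max-age=(\d+)/i.exec(v), out = [];
    if (!m || Number(m[1]) < ONE_YEAR) out.push(F("hsts-short-max-age", 10, "raise max-age to >= 31536000"));
    if (!/includeSubDomains/i.test(v)) out.push(F("hsts-no-subdomains", 5, "add includeSubDomains"));
    return out;
  },
  function csp(h) {
    const v = first(h, "content-security-policy");
    if (!v) return [F("csp-missing", 25, "add Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'")];
    const d = parseCsp(v), out = [];
    const script = d["script-src"] || d["default-src"] || []; // script-src inherits default-src
    const nonced = script.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
    // CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is present, so only flag it when it is live.
    if (script.includes("'unsafe-inline'") && !nonced) out.push(F("csp-unsafe-inline", 15, "use nonces or hashes instead of 'unsafe-inline'"));
    if (script.includes("'unsafe-eval'")) out.push(F("csp-unsafe-eval", 10, "drop 'unsafe-eval' from script-src"));
    if (script.includes("*") || script.includes("https:")) out.push(F("csp-wildcard-script", 10, "list explicit script origins"));
    if (!d["object-src"] && !d["default-src"]) out.push(F("csp-no-object-src", 5, "add object-src 'none'"));
    if (!d["base-uri"]) out.push(F("csp-no-base-uri", 5, "add base-uri 'none'; it does not inherit default-src"));
    return out; // frame-ancestors (which also does not inherit) is scored by the framing check
  },
  function framing(h) {
    const v = first(h, "content-security-policy"), fa = v && parseCsp(v)["frame-ancestors"];
    if (fa) return fa.includes("*") ? [F("frame-ancestors-wildcard", 15, "frame-ancestors 'none' or explicit origins")] : [];
    const xfo = (first(h, "x-frame-options") || "").trim().toUpperCase(); // only consulted without frame-ancestors
    if (!xfo) return [F("framing-unprotected", 15, "Content-Security-Policy: frame-ancestors 'none'")];
    return xfo === "ALLOWALL" ? [F("xfo-allowall", 15, "X-Frame-Options: DENY")] : [];
  },
  function nosniff(h) {
    const v = (first(h, "x-content-type-options") || "").trim().toLowerCase();
    return v === "nosniff" ? [] : [F("nosniff-missing", 5, "X-Content-Type-Options: nosniff")];
  },
  function cookies(h) {
    const out = [];
    for (const c of h["set-cookie"] || []) {
      const [nameEq, ...attrs] = c.split(";").map(s => s.trim());
      const name = nameEq.split("=")[0], a = attrs.map(s => s.toLowerCase());
      const sameSite = a.find(s => s.startsWith("samesite="));
      if (!a.includes("secure")) out.push(F(`cookie-${name}-no-secure`, 8, `add Secure to ${name}`));
      if (AUTH_NAME.test(name) && !a.includes("httponly")) out.push(F(`cookie-${name}-no-httponly`, 8, `add HttpOnly to ${name}`));
      if (!sameSite) out.push(F(`cookie-${name}-no-samesite`, 4, `add SameSite=Lax to ${name}`));
      else if (sameSite === "samesite=none" && !a.includes("secure")) out.push(F(`cookie-${name}-none-insecure`, 4, "SameSite=None is rejected without Secure"));
    }
    return out;
  },
];

// Start at 100, subtract every finding, floor at 0, map to a letter (bands are an assumption).
function grade(raw) {
  const h = parseHeaders(raw), findings = checks.flatMap(c => c(h));
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + f.penalty, 0));
  const letter = score >= 95 ? "A+" : score >= 85 ? "A" : score >= 70 ? "B" : score >= 55 ? "C" : score >= 40 ? "D" : "F";
  return { score, letter, findings };
}

// Constructed fixtures, not captured responses. HARDENED keeps 'unsafe-inline' beside a nonce on purpose (CSP1 fallback).
const HARDENED = [
  "HTTP/1.1 200 OK",
  "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
  "X-Content-Type-Options: nosniff",
  "Set-Cookie: session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
].join("\r\n");
const FRAMEABLE_ADMIN = [
  "Strict-Transport-Security: max-age=300",
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  "X-Frame-Options: ALLOWALL",
  "Set-Cookie: PHPSESSID=xyz; Path=/",
  "Set-Cookie: theme=dark; Path=/; SameSite=None",
].join("\r\n");
console.log(grade(HARDENED).letter, grade(FRAMEABLE_ADMIN).score, grade(FRAMEABLE_ADMIN).findings.map(f => f.id));
```

Run under Node (`node grader.js`) or paste into a browser console. The hardened fixture scores 100 (A+) even though 'unsafe-inline' appears in script-src, because the nonce makes it inert; the frame-able admin fixture collects eleven findings and lands on an F, with ALLOWALL, the live 'unsafe-inline', the flagless PHPSESSID cookie and the SameSite=None-without-Secure cookie all called out individually.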

Why a tool, not a doc

Security headers are well-documented. The gap isn’t knowledge — it’s the moment between “I should check this” and actually checking it. The team has a deploy window, the CSP got tightened last week, the question is whether anything regressed. A paste-and-go grader closes that gap in 10 seconds. Nothing fancy.

How it ships

Single HTML file, ~22KB. Zero dependencies. The CSP parser, the cookie-flag check, and the scoring weights are 410 lines of vanilla JavaScript. Works offline, works on an audit laptop with no internet, works on internal headers a public scanner can never see.
