How to Check Your Security Headers Score
Enter your URL in the Security Headers Scorer — it fetches the live response headers and returns a single 0–100 score built from per-header points. The most impactful headers: HSTS (20 points), CSP (25 points), X-Frame-Options (10), X-Content-Type-Options (10), Referrer-Policy (10). A score above 80 means all critical headers are present.
Security headers are the fastest security improvement you can make — one line of server config per header, no code changes required. But most sites are missing the critical ones. A live scan tells you exactly what's absent and what to add.
Check your security headers score →

How the score works
| Header | Points | What it protects against |
|---|---|---|
| Content-Security-Policy | 25 | XSS, data injection, clickjacking |
| Strict-Transport-Security | 20 | HTTPS downgrade attacks, cookie hijacking |
| X-Frame-Options | 10 | Clickjacking via iframes |
| X-Content-Type-Options | 10 | MIME-type sniffing attacks |
| Referrer-Policy | 10 | URL leakage to third parties |
| Permissions-Policy | 10 | Browser API abuse (camera, mic, location) |
| Cross-Origin-Opener-Policy | 8 | Tab-napping via window.opener |
| X-XSS-Protection | 7 | Legacy XSS filter (older browsers) |
What each grade means
| Score | Grade | What it means |
|---|---|---|
| 90–100 | A+ | All headers present and correctly configured |
| 80–89 | A | Critical headers present, minor gaps |
| 65–79 | B | Most headers present, CSP or HSTS may be weak |
| 45–64 | C | Several headers missing |
| 25–44 | D | Only 1–2 headers set |
| 0–24 | F | Critical headers missing |
The three headers to add first
If you're starting from zero, these three have the highest impact per line of config:
1. Strict-Transport-Security (20 points)

```nginx
# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

2. X-Content-Type-Options (10 points — easiest win)

```nginx
# Nginx — one line, no side effects, safe to add immediately
add_header X-Content-Type-Options "nosniff" always;
```

3. X-Frame-Options (10 points)

```nginx
# Nginx
add_header X-Frame-Options "SAMEORIGIN" always;
```
These three together get you from F to 40 points with three lines of config and zero risk of breaking anything.
Why CSP is last
CSP is worth 25 points but requires knowing every resource your page loads. Add it after auditing your page with CSPFixer — deploying a wrong CSP breaks your site silently.
Vercel — add all headers in vercel.json
```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" },
        { "key": "X-Frame-Options", "value": "SAMEORIGIN" },
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
        { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
      ]
    }
  ]
}
```
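As an added example (not the Security Headers Scorer's own code), here is a small Python scorer that applies the point table and grade bands from "How the score works" to a set of response headers, and also reads the header block out of a vercel.json like the one above so you can estimate your score before deploying. The per-header validity checks (a non-zero HSTS `max-age`, a literal `nosniff`, `DENY` or `SAMEORIGIN` for X-Frame-Options) are my assumptions; the page does not describe the real tool's rules. The raw response used as sample input is constructed, and the vercel.json is the one shown above.

```python
"""Estimate a security-headers score offline, using the point table on this page."""
import json
import re

# Point values copied from the page's "How the score works" table (sums to 100).
POINTS = {
    "content-security-policy": 25,
    "strict-transport-security": 20,
    "x-frame-options": 10,
    "x-content-type-options": 10,
    "referrer-policy": 10,
    "permissions-policy": 10,
    "cross-origin-opener-policy": 8,
    "x-xss-protection": 7,
}

# Grade bands from the page's "What each grade means" table (lower bound, grade).
GRADES = [(90, "A+"), (80, "A"), (65, "B"), (45, "C"), (25, "D"), (0, "F")]


def parse_raw_headers(raw: str) -> dict:
    """Turn the header block of an HTTP response (e.g. `curl -sI` output) into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # skip the status line and blank/garbage lines
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_is_valid(name: str, value: str) -> bool:
    """Assumed sanity checks: a header that is present but inert earns no points."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        return bool(m) and int(m.group(1)) > 0  # max-age=0 disables HSTS
    if name == "x-content-type-options":
        return v == "nosniff"
    if name == "x-frame-options":
        return v in ("deny", "sameorigin")
    return bool(v)  # other headers: any non-empty value counts


def grade_for(score: int) -> str:
    for floor, grade in GRADES:
        if score >= floor:
            return grade
    return "F"


def score_headers(headers: dict) -> dict:
    """Score a dict of lower-cased header names -> values; report what passed and what is missing."""
    passed, missing, total = [], [], 0
    for name, pts in POINTS.items():
        value = headers.get(name)
        if value is not None and header_is_valid(name, value):
            passed.append(name)
            total += pts
        else:
            missing.append(name)
    return {"score": total, "grade": grade_for(total), "passed": passed, "missing": missing}


def headers_from_vercel_json(config_text: str) -> dict:
    """Collect every key/value from the `headers` rules of a vercel.json (later rules override earlier)."""
    cfg = json.loads(config_text)
    out = {}
    for rule in cfg.get("headers", []):
        for h in rule.get("headers", []):
            out[h["key"].lower()] = h["value"]
    return out


# Constructed sample: a response after adding only the three "add first" Nginx headers.
RAW_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

# The vercel.json from this page.
VERCEL_JSON = """{
  "headers": [{"source": "/(.*)", "headers": [
    {"key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains"},
    {"key": "X-Frame-Options", "value": "SAMEORIGIN"},
    {"key": "X-Content-Type-Options", "value": "nosniff"},
    {"key": "Referrer-Policy", "value": "strict-origin-when-cross-origin"},
    {"key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()"}
  ]}]
}"""

if __name__ == "__main__":
    print("three Nginx headers:", score_headers(parse_raw_headers(RAW_RESPONSE)))
    print("vercel.json:", score_headers(headers_from_vercel_json(VERCEL_JSON)))
```

Running it shows the two numbers the page talks about: the three Nginx headers give 40 points, and the Vercel config gives 60 (grade C), with `content-security-policy` at the top of the missing list, which is the 25-point gap the "Why CSP is last" section refers to.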
Difference from securityheaders.com
securityheaders.com gives you a letter grade. The Security Headers Scorer gives you a 0–100 score with per-header breakdown and a direct link to the fix for every failing header — no searching for what to do next.
Scan your site now →