HTTP Headers Audit
Run an HTTP security-headers audit on any public site. CSP, HSTS, frame options, cookies, referrer policy. Returns a letter grade and the failing checks.
Why this exists
A counterparty's HTTP security headers are a leading indicator of their security maturity. A site with no CSP, no HSTS, and a B-minus grade reads as "the build cycle didn't include a security review." Useful as a vendor-risk pre-screen, a cross-check on marketing claims ("we take security seriously"), and a basic check on your own deployments.
Frequently asked questions
What does HTTP Headers Audit grade?
Runs a real fetch against any public-facing URL and grades the response headers using Mozilla's HTTP Observatory rubric — HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cookie flags, and HTTPS upgrade. Returns a letter grade A+ through F plus per-check breakdown.
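To make the per-check breakdown concrete, here is an added example of a minimal headers audit in Python. It is not the tool's own Worker code and not Mozilla's Observatory implementation: it walks the same header list the answer names (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, cookie flags, HTTPS), but the point deductions and the letter bands are constructed for illustration, and the six-month HSTS minimum and the two sample responses are assumptions embedded inline.

```python
"""Added example: a minimal HTTP security-headers audit (not the page's tool).

Penalties, grade bands and sample responses below are constructed for
illustration; they are not the Observatory rubric's exact numbers.
"""
from __future__ import annotations

import re
from urllib.request import Request, urlopen

Headers = list[tuple[str, str]]  # (name, value) pairs; Set-Cookie may repeat

MIN_HSTS_AGE = 15_768_000  # six months in seconds (assumed minimum)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def _get(h: Headers, name: str) -> str | None:
    """Last value of a header, matched case-insensitively."""
    vals = [v for n, v in h if n.lower() == name.lower()]
    return vals[-1] if vals else None


def _get_all(h: Headers, name: str) -> list[str]:
    return [v for n, v in h if n.lower() == name.lower()]


def _csp_directives(csp: str) -> dict[str, list[str]]:
    out: dict[str, list[str]] = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def check_hsts(h: Headers) -> str | None:
    v = _get(h, "strict-transport-security")
    if v is None:
        return "HSTS header missing"
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        return "HSTS max-age below six months"
    return None


def check_csp(h: Headers) -> str | None:
    v = _get(h, "content-security-policy")
    if v is None:
        return "Content-Security-Policy missing"
    d = _csp_directives(v)
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script or "*" in script:
        return "CSP allows 'unsafe-inline' or wildcard script sources"
    return None


def check_framing(h: Headers) -> str | None:
    xfo = (_get(h, "x-frame-options") or "").upper()
    csp = _csp_directives(_get(h, "content-security-policy") or "")
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return None
    return "No clickjacking protection (X-Frame-Options or CSP frame-ancestors)"


def check_nosniff(h: Headers) -> str | None:
    ok = (_get(h, "x-content-type-options") or "").lower() == "nosniff"
    return None if ok else "X-Content-Type-Options: nosniff missing"


def check_referrer(h: Headers) -> str | None:
    v = (_get(h, "referrer-policy") or "").lower().split(",")[-1].strip()
    return None if v in SAFE_REFERRER else "Referrer-Policy missing or leaks full URLs cross-origin"


def check_permissions(h: Headers) -> str | None:
    return None if _get(h, "permissions-policy") else "Permissions-Policy missing"


def check_cookies(h: Headers) -> str | None:
    bad = []
    for c in _get_all(h, "set-cookie"):
        name = c.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in c.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            bad.append(f"cookie {name!r} lacks {', '.join(missing)}")
    return "; ".join(bad) or None


# Constructed deductions from a 100-point baseline (not the Observatory's numbers).
CHECKS = [(check_hsts, 20), (check_csp, 25), (check_framing, 20), (check_nosniff, 5),
          (check_referrer, 5), (check_permissions, 5), (check_cookies, 10)]


def letter_grade(score: int) -> str:
    bands = [(100, "A+"), (90, "A"), (80, "B"), (65, "C"), (50, "D")]
    return next((g for floor, g in bands if score >= floor), "F")


def audit(h: Headers, https: bool = True) -> dict:
    """Return score, letter grade and the list of failing checks."""
    failures = [] if https else ["Site served over plain HTTP"]
    score = 100 if https else 80
    for check, penalty in CHECKS:
        msg = check(h)
        if msg:
            failures.append(msg)
            score -= penalty
    return {"score": max(score, 0), "grade": letter_grade(max(score, 0)), "failures": failures}


def fetch_headers(url: str, timeout: float = 10) -> Headers:
    """Live fetch (GET so Set-Cookie is returned); not used by the samples below."""
    req = Request(url, headers={"User-Agent": "headers-audit-example/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return list(resp.getheaders())


# Constructed sample responses: one weak, one hardened.
WEAK: Headers = [("Content-Type", "text/html"),
                 ("Content-Security-Policy", "default-src * 'unsafe-inline'"),
                 ("Set-Cookie", "session=abc")]
HARDENED: Headers = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                     ("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'none'"),
                     ("X-Content-Type-Options", "nosniff"),
                     ("Referrer-Policy", "strict-origin-when-cross-origin"),
                     ("Permissions-Policy", "camera=(), geolocation=()"),
                     ("Set-Cookie", "session=abc; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs))
```

Replace the constructed samples with `fetch_headers("https://example.test/")` to audit a live response; the headers are kept as a list of pairs rather than a dict so that multiple Set-Cookie headers are each checked.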
Why don't you use Mozilla's API?
Mozilla retired the public HTTP Observatory v2 API in 2024. We re-implemented the rubric in our Worker so the tool no longer depends on third-party uptime. Same scoring methodology, instant results, no third-party rate limits.
What does this NOT cover?
TLS quality (cipher suites, cert chain) — that's SSL/TLS Grade. Application-layer vulnerabilities (XSS, CSRF, auth flaws) — that needs DAST/SAST tools. CDN configuration. This is specifically the response-headers layer.