HTTP security header check
Paste any URL. We fetch it once and grade the response against seven security headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and COOP. Same rubric as securityheaders.com, no signup, free.
In one line: MyIPSpeed Security Headers grades any public HTTPS URL against the 10 OWASP-recommended response headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, etc.) in under 3 seconds and returns an A–F score plus the exact `curl` command to verify each header yourself.
About HTTP security headers
HTTP security headers are response headers a website sends to tell browsers how to safely render and isolate the page. The 10 we grade are: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Resource-Policy (CORP), and X-XSS-Protection.
How the grade is computed
A perfect A+ requires HSTS with includeSubDomains and preload, a non-trivial CSP (anything beyond default-src self), explicit X-Frame-Options or frame-ancestors, X-Content-Type-Options nosniff, an explicit Referrer-Policy, and a Permissions-Policy that disables at least the camera, microphone, and geolocation. Missing items deduct one letter grade each.
Why each header matters
HSTS forces browsers to refuse plain HTTP, defeating downgrade attacks. CSP defines what scripts, styles, and other resources may load — the single most powerful XSS mitigation. X-Frame-Options prevents clickjacking. X-Content-Type-Options prevents MIME sniffing. Referrer-Policy limits referrer leakage. Permissions-Policy disables browser features the site does not use.
Beyond the grade
Every result includes the exact curl command to verify each header yourself, plus a one-line explanation of what each header does and a link to the canonical specification. No data leaves your browser except the URL you submit, which is fetched once and discarded.
Related reading
The complete 2026 guide to HTTP security headers covers each header in depth with copy-paste defaults for nginx, Apache, and Cloudflare Workers. How we compare to SecurityHeaders.com (Scott Helme).