VibeSecurely

Security Headers Checker

Grade any site's security headers from A to F in seconds.

Checks a public URL - we never store it

We fetch the page from our server (a browser cannot read another site's response headers) and grade what comes back. We never store your URL, and your code and keys are never involved.

About this tool

Check any website's HTTP security headers and get an instant A-to-F grade. See whether Content-Security-Policy, HSTS, X-Frame-Options, and the rest are set, what each one protects against, and exactly which gaps to fix.

Frequently asked questions

Does this run in my browser like the other tools?
Not quite, and here is the honest reason: a browser is not allowed to read another website's response headers, so this check is made from our server instead. It requests only the public page you enter - the same response any visitor gets - grades the headers, and never stores your URL. Your code and credentials are never involved.
What grade should I be aiming for?
A or A+ means every core header is in place. B means you have the basics but are missing one or two. C or D means several are absent, and F means almost none are set - which is common for apps shipped straight from an AI builder. Aim for at least an A by adding the missing headers.
Which headers does it check?
The six that matter most: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. It also flags advisories, such as a Server or X-Powered-By header that leaks your software versions, or a CSP weakened by unsafe-inline.
Do good security headers mean my app is secure?
No. Security headers are defense-in-depth - they reduce the damage from clickjacking, XSS, and protocol-downgrade attacks. They do nothing about the flaws that actually breach AI-built apps: exposed databases, broken access control, and leaked API keys. A clean header grade is a good sign, not a clean bill of health.
Why did my site get an F?
Almost always because the headers were never configured, which is the default for most AI-generated and quickly shipped apps. The fix is usually a few lines in your framework or host config; our Next.js security guide walks through adding each one.
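The checks listed above (six core headers plus the version-leak and unsafe-inline advisories) and the fix described here can be seen side by side in a small grader. This is an added example, not VibeSecurely's own checker code: it grades constructed header sets offline rather than fetching a URL, the letter-grade thresholds are an assumption that follows the scale described in the FAQ, and the hardened header values and the `{ key, value }` list shape of the Next.js `headers()` config are illustrative.

```javascript
// Added example, not VibeSecurely's own code: a minimal offline grader that
// mirrors the checks the page describes. The letter-grade thresholds and the
// header values in the hardened set below are assumptions for illustration.

// The six core headers the page says it checks (compared case-insensitively).
const CORE_HEADERS = [
  'content-security-policy',
  'strict-transport-security',
  'x-content-type-options',
  'x-frame-options',
  'referrer-policy',
  'permissions-policy',
];

// Lower-case every header name so lookups do not depend on the server's casing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Grade a response's headers: which core headers are missing, which advisories
// apply (version leaks, weakened CSP), and an A+ to F letter grade.
function gradeHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const missing = CORE_HEADERS.filter((name) => !(name in h));
  const advisories = [];

  // Version-disclosure headers: not a flaw by themselves, but they tell every
  // visitor exactly which software stack and version is serving the page.
  for (const leaky of ['server', 'x-powered-by']) {
    if (leaky in h) advisories.push(`${leaky} header discloses "${h[leaky]}"`);
  }

  // A CSP that allows inline scripts gives up most of its XSS protection.
  const csp = h['content-security-policy'];
  if (csp && /'unsafe-inline'/i.test(csp)) {
    advisories.push("content-security-policy allows 'unsafe-inline'");
  }

  // Assumed scale following the page's description: A = all six present,
  // B = one or two missing, C/D = several missing, F = almost none set.
  let grade;
  if (missing.length === 0) grade = advisories.length === 0 ? 'A+' : 'A';
  else if (missing.length <= 2) grade = 'B';
  else if (missing.length === 3) grade = 'C';
  else if (missing.length === 4) grade = 'D';
  else grade = 'F';

  return { grade, missing, advisories };
}

// Constructed sample 1: what an unconfigured app typically sends back.
const UNCONFIGURED_RESPONSE = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Powered-By': 'Express',
};

// Constructed sample 2: partially configured, with a weakened CSP.
const PARTIAL_RESPONSE = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=31536000',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Server': 'nginx/1.24.0',
};

// A hardened set in the { key, value } list shape a Next.js headers() config
// returns (shape assumed from the Next.js docs; values are illustrative).
const HARDENED_HEADERS = [
  { key: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'" },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// Convert the list shape into the plain name -> value object gradeHeaders expects.
function headerListToObject(list) {
  return Object.fromEntries(list.map(({ key, value }) => [key, value]));
}

function main() {
  const samples = [
    ['unconfigured', UNCONFIGURED_RESPONSE],
    ['partial', PARTIAL_RESPONSE],
    ['hardened', headerListToObject(HARDENED_HEADERS)],
  ];
  for (const [label, headers] of samples) {
    const result = gradeHeaders(headers);
    console.log(`${label}: ${result.grade}`, result);
  }
}

main();
```

The unconfigured sample is missing all six core headers and grades F, the partial one has four of six but carries two advisories (a Server version leak and an unsafe-inline CSP) and grades B, and the hardened list grades A+. Dropping the hardened list into a real `headers()` entry is the whole fix the last FAQ answer refers to; the grader only confirms that the response now carries it.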