A few months ago, I was reviewing the Nginx configuration of a side project and decided to run it through a security headers scanner. I pasted the response headers into a popular online tool, hit Enter, and waited.
Grade F. 12/100.
I was stunned. I had HTTPS, a valid certificate, and a modern stack. But I was missing every critical security header. No HSTS, no CSP, no X-Frame-Options. My site was a sitting duck for clickjacking, XSS, and protocol downgrade attacks, and I didn’t even know it.
That experience led me to build DevToolbox HTTP Header Analyzer — a completely client-side tool that grades your security headers from A+ to F, explains every single one in plain English, and gives you ready-to-paste fixes. And it never sends your headers to any server.
Try It Yourself in 15 Seconds