Audit HTTP security headers for any website. Use when a user asks to check security headers, harden a web server, audit HSTS/CSP/X-Frame-Options compliance,...
Scan any URL for missing or misconfigured security headers and get an actionable report with grades, fix recommendations, and info-leak detection.
Usage:

```bash
# Single URL audit
python3 scripts/sec_headers.py https://example.com
# Multiple URLs
python3 scripts/sec_headers.py https://example.com https://google.com https://github.com
# JSON output (for programmatic use)
python3 scripts/sec_headers.py https://example.com --json
# Custom timeout
python3 scripts/sec_headers.py https://example.com --timeout 5
```
Security headers (graded by severity):

- Strict-Transport-Security (HSTS) — HIGH
- Content-Security-Policy (CSP) — HIGH
- X-Content-Type-Options — MEDIUM
- X-Frame-Options — MEDIUM
- Referrer-Policy — MEDIUM
- Permissions-Policy — MEDIUM
- X-XSS-Protection — LOW
- Cross-Origin-Opener-Policy (COOP) — LOW
- Cross-Origin-Resource-Policy (CORP) — LOW
- Cross-Origin-Embedder-Policy (COEP) — LOW

Info leak detection:

- Server header (software version disclosure)
- X-Powered-By (technology stack leak)
- X-AspNet-Version (framework version leak)

Grades:

| Grade | Score | Meaning |
|---|---|---|
| A | 90–100 | Excellent — all critical headers present |
| B | 75–89 | Good — minor gaps |
| C | 50–74 | Fair — important headers missing |
| D | 25–49 | Poor — significant exposure |
| F | 0–24 | Failing — most headers absent |
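The following is an added example, not the code of `scripts/sec_headers.py`, showing how the header list, severities and grade bands above can be turned into a scoring function. The header names, their severities, the info-leak headers and the grade thresholds come from the page; the per-severity point weights, the half credit given to a header that is present but weakly configured, the five-point deduction per disclosing header, and the specific misconfiguration checks (HSTS `max-age` under one year, `X-Content-Type-Options` other than `nosniff`, `X-Frame-Options` other than `DENY`/`SAMEORIGIN`, a CSP containing `'unsafe-inline'` or `'unsafe-eval'`) are this example's own assumptions. The sample response headers are constructed.

```python
"""Added example: grade a set of HTTP response headers for security-header coverage."""
import re

SEVERITY_WEIGHT = {"HIGH": 15, "MEDIUM": 8, "LOW": 4}  # assumed point weights

# Headers the audit expects, with the severity the page assigns to each.
EXPECTED_HEADERS = {
    "strict-transport-security": "HIGH",
    "content-security-policy": "HIGH",
    "x-content-type-options": "MEDIUM",
    "x-frame-options": "MEDIUM",
    "referrer-policy": "MEDIUM",
    "permissions-policy": "MEDIUM",
    "x-xss-protection": "LOW",
    "cross-origin-opener-policy": "LOW",
    "cross-origin-resource-policy": "LOW",
    "cross-origin-embedder-policy": "LOW",
}

# Headers whose presence discloses software details.
INFO_LEAK_HEADERS = {
    "server": "software version disclosure",
    "x-powered-by": "technology stack leak",
    "x-aspnet-version": "framework version leak",
}

LEAK_PENALTY = 5  # assumed: points deducted per disclosing header


def _check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "no max-age directive"
    if int(m.group(1)) < 31536000:  # shorter than one year
        return "max-age below one year"
    return None


def _check_nosniff(value):
    return None if value.lower() == "nosniff" else "value is not 'nosniff'"


def _check_frame_options(value):
    return None if value.upper() in ("DENY", "SAMEORIGIN") else "value is not DENY or SAMEORIGIN"


def _check_csp(value):
    weak = [d for d in ("'unsafe-inline'", "'unsafe-eval'") if d in value.lower()]
    return f"policy allows {', '.join(weak)}" if weak else None


# A header that is present but fails its check counts as misconfigured (half credit).
MISCONFIG_CHECKS = {
    "strict-transport-security": _check_hsts,
    "x-content-type-options": _check_nosniff,
    "x-frame-options": _check_frame_options,
    "content-security-policy": _check_csp,
}


def grade_for(score):
    """Map a 0-100 score onto the page's grade bands (A 90+, B 75+, C 50+, D 25+, else F)."""
    for grade, floor in (("A", 90), ("B", 75), ("C", 50), ("D", 25)):
        if score >= floor:
            return grade
    return "F"


def audit_headers(headers):
    """Return findings, info leaks, a 0-100 score and a letter grade for one response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings, earned = [], 0
    total = sum(SEVERITY_WEIGHT[s] for s in EXPECTED_HEADERS.values())
    for name, severity in EXPECTED_HEADERS.items():
        weight = SEVERITY_WEIGHT[severity]
        if name not in h:
            findings.append({"header": name, "severity": severity, "issue": "missing"})
            continue
        problem = MISCONFIG_CHECKS.get(name, lambda v: None)(h[name])
        if problem:
            findings.append({"header": name, "severity": severity, "issue": problem})
            earned += weight // 2
        else:
            earned += weight
    leaks = [{"header": n, "value": h[n], "issue": why}
             for n, why in INFO_LEAK_HEADERS.items() if n in h]
    score = int(round(100 * earned / total)) - LEAK_PENALTY * len(leaks)
    score = max(0, min(100, score))
    return {"score": score, "grade": grade_for(score), "findings": findings, "leaks": leaks}


def fetch_headers(url, timeout=10.0):
    """Fetch live response headers; `requests` is imported lazily so the rest runs offline."""
    import requests
    return dict(requests.get(url, timeout=timeout, allow_redirects=True).headers)


# Constructed sample: a weakly configured server that also discloses its stack.
SAMPLE_WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    report = audit_headers(SAMPLE_WEAK)
    print(f"Grade {report['grade']} ({report['score']}/100)")
    for f in report["findings"]:
        print(f"  [{f['severity']}] {f['header']}: {f['issue']}")
    for leak in report["leaks"]:
        print(f"  [INFO LEAK] {leak['header']}: {leak['value']} ({leak['issue']})")
```

Run as-is to score the constructed sample, or replace `SAMPLE_WEAK` with `fetch_headers("https://example.com")` to audit a live site. With the assumed weights the sample earns 23 of 78 points (HSTS present but short-lived, two headers correct, seven missing), which rounds to 29 before the two info-leak deductions bring it to 19, grade F.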
Requirements:

```bash
pip install requests
```