HTTP Headers Check

See every HTTP response header for any URL. Includes security header grading (A+ through F), missing header detection, and categorization into security, caching, and general headers. Like SecurityHeaders.com, but with more context.

All response headers
Security grade A+ to F
10 security headers checked
Missing header detection

The 10 security headers we check

Strict-Transport-Security (HSTS)

High impact

Forces all connections to use HTTPS. Without it, users can be downgraded to insecure HTTP.

Content-Security-Policy (CSP)

High impact

Controls which resources browsers can load. Prevents XSS attacks by blocking unauthorized scripts.

X-Frame-Options

Medium impact

Prevents your page from being embedded in iframes on other domains. Blocks clickjacking attacks.

X-Content-Type-Options

Medium impact

Prevents browsers from MIME-type sniffing. Set to 'nosniff' to avoid content interpretation attacks.

Referrer-Policy

Medium impact

Controls what URL information is sent when users click links to external sites. Prevents data leakage.

Permissions-Policy

Low impact

Controls which browser features (camera, microphone, geolocation) your site can access.

Cross-Origin-Opener-Policy

Low impact

Isolates your browsing context from cross-origin documents. Part of Spectre mitigation.

Cross-Origin-Resource-Policy

Low impact

Controls which origins can load your resources. Prevents cross-origin data leaks.

Cross-Origin-Embedder-Policy

Low impact

Requires all resources to explicitly grant permission to be loaded. Works with COOP for isolation.

X-XSS-Protection

Low impact

Legacy XSS filter (mostly superseded by CSP). Still checked for older browser compatibility.

How grading works

A+: All 10 headers present
A: 8-9 headers
B: 6-7 headers
C: 4-5 headers
D: 2-3 headers
F: 0-1 headers
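
The header list and grading scale above, sketched as an added Python example (not the tool's own code). It parses a constructed raw response, counts which of the 10 headers are present, and applies the A+ to F scale. The `CACHING` set and the function names are assumptions, since the page does not list which headers it treats as caching headers.

```python
# Added example: presence-based grading of the 10 headers listed on this page.
SECURITY = ("strict-transport-security", "content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy",
            "cross-origin-opener-policy", "cross-origin-resource-policy",
            "cross-origin-embedder-policy", "x-xss-protection")
# Assumption: the page does not say which headers it files under "caching".
CACHING = {"cache-control", "etag", "expires", "age", "last-modified", "vary"}

def parse_headers(raw):
    """Parse a raw HTTP/1.x response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [1:] skips status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def grade(count):
    if count == len(SECURITY):
        return "A+"
    for floor, letter in ((8, "A"), (6, "B"), (4, "C"), (2, "D")):
        if count >= floor:
            return letter
    return "F"

def check(raw):
    headers = parse_headers(raw)
    present = [h for h in SECURITY if h in headers]
    warnings = []
    # Presence alone earns the grade; the page also says this value must be 'nosniff'.
    if any(v.lower() != "nosniff" for v in headers.get("x-content-type-options", [])):
        warnings.append("x-content-type-options is not 'nosniff'")
    return {
        "grade": grade(len(present)),
        "missing": [h for h in SECURITY if h not in headers],
        "caching": sorted(h for h in headers if h in CACHING),
        "general": sorted(h for h in headers if h not in SECURITY and h not in CACHING),
        "warnings": warnings,
    }

# Constructed sample response (not captured from a real site).
SAMPLE = "\r\n".join([
    "HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8",
    "Cache-Control: max-age=3600", "Server: example",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "content-security-policy: default-src 'self'", "X-Frame-Options: DENY",
    "X-Content-Type-Options: sniff", "Referrer-Policy: no-referrer", "", "<html>"])
```

Calling `check(SAMPLE)` grades the sample C with five headers missing, and the warning shows that a header can count toward the grade while carrying a value that does nothing.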

Common questions

How do I add security headers?
It depends on your platform. On Cloudflare: use Transform Rules. On Apache: add Header directives to .htaccess. On Nginx: add add_header directives. On Vercel/Netlify: use a headers config file. Our scan results show the exact header values — just copy and paste.
Which headers matter most?
HSTS and CSP have the highest impact. HSTS prevents HTTP downgrade attacks. CSP prevents XSS — the most common web vulnerability. Adding just these two can jump your grade from F to B.
How does this compare to SecurityHeaders.com?
Very similar — we check the same headers and use a comparable grading scale. We also categorize headers into security, caching, and general, and show the full response header dump with copy-all functionality.
My CDN adds headers — does that count?
Yes. We check the final response headers as delivered to the browser. If Cloudflare, Fastly, or your CDN adds security headers, they'll show up and improve your grade.


Want the full picture?

The includes header checking as part of the SSL module, plus 7 other categories.
