Security headers check
Grade your site's HTTP response headers against HSTS, CSP, X-Frame-Options, and other baseline defenses.
About security headers
Modern browsers respect a set of response headers that limit what your site can do — and what attackers can do to it. They're trivial to add (one config line in nginx, one middleware in Express) and meaningfully reduce attack surface. Most sites are missing at least three of the six commonly recommended headers.
The grade is weighted roughly by how much each header matters: CSP carries the most weight (it's the strongest defense against XSS), HSTS is next (forces HTTPS), then X-Frame-Options (anti-clickjacking), and so on. An A is achievable for most static sites in under an hour of config work.
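The weighting described above, sketched as an added example (not this checker's own code); it also shows why presence alone is not enough, by giving a weak value only half credit. Assumptions: the three headers beyond CSP, HSTS and X-Frame-Options, the numeric weights, the half-credit rule, the 180-day HSTS floor and the grade cut-offs, since the page gives only the ordering.

```javascript
function parseCsp(value) {
  const directives = {};
  for (const part of (value || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}
// [header, weight, isStrong(value)]; assumed weights summing to 100, not the tool's real ones.
const CHECKS = [
  ["content-security-policy", 30, (v) => {
    const csp = parseCsp(v);
    const src = csp["script-src"] || csp["default-src"];
    return Boolean(src) && !src.includes("'unsafe-inline'") && !src.includes("*");
  }],
  ["strict-transport-security", 25, (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 15552000; // assumed floor: 180 days
  }],
  ["x-frame-options", 15, (v) => /^(deny|sameorigin)$/i.test(v.trim())],
  ["x-content-type-options", 10, (v) => v.trim().toLowerCase() === "nosniff"],
  ["referrer-policy", 10, (v) => !["", "unsafe-url"].includes(v.trim().toLowerCase())],
  ["permissions-policy", 10, (v) => v.trim() !== ""],
];

function gradeHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  // CSP frame-ancestors gives the same anti-framing control as X-Frame-Options.
  const framed = "frame-ancestors" in parseCsp(h["content-security-policy"]);
  let score = 0;
  const findings = [];
  for (const [name, weight, isStrong] of CHECKS) {
    const value = h[name];
    const covered = name === "x-frame-options" && framed;
    if (covered || (value !== undefined && isStrong(value))) {
      score += weight;
    } else if (value === undefined) {
      findings.push(`${name}: missing`);
    } else {
      score += weight / 2; // present but weak: half credit (assumed rule)
      findings.push(`${name}: weak value`);
    }
  }
  const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
  return { score, grade, findings };
}
const SAMPLE = { "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "DENY" }; // constructed input
```

Call `gradeHeaders` with the header map from any HTTP client response; `findings` lists what to fix first.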