HeaderGuard
Free Security Header Scanner

Your site probably has an F in security headers.
Let's fix that in 5 minutes.

Paste any URL and get an A–F grade with copy-paste fix code for your exact framework. Next.js, Express, Nginx, Apache, or Cloudflare — we write the snippet, you paste it.

No account required · We only read headers — never your content · Results in under 5 seconds

12,847+ scans run
10 headers evaluated
5 frameworks supported
< 5 min time to fix

92% of websites are failing basic security header checks.

HTTP security headers are a few lines of server configuration. They stop clickjacking, cross-site scripting, data leakage, and a dozen other attacks before they start. They cost nothing to add. And yet, according to Scott Helme's annual web crawl, 92% of the top 1 million websites score a C or worse.

The problem is not awareness. The problem is friction. The tools that exist tell you what is missing, but not what to write. They assume you already know the difference between an Nginx server block and a Next.js headers() config. Most developers do not, and they should not have to.

You get the grade but not the fix

Existing tools tell you your score. They do not tell you to add headers() to next.config.js, what value to use for Content-Security-Policy, or how to avoid breaking your application. You are left Googling. You give up. Nothing changes.

No one tells you when it breaks

You fixed your headers last quarter. Then a CDN change wiped them. Then a framework upgrade cleared your middleware. You found out from a pen tester six months later. Without monitoring, a one-time fix is not a fix.

Your CI/CD pipeline does not check this

You have automated tests for functionality. You have linters. You have type checking. You have nothing that fails a deployment when your security header grade drops from A to F. That gap is how regressions reach production.

Three steps. Under five minutes.

01. Paste your URL

Enter any publicly accessible URL. No account required to start. HeaderGuard sends a HEAD request to your server and reads the response headers. No page content is ever fetched or stored.

02. Get your A–F grade

We evaluate 10 security headers against current best practices — Content-Security-Policy, HSTS, X-Frame-Options, and seven more. You get a letter grade, a numeric score out of 100, and a color-coded breakdown of every header.

03. Copy your fix and ship it

Select your framework — Next.js, Express, Nginx, Apache, or Cloudflare Workers. HeaderGuard writes the exact configuration code you need to copy into your project. Not generic docs. The specific, correct snippet for your stack.

Example scan (headerguard.io/scan/example)

example.com — just now
Grade C, 58/100
3 critical issues, 4 warnings

Content-Security-Policy: Critical, 0/30
Strict-Transport-Security: Good, 10/15
X-Content-Type-Options: Good, 10/10
X-Frame-Options: Medium, 0/10
Referrer-Policy: Low, 0/8
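How a breakdown like the one above can be turned into a score and letter grade, as an added illustration that is not HeaderGuard's own scoring code. The weights for the five headers shown come from the sample result; the other five weights, the per-header rules, the A–F cut-offs and the sample responses are assumptions constructed for this example.

```javascript
// Added illustration, not HeaderGuard's code. Weights for the first five headers come from the
// sample scan on this page; the other five weights, per-header rules and A-F cut-offs are assumptions.
const SAFE_REFERRER = new Set(["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]);

function hstsPoints(v) {
  // Assumed rule: a one-year max-age earns 10, includeSubDomains 3 more, preload 2 more.
  const maxAge = Number((/max-age=(\d+)/i.exec(v) || [])[1] || 0);
  if (maxAge < 31536000) return 0;
  return 10 + (/includeSubDomains/i.test(v) ? 3 : 0) + (/preload/i.test(v) ? 2 : 0);
}

// Each check: lower-cased header name, maximum points, and a function from header value to points.
const CHECKS = [
  ["content-security-policy", 30, v => (/'unsafe-inline'|'unsafe-eval'/.test(v) ? 15 : 30)],
  ["strict-transport-security", 15, hstsPoints],
  ["x-content-type-options", 10, v => (v.trim().toLowerCase() === "nosniff" ? 10 : 0)],
  ["x-frame-options", 10, v => (/^(deny|sameorigin)$/i.test(v.trim()) ? 10 : 0)],
  ["referrer-policy", 8, v => (SAFE_REFERRER.has(v.trim().toLowerCase()) ? 8 : 4)],
  ["permissions-policy", 7, () => 7],
  ["cross-origin-opener-policy", 5, v => (/^same-origin(-allow-popups)?$/i.test(v.trim()) ? 5 : 0)],
  ["cross-origin-resource-policy", 5, v => (/^same-(origin|site)$/i.test(v.trim()) ? 5 : 0)],
  ["cross-origin-embedder-policy", 5, v => (/^(require-corp|credentialless)$/i.test(v.trim()) ? 5 : 0)],
  ["x-xss-protection", 5, v => (v.trim() === "0" ? 5 : 0)], // current guidance: disable the legacy filter
];

function letterGrade(score) {
  // Assumed cut-offs; the page gives the A-F scale but not the thresholds.
  return score >= 90 ? "A" : score >= 80 ? "B" : score >= 70 ? "C" : score >= 60 ? "D" : "F";
}

// `headers` maps lower-cased response header names to values; a missing header scores 0.
function evaluateHeaders(headers) {
  const breakdown = CHECKS.map(([name, max, fn]) => {
    const value = headers[name];
    const points = value === undefined ? 0 : Math.min(max, fn(value));
    return { name, points, max };
  });
  const score = breakdown.reduce((sum, b) => sum + b.points, 0);
  return { score, grade: letterGrade(score), breakdown };
}

// Constructed sample: a site that set HSTS and nosniff but little else.
const SAMPLE_HEADERS = {
  "content-type": "text/html; charset=utf-8",
  "strict-transport-security": "max-age=31536000",
  "x-content-type-options": "nosniff",
  "referrer-policy": "unsafe-url",
};

console.log(evaluateHeaders(SAMPLE_HEADERS));
```

Feed it the lower-cased headers from a HEAD response and the breakdown lists exactly which header cost points, which is the information the fix snippets then act on.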

Everything you need. Nothing you do not.

🛡️ 10 Headers Evaluated

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, and X-XSS-Protection — every header that matters.

Framework Fix Code (Free)

Select your framework and get the exact snippet. next.config.ts for Next.js. helmet() for Express. add_header for Nginx. Header set for Apache.

🔔 Grade Change Alerts (Pro)

HeaderGuard scans your domain daily. The moment your grade changes — up or down — you get a Slack message or email within 1 hour.

📈 Historical Trends (Pro)

See your security posture over time. A 90-day chart shows every score change so you can correlate regressions with specific deployments.

🔌 CI/CD API Integration (Pro)

One API call in GitHub Actions. If the grade drops below your threshold, the build fails. Keep header regressions out of production automatically.

🗺️ Bulk Sitemap Scan (Pro)

Submit your sitemap.xml and scan every page at once. Catch inconsistencies where headers apply to your home page but not app routes.

🔗 Shareable Results (Free)

Every scan generates a permanent link you can share with your team, client, or reviewer. No account required to view.

🏅 "Secured by HeaderGuard" Badge (Pro)

A dynamic badge displaying your real-time grade. Embed in your site footer or README. Auto-updates to reflect your current score.

Simple, honest pricing

Free forever for casual scanning. Pro for teams that need monitoring and CI/CD integration.

Free

$0/month

No credit card required

  • 10 scans per day
  • Full A–F grade with 10-header breakdown
  • Framework fix snippets (Next.js, Express, Nginx, Apache, Cloudflare)
  • Shareable results link
  • 7-day scan history
Start Scanning Free

Pro (Most Popular)

$9/month

Billed monthly. Cancel any time.

  • Everything in Free, plus:
  • Unlimited scans per day
  • Daily automated monitoring (up to 10 domains)
  • Slack and email alerts on grade change
  • 90-day historical grade trend charts
  • Bulk scan via sitemap (up to 100 URLs)
  • CI/CD API integration with API key
  • 365-day scan history
  • "Secured by HeaderGuard" dynamic badge
  • Priority email support

No charge until day 8. Cancel before then and pay nothing.

Questions? See the FAQ below or email hello@headerguard.io

Developers who fixed their headers

F → A
"I had an F grade and had no idea. HeaderGuard gave me the exact next.config.js block I needed. Fixed it in 10 minutes, went from F to A. The monitoring is what made me subscribe — I want to know the second something breaks."
Alex K., indie hacker and SaaS founder

CI/CD
"We use it in our GitHub Actions pipeline. The build fails if we drop below a B. We have not had a header regression in production since we added it. Completely worth $9 a month."
Priya M., engineering lead

A+
"I include the scan results link in every client website delivery. It makes the security conversation concrete. Clients understand a grade. They do not understand a list of missing headers."
Marcus T., freelance web developer

Frequently asked questions

Find out your grade right now.

The scan takes 5 seconds. The fix takes 5 minutes. The monitoring takes 5 clicks to set up.

If your site is sitting on a C or below — and statistically, it probably is — you are leaving users exposed to clickjacking, cross-site scripting, and data leakage for no reason other than not knowing the exact lines of configuration to add. Now you know where to get them.
