Security headers grader

HTTP /api/v1/http/security-headers

A+ to F grade for HSTS, CSP, X-Frame-Options, COOP, Referrer-Policy and more.

Try: https://host.com https://checkhost.com https://hostinfo.com https://crypt.tools

Related: HTTP headers Security headers grader Redirect chain tracer SSL certificate inspector robots.txt parser sitemap.xml inspector

7% — F

URL: https://https://liveimg-cf.afreecatv.com

Status 0 · 10 checks

Strict-Transport-Security

missing — add `max-age≥15552000; includeSubDomains; preload`

+20

Content-Security-Policy

missing — limits XSS blast radius

+25

X-Content-Type-Options

should be `nosniff`

+10

X-Frame-Options / frame-ancestors

prevents clickjacking

+10

Referrer-Policy

controls Referer leakage

Permissions-Policy

restricts powerful features

Cross-Origin-Opener-Policy

COOP isolates browsing context

Cross-Origin-Resource-Policy

CORP blocks cross-origin reads

Server header masked

don't leak version

X-Powered-By absent

don't advertise stack

Sponsored host.tools Pro

Bulk lookups · monitors · webhooks · 10,000 API calls/day

Upgrade to Pro for $19/mo. Cancel anytime. Works with the same API you already use.

Upgrade →

How to use Security headers grader

1

Paste your input

Enter the value at the top — domain, IP, URL, email, ASN, hash, whatever fits this tool. The smart input auto-detects type.
2

Click "Inspect"

host.tools issues real probes (DNS, HTTP, TCP, TLS, WHOIS where applicable) and renders the result in milliseconds.
3

Open the API tab

Every web tool has a sibling /api/v1/http/security-headers JSON endpoint with the same payload. One copy-as-curl click and you're scripting it.

Why this matters

Headers are how the modern web declares its security posture. Auditing them is the highest-ROI thing you can do this week.

API equivalent

/api/v1/http/security-headers?q=https%3A%2F%2Fhttps%3A%2F%2Fliveimg-cf.afreecatv.com

curl -s '/api/v1/http/security-headers?q=https%3A%2F%2Fhttps%3A%2F%2Fliveimg-cf.afreecatv.com'

Embed this tool

<iframe src="/http/security-headers?q={INPUT}&embed=1"
  width="100%" height="600" frameborder="0"></iframe>

Drop into any HTML page. The embed=1 flag hides nav and footer.

FAQ · Security headers grader

Common questions

Is Security headers grader free?

Yes — every tool is free on the web with a 200/hour rate limit per IP. The matching API endpoint /api/v1/http/security-headers is free up to 100 requests/hour, no key required.

Where does the data come from?

Real-time probes against authoritative sources (DNS root, RIRs, registries, the target server itself), plus partner data feeds from hostinfo.com (GeoIP/ASN) and hostcheck.com (reputation).

How fresh are the results?

Live by default. Cached for 5 minutes to make repeat queries instant; pass ?nocache=1 for a forced refresh.

Can I run this from the command line?

Yes — every tool ships with a copy-as-curl. There's also an official CLI: host.tools http security-headers YOUR_INPUT.

Can I monitor results over time?

Pro tier lets you schedule any tool to run every 1/5/15/60 min and alert on diff. See monitors.

host.tools Pro

Run Security headers grader on a schedule. Get pinged when it changes.

Pro gets you bulk lookups, monitors, webhook alerts, history, exports and 10,000 API calls/day. $19/mo.

See pricing Tour monitors

✓Schedule any tool — every 1, 5, 15, 60 min
✓Diff against last run, alert on change
✓Webhook + email + Slack + PagerDuty + OpsGenie
✓Bulk CSV upload, 1,000 inputs per job
✓Export results as CSV / NDJSON / Excel
✓90-day history, comparison view