Fetch a URL and grade its HTTP security headers. Pass url (scheme optional — defaults to https). Returns an overall letter grade + score, the list of present/missing headers, and a per-header analysis with the live value and specific issues for: Strict-Transport-Security (HSTS max-age/includeSubDomains), Content-Security-Policy (flags 'unsafe-inline'/'unsafe-eval'/missing default-src), X-Frame-Options or CSP frame-ancestors (clickjacking), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener/Resource-Policy. Also flags Server/X-Powered-By info disclosure. Analyzed from the target's LIVE response headers through an SSRF-guarded fetch (private/loopback targets refused) — an LLM cannot see a site's current headers. For web-app security review, vendor assessment, and CI gates.

Payment Options