HTTP security headers are instructions a web server sends with every response to tell browsers how to behave. They form a critical defense layer against common attacks without requiring changes to your application code.

Key headers and what they prevent:

• Content-Security-Policy (CSP) — Prevents cross-site scripting (XSS) by restricting which scripts, styles, and resources the browser may load.
• Strict-Transport-Security (HSTS) — Forces browsers to use HTTPS only, preventing man-in-the-middle (MITM) and protocol downgrade attacks.
• X-Frame-Options — Prevents clickjacking by controlling whether your site can be embedded in iframes.
• X-Content-Type-Options — Prevents MIME-type sniffing, stopping browsers from executing files as a different type than declared.
• X-XSS-Protection — Legacy browser filter for reflected XSS (deprecated in modern browsers but still useful).
• Referrer-Policy — Controls how much referrer data is sent to other sites, protecting privacy and sensitive URLs.
• Permissions-Policy — Restricts which browser features (camera, microphone, geolocation) the page can use.

This tool sends a request to the target domain and evaluates each header, scoring your configuration from A (best) to F (critical gaps).