~/ curl -sI https://…
HTTP Header Checker
Inspect the HTTP response headers of any public site: security-header grade, cookie flags, caching policy and the full redirect chain. Only the headers are fetched — never the page body.
What the grade means
The grade counts the six core security headers every production site should send:
Strict-Transport-Security, Content-Security-Policy,
X-Content-Type-Options, X-Frame-Options (or CSP
frame-ancestors), Referrer-Policy and
Permissions-Policy. All six present is an A; each missing header drops
one letter, and a site served over plain HTTP is capped at D. The grade measures
header hygiene, not overall security — a site can score an A and still be vulnerable
elsewhere.
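The grading rule above, re-implemented locally as an added example (not the site's own code), run over the raw output of `curl -sI` or `curl -sIL`. The A-F letter scale with F as the floor, grading the final response in the redirect chain, and the function names are assumptions that the page does not specify.

```python
import re

# Assumptions (not from the page): letters run A-F with F as the floor, and
# the grade is computed on the final response of the redirect chain.
LETTERS = "ABCDEF"
CORE = ("strict-transport-security", "content-security-policy",
        "x-content-type-options", "referrer-policy", "permissions-policy")

def parse_final_headers(raw):
    """Parse `curl -sI` / `curl -sIL` output; return the last block's headers."""
    blocks = [b for b in raw.replace("\r\n", "\n").split("\n\n") if b.strip()]
    headers = {}
    for line in (blocks[-1].split("\n")[1:] if blocks else []):  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()  # header names are case-insensitive
            prior = headers.get(key)
            headers[key] = f"{prior}, {value.strip()}" if prior else value.strip()
    return headers

def missing_headers(headers):
    missing = [h for h in CORE if h not in headers]
    csp = headers.get("content-security-policy", "").lower()
    directives = {d.split()[0] for d in re.split(r"[;,]", csp) if d.strip()}
    # X-Frame-Options and CSP frame-ancestors fill the same slot
    if "x-frame-options" not in headers and "frame-ancestors" not in directives:
        missing.append("x-frame-options")
    return missing

def grade(raw, scheme):
    missing = missing_headers(parse_final_headers(raw))
    index = min(len(missing), len(LETTERS) - 1)  # one letter per missing header
    if scheme == "http":
        index = max(index, LETTERS.index("D"))  # plain HTTP is capped at D
    return LETTERS[index], missing

# Constructed sample: one redirect, then a final response with no
# Permissions-Policy and with frame-ancestors standing in for X-Frame-Options.
SAMPLE = (
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n\r\n"
)

if __name__ == "__main__":
    print(grade(SAMPLE, "https"))
```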
API
The same check is available as a public JSON endpoint, useful in CI to catch a misconfigured reverse proxy before your users do:
curl 'https://myconf.it/api/headers?url=example.com'
curl 'https://myconf.it/api/headers.md?url=example.com'
Only the status line and response headers are fetched and returned — never the body — with at most 5 redirects followed and standard ports only. See the API docs for the response envelope.