Security headers scored instantly.
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — Kuality checks every HTTP response header that eliminates entire attack classes, grades your configuration, and tells you exactly what to fix.
Missing CSP exposes site to XSS attacks. Missing Referrer-Policy leaks URLs to third parties.
Every security header that matters
Six response headers eliminate entire classes of attacks without touching your application code. Kuality checks all of them, grades each, and recommends production-ready values.
Content-Security-Policy
Prevents XSS by allowlisting sources for scripts, styles, images, and fonts. Missing CSP is the single highest-impact security header gap on the web.
Strict-Transport-Security
Forces HTTPS and prevents SSL-stripping attacks. Kuality checks max-age, includeSubDomains, and preload readiness.
X-Frame-Options
Prevents clickjacking by blocking your page from being loaded in an iframe. Kuality validates DENY or SAMEORIGIN and flags conflicting CSP frame-ancestors directives.
X-Content-Type-Options
Prevents MIME-sniffing attacks by telling browsers to trust the declared content type. Should always be set to nosniff.
Referrer-Policy
Controls how much URL information is sent in the Referer header to third parties. Kuality flags missing policies that leak internal URLs to analytics and ad networks.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation) can be used by the page and embedded iframes. Replaces the deprecated Feature-Policy header.
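The checks described for these six headers can be sketched as a small audit over one response's headers. This is an added example, not Kuality's own code; the finding labels, the sample headers, the one-year preload threshold and the rule for what counts as an X-Frame-Options / frame-ancestors conflict are assumptions made for illustration.

```python
import re

ONE_YEAR = 31536000  # seconds; minimum max-age for HSTS preload-list submission
REQUIRED = ("content-security-policy", "strict-transport-security", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy")

def parse_hsts(value):
    """Return (max_age or None, includeSubDomains?, preload?) for an HSTS value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives, "preload" in directives

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def audit(headers):
    """Return finding labels (hypothetical names) for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing:{name}" for name in REQUIRED if name not in h]
    if "strict-transport-security" in h:
        max_age, subdomains, preload = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < ONE_YEAR or not (subdomains and preload):
            findings.append("hsts:not-preload-ready")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("xcto:not-nosniff")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("xfo:invalid")
    # Assumed conflict rule: frame-ancestors must match the XFO equivalent.
    equivalent = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}.get(xfo)
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if equivalent and ancestors is not None and ancestors != equivalent:
        findings.append("xfo:conflicts-with-frame-ancestors")
    if "feature-policy" in h:
        findings.append("deprecated:feature-policy")
    return findings

# Constructed sample response headers (not from a real site).
SAMPLE = {"Strict-Transport-Security": "max-age=86400; includeSubDomains",
          "Content-Security-Policy": "default-src 'self'; frame-ancestors https://partner.example",
          "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
          "Feature-Policy": "camera 'none'"}
print(audit(SAMPLE))
```

Browsers that support frame-ancestors ignore X-Frame-Options when both are present, so a mismatch like the one in the sample means the effective framing policy is the looser CSP one.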
Security headers are one of 17 checks in Kuality
Run the headers audit alongside accessibility, Core Web Vitals, broken links, and cookie compliance — all in a single scan, tracked over time, with CI/CD quality gates.
Scan your security headers free
Free plan. No credit card. No install.