Scan any site in seconds - CSP, HSTS, clickjacking, cookie flags and TLS expiry graded A+ to F, with copy-paste fixes for next.config.ts and vercel.json. One lifetime key, no per-credit pricing.
`Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
Content-Security-Policy parsed and graded — unsafe-inline and unsafe-eval are called out before an XSS finds them.
max-age, includeSubDomains and certificate days-remaining in one call.
X-Frame-Options or CSP frame-ancestors — either keeps your pages out of hostile iframes.
Every Set-Cookie checked for Secure, HttpOnly and SameSite.
Each failing header ships a ready next.config.ts and vercel.json snippet. Fix in minutes, not sprints.
Wire the REST API into CI or cron and catch regressions the moment a deploy drops a header.
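The five controls described above, as an added illustration (not HeaderShield's own scanner code): a small audit function over a constructed set of response headers, with an assumed 14-day TLS threshold and a constructed letter-grade scale.

```python
"""Added illustration (not HeaderShield's scanner): audit response headers against the controls above."""
import re

def audit_headers(headers: dict, cert_days_remaining: int) -> dict:
    """Return {control: (passed, detail)}. Header names are lowercase; values are lists (Set-Cookie repeats)."""
    results = {}
    # CSP: must be present, and script-src (or the default-src fallback) must not allow unsafe-inline/unsafe-eval
    csp = headers.get("content-security-policy", [""])[0]
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script_src = directives.get("script-src", directives.get("default-src", []))
    unsafe = [t for t in script_src if t.lower() in ("'unsafe-inline'", "'unsafe-eval'")]
    results["csp"] = (bool(csp) and not unsafe, "missing" if not csp else (", ".join(unsafe) or "strict"))
    # HSTS: max-age of at least one year (31536000 s) plus includeSubDomains
    hsts = headers.get("strict-transport-security", [""])[0].lower()
    m = re.search(r"max-age=(\d+)", hsts)
    max_age = int(m.group(1)) if m else 0
    results["hsts"] = (max_age >= 31536000 and "includesubdomains" in hsts, f"max-age={max_age}")
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive without '*'
    xfo = headers.get("x-frame-options", [""])[0].strip().upper()
    fa = directives.get("frame-ancestors")
    framed_ok = xfo in ("DENY", "SAMEORIGIN") or (fa is not None and "*" not in fa)
    results["clickjacking"] = (framed_ok, xfo or (f"frame-ancestors {' '.join(fa)}" if fa else "none"))
    # Cookies: every Set-Cookie needs Secure, HttpOnly and SameSite
    weak = []
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly", "samesite"} <= attrs:
            weak.append(cookie.split("=")[0])
    results["cookies"] = (not weak, "all flagged" if not weak else "weak: " + ", ".join(weak))
    # TLS: flag certificates with fewer than 14 days remaining (threshold is an assumption)
    results["tls_expiry"] = (cert_days_remaining >= 14, f"{cert_days_remaining} days remaining")
    return results

def grade(results: dict) -> str:
    """Letter grade from the number of passing controls (a constructed scale, not the product's)."""
    passed = sum(1 for ok, _ in results.values() if ok)
    return {5: "A+", 4: "B", 3: "C", 2: "D"}.get(passed, "F")

# Constructed sample response: strong HSTS and frame-ancestors, but unsafe-inline script-src and a cookie without HttpOnly
SAMPLE = {
    "content-security-policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'"],
    "strict-transport-security": ["max-age=63072000; includeSubDomains; preload"],
    "set-cookie": ["session=abc; Path=/; Secure; HttpOnly; SameSite=Lax", "prefs=1; Path=/; Secure; SameSite=Lax"],
}
```

Running `audit_headers(SAMPLE, cert_days_remaining=40)` flags the CSP and the `prefs` cookie while HSTS, clickjacking and TLS pass, which on the constructed scale grades as C.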
This grade is produced live by HeaderShield's own scanner running against HeaderShield's own response headers — 9 of 9 controls passing, including a strict CSP, HSTS preload, clickjacking DENY and a locked-down Permissions-Policy. Scan us yourself above.
| Feature | Free scanners | HeaderShield |
|---|---|---|
| API access | None — manual scans only | REST API, lifetime key |
| Fix snippets | Generic advice | next.config.ts + vercel.json, copy-paste |
| TLS expiry check | Separate tool | Built into every scan |
| Cookie flags audit | Not included | Secure / HttpOnly / SameSite per cookie |
| CI / cron monitoring | Not possible | One curl in your pipeline |
Redeem your coupon and get a lifetime API key — no recurring billing.