Open source · MIT · Zero dependencies

Grade your website's HTTP security headers from A+ to F.

A small Node.js CLI that scans HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy and more, then tells you exactly what's missing and how to fix it. Built by TrustYourWebsite as part of our compliance scanning suite.

Quick start

npx @trustyourwebsite/security-headers https://example.com

Requires Node.js 18+. Want the full picture — cookies, DNS auth, accessibility, GDPR cookie consent and more — across your entire site? Run a free scan at trustyourwebsite.com.

Sample output

Security Headers Report
=======================
URL:    https://example.com
Grade:  B (72/100)
TLS:    TLS 1.3

Headers:
   Strict-Transport-Security        max-age=31536000; includeSubDomains
   Content-Security-Policy          MISSING — Add CSP to prevent XSS attacks
   X-Content-Type-Options            nosniff
   X-Frame-Options                   DENY
   Referrer-Policy                   no-referrer-when-downgrade — Consider strict-origin-when-cross-origin
   Permissions-Policy                MISSING — Restrict access to browser features
   X-XSS-Protection                  0 (correctly disabled)
   Cross-Origin-Opener-Policy        MISSING

Information Disclosure:
   Server: nginx/1.24.0 — Remove version number
   X-Powered-By: Express — Remove this header

Recommendations:
  1. Add Content-Security-Policy header (HIGH priority)
  2. Add Permissions-Policy header (MEDIUM priority)
  3. Remove server version from Server header (LOW priority)

Full website compliance scan → https://trustyourwebsite.com

Zero runtime deps

Only Node's built-in node:https, node:http and node:tls. Security tooling should have minimal attack surface.

CI-friendly

Exit-code aware --ci mode with a configurable --min-grade. Drop it into GitHub Actions or GitLab CI in one line.

Real CSP parser

Doesn't just check if CSP exists. Parses every directive, flags unsafe-inline, unsafe-eval, wildcards and other footguns with specific fix advice.

Headers we check

| Header | Weight | What we check |
| --- | --- | --- |
| Strict-Transport-Security | High | max-age ≥ 1 year, includeSubDomains, preload |
| Content-Security-Policy | High | Dangerous values, directives, wildcards |
| X-Content-Type-Options | Medium | Must be nosniff |
| X-Frame-Options | Medium | DENY or SAMEORIGIN |
| Referrer-Policy | Medium | Privacy-respecting values |
| Permissions-Policy | Medium | Dangerous features restricted |
| Cross-Origin-Opener-Policy | Medium | same-origin preferred |
| Cross-Origin-Resource-Policy | Low | same-origin or same-site |
| Cross-Origin-Embedder-Policy | Low | require-corp for isolation |
| Cache-Control | Low | no-store or private for sensitive pages |
| X-XSS-Protection | Low | Deprecated — should be 0 or absent |
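The CSP checks described under "Real CSP parser" and the HSTS row of the table above, as an added Node.js example that is not the package's own code: it splits the header into directives, flags 'unsafe-inline' (only when no nonce or hash already makes it inert), 'unsafe-eval', wildcard and scheme-only script sources, and an unrestricted object-src, and checks the HSTS max-age against the one-year floor. The function names and the finding shape are this example's own, not the CLI's API.

```javascript
// Added illustration, not the package's own parser: a minimal CSP audit plus the
// HSTS max-age check from the table. Findings are plain {directive, issue, fix} objects.
// Split "default-src 'self'; script-src 'self' 'unsafe-inline'" into
// directive name -> list of source expressions. A repeated directive is ignored
// by browsers, so only the first occurrence is kept.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}
function auditCsp(header) {
  const findings = [];
  const csp = parseCsp(header);
  // script-src falls back to default-src when absent, so audit the effective directive.
  const name = csp.has('script-src') ? 'script-src' : 'default-src';
  const sources = csp.get(name);
  if (!sources) {
    findings.push({ directive: 'script-src', issue: 'neither script-src nor default-src is set; scripts load from anywhere', fix: "add default-src 'self'" });
    return findings;
  }
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is only a real hole without one.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push({ directive: name, issue: "'unsafe-inline' allows injected inline scripts", fix: 'switch to nonces or hashes' });
    } else if (s === "'unsafe-eval'") {
      findings.push({ directive: name, issue: "'unsafe-eval' allows eval() and new Function()", fix: 'remove eval usage, then drop the keyword' });
    } else if (s === '*' || s === 'https:' || s === 'http:' || s === 'data:') {
      findings.push({ directive: name, issue: `wildcard or scheme-only source ${src} permits scripts from any host`, fix: 'list exact origins' });
    }
  }
  // object-src has no safe default unless default-src restricts it.
  if (!csp.has('object-src') && !csp.has('default-src')) {
    findings.push({ directive: 'object-src', issue: 'object-src is unrestricted (plugin-based injection)', fix: "add object-src 'none'" });
  }
  return findings;
}
// HSTS: max-age must be at least one year (31536000 s); includeSubDomains is reported alongside.
function auditHsts(header) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(header ?? '');
  if (!m) return { ok: false, issue: 'missing or malformed max-age' };
  return { ok: Number(m[1]) >= 31536000, maxAge: Number(m[1]), includeSubDomains: /includeSubDomains/i.test(header) };
}
```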

Drop into CI

# GitHub Actions
- name: Check security headers
  run: npx @trustyourwebsite/security-headers https://your-site.com --ci --min-grade B

Headers are one piece of the compliance puzzle.

A real audit also covers cookie consent, GDPR, DNS email auth (SPF / DKIM / DMARC / BIMI / MTA-STS), accessibility, TLS configuration and broken-link health — on every page of your site. TrustYourWebsite runs all of those automatically and gives you a single fix-it report.

Run a free scan at trustyourwebsite.com →

dns-auth-check

Audit SPF, DKIM, DMARC, BIMI and MTA-STS for any domain.

cookie-consent-validator

Verify cookie banners actually stop tracking when users click "Reject All".