Stop Pasting URLs into Security Header Sites - Use This CLI

  • MyrinNew
    Senior Member
    • Feb 2024
    • 5168

    #1

    Get an A–F grade for your site's HTTP security headers without leaving the terminal. Use it as a library, a CLI, or a CI gate that fails deploys on regression.

    The flow goes like this:

    1. Ship a deploy.
    2. Alt-tab to securityheaders.com.
    3. Paste in the URL.
    4. Squint at the report.
    5. Realize someone removed the CSP three weeks ago and nobody noticed.

    I wanted step 2 to be npx.

    CLI

    npx @hailbytes/security-headers https://example.com

    Prints a color report to the terminal. Add --json to feed it into other tools, or just rely on the non-zero exit code on grade D or F to use it as a CI gate:

    npx @hailbytes/security-headers https://staging.example.com || exit 1


    Library

    import { analyze } from '@hailbytes/security-headers';

    const report = await analyze('https://example.com');
    // { grade: 'A+', score: 95, percentage: 95, headers: [...] }

    Or pass raw headers (for unit tests, or middleware that wants to grade its own response before sending):

    import { analyzeHeaders } from '@hailbytes/security-headers';

    const report = analyzeHeaders({
      'strict-transport-security': 'max-age=31536000; includeSubDomains',
      'content-security-policy': "default-src 'self'",
      'x-frame-options': 'DENY',
      // ...
    });


    What it checks

    Seven categories — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the Cross-Origin family (COEP/COOP/CORP). Each header gets a numeric score, a status (good / warning / missing / error), and specific remediation strings you can drop straight into a ticket.

    The grading scale is the obvious one:

    A+ ≥ 90%
    A ≥ 75%
    B ≥ 60%
    C ≥ 40%
    D ≥ 20%
    F

    npm install @hailbytes/security-headers


    Source: github.com/hailbytes/security-headers — MIT licensed.
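Added example, not the poster's code and not the package's source: a compact grader that produces a report of the same shape ({ grade, score, percentage, headers }) using the seven categories and the grade thresholds from the post, plus the CI-gate rule (non-zero on D or F), so the gate can be exercised offline against constructed header sets. The per-check scoring (2 good / 1 warning / 0 missing, a one-year HSTS floor, 'unsafe-inline' or 'unsafe-eval' in CSP as a warning) is this example's own assumption, not the package's actual scoring.

```javascript
// Added example, not the @hailbytes/security-headers source. Category list and
// grade thresholds come from the post; the per-check scoring rules below
// (2 good / 1 warning / 0 missing, HSTS max-age floor of one year, CSP warning
// on unsafe-inline/unsafe-eval) are this example's assumptions.
const GRADES = [['A+', 90], ['A', 75], ['B', 60], ['C', 40], ['D', 20], ['F', 0]];
const POINTS = { good: 2, warning: 1, missing: 0 };
function gradeFor(percentage) {
  return GRADES.find(([, min]) => percentage >= min)[0];
}
function checkHeaders(raw) {
  // Header names are case-insensitive; normalise before lookup so mixed-case input still grades.
  const h = Object.fromEntries(Object.entries(raw).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const check = (name, status, fix) => ({ name, status, points: POINTS[status], fix });
  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? Number((/max-age=(\d+)/i.exec(hsts) || [])[1]) : 0;
  const csp = h['content-security-policy'];
  const coFamily = ['cross-origin-embedder-policy', 'cross-origin-opener-policy',
    'cross-origin-resource-policy'].filter((n) => n in h).length;
  return [
    check('strict-transport-security', !hsts ? 'missing' : maxAge >= 31536000 ? 'good' : 'warning',
      'Set max-age to at least 31536000 and add includeSubDomains.'),
    check('content-security-policy', !csp ? 'missing' : /unsafe-(inline|eval)/.test(csp) ? 'warning' : 'good',
      "Define a CSP with a restrictive default-src and no 'unsafe-inline'."),
    check('x-frame-options', h['x-frame-options'] ? 'good' : 'missing', 'Add X-Frame-Options: DENY.'),
    check('x-content-type-options', h['x-content-type-options'] === 'nosniff' ? 'good' : 'missing',
      'Add X-Content-Type-Options: nosniff.'),
    check('referrer-policy', h['referrer-policy'] ? 'good' : 'missing', 'Add a Referrer-Policy.'),
    check('permissions-policy', h['permissions-policy'] ? 'good' : 'missing', 'Add a Permissions-Policy.'),
    check('cross-origin (COEP/COOP/CORP)', coFamily === 3 ? 'good' : coFamily ? 'warning' : 'missing',
      'Set all three Cross-Origin-* headers.'),
  ];
}
function analyzeHeaders(raw) {
  const headers = checkHeaders(raw);
  const score = headers.reduce((sum, c) => sum + c.points, 0);
  const percentage = Math.round((score / (headers.length * 2)) * 100);
  return { grade: gradeFor(percentage), score, percentage, headers };
}
// CI gate semantics from the post: non-zero exit on grade D or F.
const exitCodeFor = (report) => (report.grade === 'D' || report.grade === 'F' ? 1 : 0);
// Constructed sample responses: a hardened one, and a regressed one where CSP and most others vanished.
const hardened = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains', 'content-security-policy': "default-src 'self'",
  'x-frame-options': 'DENY', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=()', 'cross-origin-embedder-policy': 'require-corp',
  'cross-origin-opener-policy': 'same-origin', 'cross-origin-resource-policy': 'same-origin',
};
const regressed = { 'Strict-Transport-Security': 'max-age=300', 'X-Frame-Options': 'SAMEORIGIN' };
console.log(analyzeHeaders(regressed).grade, exitCodeFor(analyzeHeaders(regressed))); // D 1
```

The regressed set scores 3 of 14 points (21%), which lands on D and would fail the gate; the hardened set scores 100% for A+.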