Methodology & privacy

How HardenCheck works

HardenCheck reads your site's HTTP response headers and cookie flags, grades each one, and turns the result into an A–F report card with copy-paste fixes. This page explains what each header does, how the grade is calculated, the limits of fetching headers from the browser, and the privacy guarantee.

The privacy guarantee: it runs in your browser

HardenCheck has no backend. The grading engine is JavaScript that runs locally in this tab. When you paste a header block, every byte stays on your machine — it's never uploaded, logged, or stored.

There is exactly one network exception, and it only applies to URL mode: to read another site's headers from your browser, the request is routed through a public CORS proxy (see below). Paste mode makes no network request at all — load the page once, go offline, and it still grades your headers.

Verify it yourself. Open developer tools, switch to the Network tab, and run a check in paste mode. You won't see any request carrying your headers — because there isn't one.

The headers we grade

HardenCheck grades the response headers that materially change a site's security posture. Severity reflects how much risk a missing or weak header typically adds, on a four-tier scale — Critical, High, Medium, Low — coloured exactly as they appear on the report card. A missing CSP or HSTS is High; a missing frame or sniff protection is Medium; finer-grained controls are Low. The two strongest controls (CSP and HSTS) being absent at the same time escalates to Critical, as does a cookie that sets neither Secure nor HttpOnly.

Header                       | What it protects against                                                              | Severity
-----------------------------+---------------------------------------------------------------------------------------+---------------------
Content-Security-Policy      | Cross-site scripting (XSS) and data exfiltration via injected or compromised scripts. | High (if missing)
Strict-Transport-Security    | HTTPS downgrade / SSL-stripping man-in-the-middle attacks.                            | High (if missing)
X-Frame-Options              | Clickjacking via hidden <iframe> overlays.                                            | Medium (if missing)
X-Content-Type-Options       | MIME-sniffing that can execute a file as script.                                      | Medium (if missing)
Referrer-Policy              | Leaking full URLs (with tokens/IDs) to third parties.                                 | Low (if missing)
Permissions-Policy           | Unwanted access to camera, microphone, geolocation, etc.                              | Low (if missing)
Cross-Origin-Opener-Policy   | Cross-origin side-channel (Spectre-class) and tab-napping attacks.                    | Low (if missing)
Cross-Origin-Resource-Policy | Cross-origin leaks of your resources.                                                 | Low (if missing)
Server / X-Powered-By        | Needless disclosure of your stack and versions.                                       | Low (if present)

HardenCheck also reads how a header is configured, not just whether it exists. A CSP that allows 'unsafe-inline', an HSTS with a short or zero max-age, or an X-Frame-Options with a non-standard value are all flagged even though the header is technically present.

Cookie flags

Every Set-Cookie line is checked for the three flags that keep a cookie from being stolen or abused:

  • Secure — the cookie is only ever sent over HTTPS, so it can't be sniffed on an unencrypted connection.
  • HttpOnly — the cookie is hidden from JavaScript, so a cross-site scripting bug can't read and exfiltrate your session.
  • SameSite — the cookie isn't sent on cross-site requests (use Lax or Strict), which blocks a large class of cross-site request forgery (CSRF).

HardenCheck only ever shows the cookie's name and its flags — never the cookie value. A cookie missing Secure or HttpOnly is treated as High, since those are the flags that protect a session token; a cookie missing both is wholly exposed (interceptable on plain HTTP and readable by script) and is flagged Critical. Missing only SameSite is Medium.

How the grade is calculated

Grading is deliberately simple and transparent. Every site starts at 100 points. Each issue subtracts points by severity:

  • Critical −25
  • High −16
  • Medium −9
  • Low −4

The remaining score maps to a letter: A (90+), B (80–89), C (65–79), D (45–64), F (below 45). The weights are heuristics chosen to reward the high-impact headers (CSP, HSTS) most — they're a useful relative signal, not an industry-standard score.

Critical is reserved for the worst combinations: both CSP and HSTS missing at once (the two strongest controls gone together), or a cookie that sets neither Secure nor HttpOnly. A grade-F card only reports "Critical protections are missing" when one of these is actually present.
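The cookie rules and the scoring described above, as an added JavaScript example that is not HardenCheck's own engine. Two points the page leaves open are assumed here: the CSP+HSTS Critical is added on top of the two individual High findings, and a cookie missing both Secure and HttpOnly gets one Critical instead of two Highs; the header-block parser is a deliberately simple one-header-per-line split, and the sample block is constructed.

```javascript
// Added example (not HardenCheck's own engine): this page's rules as a small grader.
// Assumed: the CSP+HSTS Critical is added on top of the two High findings, and a
// cookie missing both Secure and HttpOnly gets one Critical instead of two Highs.
const PENALTY = { Critical: 25, High: 16, Medium: 9, Low: 4 };
const HEADERS = [
  ['content-security-policy', 'High'], ['strict-transport-security', 'High'],
  ['x-frame-options', 'Medium'], ['x-content-type-options', 'Medium'],
  ['referrer-policy', 'Low'], ['permissions-policy', 'Low'],
  ['cross-origin-opener-policy', 'Low'], ['cross-origin-resource-policy', 'Low'],
];
const letterFor = (s) => (s >= 90 ? 'A' : s >= 80 ? 'B' : s >= 65 ? 'C' : s >= 45 ? 'D' : 'F');
// Parse a pasted "curl -I" style block into { lowercased-name: [values] }.
function parseHeaders(block) {
  const out = {};
  for (const line of block.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0 || /^HTTP\//.test(line)) continue; // skip the status line and junk
    const name = line.slice(0, i).trim().toLowerCase();
    (out[name] = out[name] || []).push(line.slice(i + 1).trim());
  }
  return out;
}
// Grade one Set-Cookie value; only the cookie name and attribute names are read.
function gradeCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const sec = flags.has('secure'), http = flags.has('httponly');
  const issues = [];
  if (!sec && !http) issues.push({ severity: 'Critical', msg: `cookie ${name}: neither Secure nor HttpOnly` });
  else if (!sec || !http) issues.push({ severity: 'High', msg: `cookie ${name}: missing ${sec ? 'HttpOnly' : 'Secure'}` });
  if (!flags.has('samesite')) issues.push({ severity: 'Medium', msg: `cookie ${name}: missing SameSite` });
  return issues;
}
// Full report: issue list, numeric score (floored at 0) and letter grade.
function grade(block) {
  const h = parseHeaders(block);
  const issues = HEADERS.filter(([n]) => !h[n]).map(([n, severity]) => ({ severity, msg: `${n} missing` }));
  if (!h['content-security-policy'] && !h['strict-transport-security']) {
    issues.push({ severity: 'Critical', msg: 'both CSP and HSTS missing' });
  }
  for (const n of ['server', 'x-powered-by']) if (h[n]) issues.push({ severity: 'Low', msg: `${n} discloses stack` });
  for (const c of h['set-cookie'] || []) issues.push(...gradeCookie(c));
  const score = Math.max(0, 100 - issues.reduce((s, i) => s + PENALTY[i.severity], 0));
  return { issues, score, letter: letterFor(score) };
}
// Constructed sample block (not a real site) with a few deliberate gaps.
const SAMPLE = ['HTTP/2 200', "content-security-policy: default-src 'self'", 'x-frame-options: DENY',
  'x-content-type-options: nosniff', 'referrer-policy: no-referrer', 'permissions-policy: camera=()',
  'set-cookie: session=abc123; Path=/; HttpOnly; SameSite=Lax', 'server: nginx/1.25'].join('\n');
console.log(grade(SAMPLE)); // HSTS 16 + COOP 4 + CORP 4 + Server 4 + cookie 16 = 44 off → 56, D
```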

URL mode and the CORS-proxy limitation

Browsers enforce the same-origin policy: a page on one domain generally cannot read the response headers of another domain. To check a URL anyway, HardenCheck routes the request through a public CORS proxy that fetches your site server-side and returns the headers it saw.

Important caveat: public proxies frequently strip, rewrite, or omit response headers. That means URL mode can under-report (show a header as missing when your server actually sends it) or simply fail to return anything gradeable. When HardenCheck detects that no security headers came back, it says so plainly instead of awarding a bogus failing grade.

The proxy is also a third party that can see the URL it fetches, it can be rate-limited or down, and it can't reach pages behind authentication or on a private network. For all of these reasons, paste mode is the recommended path for an accurate result.

Getting an accurate grade

Read your site's real headers and paste them in:

  1. Use curl. Run curl -I https://your-site.com in a terminal. The -I flag fetches just the response headers. Copy the whole block.
  2. Or use DevTools. Open your site, press F12, go to the Network tab, reload, click the top (document) request, and copy the Response Headers section.
  3. Paste and grade. Switch HardenCheck to paste mode, drop the block in, and you'll get a grade based on exactly what your server sends — with no proxy in the way.

This is a hardening check — not a security audit

Important: HardenCheck grades HTTP response headers and cookie flags only. It is not a security guarantee, certification, or audit. A clean A means your headers are well-configured; it does not mean your site is secure.

Headers are one important layer. A real audit also considers authentication, authorization, dependency vulnerabilities, input validation, business logic, server and network configuration, and your specific threat model — none of which a header grader can see. Use HardenCheck as a fast first pass before you ship, and pair it with the rest of the Copper Bay Labs ship-safety suite. This is a tool, not professional security advice.

On the roadmap

PulseGuard — continuous header monitoring. A one-shot grade is great before launch, but headers regress: a config change or a new deploy quietly drops your CSP. PulseGuard is the paid layer we're building on this engine — scheduled re-checks on a cadence, alerts the moment a protection regresses, and a shareable status page for your header posture.