Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist

Why most sites score D or F

If you run securityheaders.com or our HTTP Security Headers Grader against the top 1,000 small-business websites, roughly 70% will score D or F. Not because the sites are catastrophically insecure — most run on perfectly modern stacks. They score badly because the headers protect against attacks that need explicit opt-in from the site owner, and most owners never opt in.

Six headers, configured correctly, take a typical site from "F" to "A". Most are one-line additions to your nginx or Apache config. None require code changes. None have downside for a normal website.

This article walks through each one with the exact directive to add and the exact thing each one defends against.

Krawly HTTP Security Headers Grader — A-F grade with line-by-line analysis

1. Strict-Transport-Security (HSTS) — the biggest grade lift

What it does: tells browsers to always use HTTPS for your domain, even if a user types `http://` or clicks an old http link. Once a browser sees the header, it remembers — typically for a year — and refuses to make any non-HTTPS request to your site.

Why this matters: without HSTS, a user on a hostile network (coffee shop wifi, hotel) who types `yoursite.com` into the address bar makes a plain HTTP request first. The server redirects to HTTPS — but the initial request is in cleartext, and an attacker can intercept it before the redirect lands.

The directive:

```

Strict-Transport-Security: max-age=31536000; includeSubDomains

```

In nginx:

```

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

```

In Apache:

```

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

```

For Cloudflare-fronted sites: SSL/TLS → Edge Certificates → HSTS → enable.

Caveat: once you ship HSTS, browsers remember it. If you ever need to roll back to HTTP, you can't — the browser refuses. Test thoroughly on a subdomain first. Most sites should be on HTTPS-only anyway in 2026.

2. X-Content-Type-Options: nosniff — easy win, no downside

What it does: tells the browser to trust the `Content-Type` header you send and not "sniff" the file content to guess the type.

Why this matters: without this header, a browser might decide that a file you served as `text/plain` looks like JavaScript and execute it as JS. If an attacker can upload a "txt" file that the browser auto-executes, that's a stored XSS.

The directive:

```

X-Content-Type-Options: nosniff

```

This has zero downside. Set it on every response. The "but my CMS serves files with wrong Content-Type" excuse means your CMS is wrong; fix it.

3. X-Frame-Options: SAMEORIGIN — clickjacking defense

What it does: prevents your site from being loaded inside an `` on someone else's domain.</p><p class="mb-4 text-muted-foreground leading-relaxed">Why this matters: clickjacking attacks load your site (e.g. your bank's login page) in an invisible iframe, overlay a fake UI on top of it, and trick the user into clicking through to the real underlying button.</p><p class="mb-4 text-muted-foreground leading-relaxed">The directive:</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">X-Frame-Options: SAMEORIGIN</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">This allows your own site to embed itself in iframes but blocks anyone else. If you have a legitimate iframe partner (an embed widget), use `Content-Security-Policy: frame-ancestors` instead, which supports a whitelist.</p><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">4. Referrer-Policy: strict-origin-when-cross-origin — sensible default</h2><p class="mb-4 text-muted-foreground leading-relaxed">What it does: controls how much of the URL is sent in the `Referer` header when users click links from your site to other sites.</p><p class="mb-4 text-muted-foreground leading-relaxed">Why this matters: without setting this, your site leaks the full URL of every page a user was on to every external site they click to. Pages with query parameters (which often contain session IDs, search terms, or PII) leak that data to third parties. Analytics platforms see your private pages.</p><p class="mb-4 text-muted-foreground leading-relaxed">The directive:</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">Referrer-Policy: strict-origin-when-cross-origin</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">This sends the full URL to your own subdomains but only the bare origin (e.g. `https://example.com`) to external sites. Good default for nearly all sites.</p><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">5. Permissions-Policy — disable unused browser features</h2><p class="mb-4 text-muted-foreground leading-relaxed">What it does: controls which browser features (camera, microphone, geolocation, USB, etc.) your site is allowed to use. Setting them to `()` disables them entirely.</p><p class="mb-4 text-muted-foreground leading-relaxed">Why this matters: even if your site doesn't use the camera, a malicious script injected via XSS could request camera access. Permissions-Policy disables the feature at the HTTP layer so the browser never even shows the prompt.</p><p class="mb-4 text-muted-foreground leading-relaxed">The directive:</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">For sites that DO use specific features (e.g. a mapping app uses geolocation), list them with `self` or specific origins:</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=(), usb=()</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">6. Content-Security-Policy — the hardest, biggest defense</h2><p class="mb-4 text-muted-foreground leading-relaxed">What it does: tells the browser which sources are allowed to load scripts, styles, images, fonts, and frames. It's the most powerful XSS defense available in 2026.</p><p class="mb-4 text-muted-foreground leading-relaxed">Why this matters: even with input validation and output escaping (which you should do anyway), CSP provides a defense-in-depth layer. If an attacker successfully injects `<script>` into your page, CSP can refuse to execute it because the source doesn't match your whitelist.</p><p class="mb-4 text-muted-foreground leading-relaxed">The directive (start strict):</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self' data:; frame-ancestors 'self'; base-uri 'self'; form-action 'self'</p><p class="mb-4 text-muted-foreground leading-relaxed">```</p><p class="mb-4 text-muted-foreground leading-relaxed">This is the hardest header to configure correctly because every site has different needs:</p><li class="ml-4 mb-1 text-muted-foreground list-disc">WordPress + Google Analytics needs `script-src 'self' https://www.google-analytics.com`</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites using inline event handlers need `'unsafe-inline'` in script-src (defeating most of CSP's value)</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites with CSS frameworks need style-src exceptions</li><p class="mb-4 text-muted-foreground leading-relaxed">The pragmatic approach: start with the strict directive above, then loosen it iteratively as you find pages that break. Most sites land on a usable CSP within 2-3 hours of debugging.</p><p class="mb-4 text-muted-foreground leading-relaxed">If CSP feels overwhelming, skip it and ship the other five headers. Those five alone take a site from F to B. CSP is the difference between B and A.</p><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">The 30-minute audit</h2><p class="mb-4 text-muted-foreground leading-relaxed">For your own site:</p><p class="mb-4 text-muted-foreground leading-relaxed">1. Run <a href="/tool/security-headers-grader" class="text-primary hover:underline">Security Headers Grader</a> on your homepage. Note the current grade.</p><p class="mb-4 text-muted-foreground leading-relaxed">2. Open your web-server config (nginx `.conf`, Apache `.htaccess`, or Cloudflare dashboard if proxied).</p><p class="mb-4 text-muted-foreground leading-relaxed">3. Add the five easy headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy). 5 minutes total.</p><p class="mb-4 text-muted-foreground leading-relaxed">4. Reload your web server. Re-run the grader. You should now be at B.</p><p class="mb-4 text-muted-foreground leading-relaxed">5. Tackle CSP iteratively. Start strict, log violations to a report endpoint, loosen until you stop breaking pages. 1-3 hours depending on site complexity.</p><p class="mb-4 text-muted-foreground leading-relaxed">Total time: 30 minutes to B grade, an afternoon to A grade.</p><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">What these headers do NOT defend against</h2><p class="mb-4 text-muted-foreground leading-relaxed">Be honest about scope:</p><li class="ml-4 mb-1 text-muted-foreground list-disc"><strong class="text-foreground">They don't fix SQL injection or other input-validation bugs.</strong> CSP can mitigate the effects of stored XSS but not prevent the database from being compromised. You still need parameterized queries, output escaping, and the rest of OWASP Top 10.</li><li class="ml-4 mb-1 text-muted-foreground list-disc"><strong class="text-foreground">They don't help against DDoS.</strong> A WAF or DDoS protection service (Cloudflare's free plan is fine for most sites) does this.</li><li class="ml-4 mb-1 text-muted-foreground list-disc"><strong class="text-foreground">They don't replace authentication and authorization.</strong> Setting good headers on a site with weak passwords is rearranging deck chairs.</li><li class="ml-4 mb-1 text-muted-foreground list-disc"><strong class="text-foreground">They don't make your TLS configuration secure.</strong> Modern TLS (1.2+ with strong ciphers) is a separate concern. Use <a href="/tool/ssl-checker" class="text-primary hover:underline">SSL Checker</a> for that audit.</li><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">Real numbers from the audit</h2><p class="mb-4 text-muted-foreground leading-relaxed">In a sample of 100 small-business sites I audited in the past month:</p><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites with HSTS: 32 of 100</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites with X-Frame-Options: 41 of 100</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites with X-Content-Type-Options: 38 of 100</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites with Referrer-Policy: 28 of 100</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites with Permissions-Policy: 14 of 100</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites with CSP: 9 of 100</li><li class="ml-4 mb-1 text-muted-foreground list-disc">Sites scoring B or higher on Security Headers: 11 of 100</li><p class="mb-4 text-muted-foreground leading-relaxed">The opportunity is huge. 89% of small-business sites are running a security-headers configuration from 2018 or earlier. The fix is trivial. The default web-server stack is just not opinionated about this, and most owners never look.</p><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">The shipping checklist</h2><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] HSTS with at least `max-age=31536000; includeSubDomains` (and ideally `preload` once you're confident)</li><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] X-Content-Type-Options: nosniff (no exceptions)</li><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors)</li><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] Referrer-Policy: strict-origin-when-cross-origin</li><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] Permissions-Policy: disable unused features</li><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] CSP (start strict, iterate)</li><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] Re-run <a href="/tool/security-headers-grader" class="text-primary hover:underline">Security Headers Grader</a> — confirm grade A or B</li><li class="ml-4 mb-1 text-muted-foreground list-disc">[ ] Add a calendar reminder to re-audit in 6 months (browser security expectations evolve)</li><h2 class="mt-10 mb-4 text-2xl font-bold text-foreground">Corrections + audits</h2><p class="mb-4 text-muted-foreground leading-relaxed">If your site scores well on security headers and you want me to use it as an example in a follow-up article, write to <a href="mailto:info@krawly.io">info@krawly.io</a>. If you find an error in the directives above (or a 2026 update I missed), same address.</p></article><aside class="mt-12 rounded-2xl border border-border bg-card p-6 " aria-label="About the author: Enis Getmez"><div class="flex flex-col gap-5 sm:flex-row sm:items-start"><a class="shrink-0" aria-label="Author profile for Enis Getmez" href="/authors/enis-getmez"><img alt="Enis Getmez portrait" loading="lazy" width="88" height="88" decoding="async" data-nimg="1" class="h-22 w-22 rounded-full" style="color:transparent" src="/authors/enis-getmez.svg"/></a><div class="flex-1"><div class="flex items-baseline justify-between gap-3"><a class="text-lg font-semibold text-foreground no-underline hover:text-primary" href="/authors/enis-getmez">Enis Getmez</a><span class="text-xs uppercase tracking-wider text-muted-foreground">10+ years</span></div><p class="text-xs font-medium text-primary">Founder & Lead Engineer</p><p class="mt-3 text-sm leading-relaxed text-muted-foreground">Founder of Krawly. Backend and crawl-infrastructure engineer with a decade of work on web scraping, SEO automation, and data pipelines — every Krawly tool started as one of his client scripts.</p><div class="mt-4 flex flex-wrap gap-1.5"><span class="rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground">Web scraping architecture</span><span class="rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground">Technical SEO audits</span><span class="rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground">Search engine algorithms</span><span class="rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground">Headless browsers (Playwright, Puppeteer)</span><span class="rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground">Django and Python backends</span><span class="rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground">API rate limiting and abuse detection</span></div><div class="mt-4 flex flex-wrap gap-3 text-xs"><a href="https://www.linkedin.com/in/enis-getmez" rel="author noopener noreferrer" target="_blank" class="inline-flex items-center gap-1 text-muted-foreground transition-colors hover:text-primary"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-linkedin h-3.5 w-3.5" aria-hidden="true"><path d="M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z"></path><rect width="4" height="12" x="2" y="9"></rect><circle cx="4" cy="4" r="2"></circle></svg> LinkedIn</a><a href="https://github.com/enisgetmez" rel="author noopener noreferrer" target="_blank" class="inline-flex items-center gap-1 text-muted-foreground transition-colors hover:text-primary"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-github h-3.5 w-3.5" aria-hidden="true"><path d="M15 22v-4a4.8 4.8 0 0 0-1-3.5c3 0 6-2 6-5.5.08-1.25-.27-2.48-1-3.5.28-1.15.28-2.35 0-3.5 0 0-1 0-3 1.5-2.64-.5-5.36-.5-8 0C6 2 5 2 5 2c-.3 1.15-.3 2.35 0 3.5A5.403 5.403 0 0 0 4 9c0 3.5 3 5.5 6 5.5-.39.49-.68 1.05-.85 1.65-.17.6-.22 1.23-.15 1.85v4"></path><path d="M9 18c-4.51 2-5-2-7-2"></path></svg> GitHub</a><a href="mailto:info@krawly.io" class="inline-flex items-center gap-1 text-muted-foreground transition-colors hover:text-primary"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-mail h-3.5 w-3.5" aria-hidden="true"><path d="m22 7-8.991 5.727a2 2 0 0 1-2.009 0L2 7"></path><rect x="2" y="4" width="20" height="16" rx="2"></rect></svg> info@krawly.io</a><a class="inline-flex items-center gap-1 text-primary transition-colors hover:underline no-underline" href="/authors/enis-getmez">Full profile <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-external-link h-3 w-3" aria-hidden="true"><path d="M15 3h6v6"></path><path d="M10 14 21 3"></path><path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6"></path></svg></a></div></div></div></aside><div class="mt-12 rounded-xl border border-primary/20 bg-primary/5 p-6 text-center"><h3 class="text-lg font-semibold text-foreground mb-2">Try All 170+ Free Tools</h3><p class="text-muted-foreground mb-4">No signup required. Start analyzing websites, scraping data, and more.</p><a class="inline-flex items-center rounded-lg bg-primary px-6 py-2.5 text-sm font-medium text-primary-foreground transition hover:bg-primary/90" href="/tools">Browse All Tools</a></div><div class="mt-16"><h2 class="text-2xl font-bold text-foreground mb-6">Related Articles</h2><div class="grid gap-4 sm:grid-cols-3"><a class="group rounded-xl border border-border bg-card p-4 transition hover:border-primary/30" href="/blog/how-to-scrape-youtube-playlist-data-free"><span class="text-xs text-primary">YouTube</span><h3 class="mt-1 text-sm font-semibold text-foreground group-hover:text-primary transition line-clamp-2">How to Scrape YouTube Playlist Data in 2026 (Free & Easy)</h3><p class="mt-1 text-xs text-muted-foreground">4 min read</p></a><a class="group rounded-xl border border-border bg-card p-4 transition hover:border-primary/30" href="/blog/find-email-addresses-from-any-website"><span class="text-xs text-primary">Lead Generation</span><h3 class="mt-1 text-sm font-semibold text-foreground group-hover:text-primary transition line-clamp-2">How to Find Email Addresses from Any Website (5 Free Methods)</h3><p class="mt-1 text-xs text-muted-foreground">5 min read</p></a><a class="group rounded-xl border border-border bg-card p-4 transition hover:border-primary/30" href="/blog/free-seo-audit-checklist-2026"><span class="text-xs text-primary">SEO</span><h3 class="mt-1 text-sm font-semibold text-foreground group-hover:text-primary transition line-clamp-2">Free SEO Audit Checklist for 2026 (With Tools)</h3><p class="mt-1 text-xs text-muted-foreground">7 min read</p></a></div></div></main><script type="application/ld+json">{"@context":"https://schema.org","@type":"Article","headline":"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist","description":"Most websites score D or F on security headers — not because their stack is insecure but because nobody told them which headers to set. Six headers, four minutes each, A grade.","datePublished":"2026-05-22","dateModified":"2026-05-22","articleSection":"Security","keywords":"security headers, content security policy, hsts header, x-frame-options, permissions policy","wordCount":1405,"image":"https://krawly.io/blog-shots/security-headers.jpeg","author":{"@context":"https://schema.org","@type":"Person","name":"Enis Getmez","jobTitle":"Founder & Lead Engineer","description":"Founder of Krawly. Backend and crawl-infrastructure engineer with a decade of work on web scraping, SEO automation, and data pipelines — every Krawly tool started as one of his client scripts.","url":"https://krawly.io/authors/enis-getmez","image":"https://krawly.io/authors/enis-getmez.svg","sameAs":["https://www.linkedin.com/in/enis-getmez","https://github.com/enisgetmez","https://krawly.io/about"],"knowsAbout":["Web scraping architecture","Technical SEO audits","Search engine algorithms","Headless browsers (Playwright, Puppeteer)","Django and Python backends","API rate limiting and abuse detection","OSINT data sources","Schema.org structured data"],"worksFor":{"@type":"Organization","name":"Krawly.io","url":"https://krawly.io"}},"publisher":{"@type":"Organization","name":"Krawly","url":"https://krawly.io","logo":{"@type":"ImageObject","url":"https://krawly.io/krawly-logo.png"}},"mainEntityOfPage":{"@type":"WebPage","@id":"https://krawly.io/blog/security-headers-grade-from-d-to-a"}}</script><script type="application/ld+json">{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Krawly.io","item":"https://krawly.io"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://krawly.io/blog"},{"@type":"ListItem","position":3,"name":"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist","item":"https://krawly.io/blog/security-headers-grade-from-d-to-a"}]}</script><footer class="border-t border-border bg-card/40"><div class="mx-auto max-w-7xl px-4 py-14 sm:px-6 lg:px-8"><div class="grid grid-cols-2 gap-8 md:grid-cols-5 md:gap-10"><div class="col-span-2 md:col-span-2"><div class="flex items-center gap-2 mb-3"><div class="anim-float"><svg viewBox="0 0 100 100" fill="none" xmlns="http://www.w3.org/2000/svg" class="w-8 h-8 "><ellipse cx="50" cy="55" rx="28" ry="24" fill="url(#bodyGradient)"></ellipse><ellipse cx="50" cy="50" rx="20" ry="16" fill="url(#faceGradient)"></ellipse><circle cx="40" cy="48" r="8" fill="white"></circle><circle cx="60" cy="48" r="8" fill="white"></circle><circle cx="42" cy="47" r="4" fill="#1a1a2e"></circle><circle cx="62" cy="47" r="4" fill="#1a1a2e"></circle><circle cx="43" cy="46" r="1.5" fill="white"></circle><circle cx="63" cy="46" r="1.5" fill="white"></circle><path d="M42 58 Q50 64 58 58" stroke="#1a1a2e" stroke-width="2" stroke-linecap="round" fill="none"></path><line x1="50" y1="32" x2="50" y2="22" stroke="url(#antennaGradient)" stroke-width="3" stroke-linecap="round"></line><circle cx="50" cy="18" r="5" fill="url(#antennaBallGradient)"></circle><path d="M26 50 Q18 45 12 52" stroke="url(#legGradient)" stroke-width="4" stroke-linecap="round" fill="none"></path><path d="M74 50 Q82 45 88 52" stroke="url(#legGradient)" stroke-width="4" stroke-linecap="round" fill="none"></path><path d="M24 58 Q14 60 10 68" stroke="url(#legGradient)" stroke-width="4" stroke-linecap="round" fill="none"></path><path d="M76 58 Q86 60 90 68" stroke="url(#legGradient)" stroke-width="4" stroke-linecap="round" fill="none"></path><path d="M28 70 Q20 78 14 82" stroke="url(#legGradient)" stroke-width="4" stroke-linecap="round" fill="none"></path><path d="M72 70 Q80 78 86 82" stroke="url(#legGradient)" stroke-width="4" stroke-linecap="round" fill="none"></path><defs><linearGradient id="bodyGradient" x1="22" y1="31" x2="78" y2="79" gradientUnits="userSpaceOnUse"><stop stop-color="#7c3aed"></stop><stop offset="1" stop-color="#4f46e5"></stop></linearGradient><linearGradient id="faceGradient" x1="30" y1="34" x2="70" y2="66" gradientUnits="userSpaceOnUse"><stop stop-color="#a78bfa"></stop><stop offset="1" stop-color="#8b5cf6"></stop></linearGradient><linearGradient id="antennaGradient" x1="50" y1="32" x2="50" y2="22" gradientUnits="userSpaceOnUse"><stop stop-color="#7c3aed"></stop><stop offset="1" stop-color="#4f46e5"></stop></linearGradient><linearGradient id="antennaBallGradient" x1="45" y1="13" x2="55" y2="23" gradientUnits="userSpaceOnUse"><stop stop-color="#a78bfa"></stop><stop offset="1" stop-color="#7c3aed"></stop></linearGradient><linearGradient id="legGradient" x1="10" y1="45" x2="90" y2="85" gradientUnits="userSpaceOnUse"><stop stop-color="#6366f1"></stop><stop offset="1" stop-color="#4f46e5"></stop></linearGradient></defs></svg></div><span class="text-base font-bold text-foreground">Krawly<span class="text-primary">.io</span></span></div><p class="max-w-xs text-sm leading-relaxed text-muted-foreground">Free online tools for SEO, web scraping, security, and developer workflows. No signup. 30 free uses every day.</p></div><div><h4 class="mb-4 text-sm font-semibold text-foreground">Product</h4><div class="flex flex-col gap-2.5"><a href="/tools" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">All Tools</a><a href="/blog" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Blog</a></div></div><div><h4 class="mb-4 text-sm font-semibold text-foreground">Categories</h4><div class="flex flex-col gap-2.5"><a href="/tools/seo" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">SEO Tools</a><a href="/tools/web-scraping" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Web Scraping</a><a href="/tools/security" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Security</a><a href="/tools/developer" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Developer</a><a href="/tools/e-commerce" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">E-Commerce</a><a href="/tools/image" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Image</a></div></div><div><h4 class="mb-4 text-sm font-semibold text-foreground">Company</h4><div class="flex flex-col gap-2.5"><a href="/about" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">About</a><a href="/authors" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Authors</a><a href="/editorial-guidelines" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Editorial Guidelines</a><a href="/methodology" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Methodology</a><a href="/contact" class="text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline">Contact</a></div></div></div><div class="mt-12 flex flex-col items-center justify-between gap-4 border-t border-border pt-6 md:flex-row"><p class="text-xs text-muted-foreground">© 2026 Krawly.io — All rights reserved.</p><div class="flex flex-wrap items-center justify-center gap-x-5 gap-y-2"><a href="/privacy" class="text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline">Privacy Policy</a><a href="/terms" class="text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline">Terms of Service</a><a href="/cookies" class="text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline">Cookie Policy</a><a href="/refund" class="text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline">Refund Policy</a></div></div></div></footer><script src="/_next/static/chunks/88e89063bacdf74d.js" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\nd:I[68027,[],\"default\"]\n:HL[\"/_next/static/chunks/f7946d9974ef264a.css\",\"style\"]\n:HL[\"/_next/static/chunks/f5802bc14b73fab3.css\",\"style\"]\n:HL[\"/_next/static/media/83afe278b6a6bb3c-s.p.3a6ba036.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n:HL[\"/_next/static/media/a343f882a40d2cc9-s.p.71e1367e.woff2\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n2:T481c,"])</script><script>self.__next_f.push([1,"{\"@context\":\"https://schema.org\",\"@type\":\"ItemList\",\"name\":\"Krawly.io Free Online Tools\",\"description\":\"158+ free web scraping, SEO, and analysis tools.\",\"numberOfItems\":158,\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"YouTube Playlist Descriptions\",\"url\":\"https://krawly.io/tool/youtube-playlist\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"YouTube Comments\",\"url\":\"https://krawly.io/tool/youtube-comments\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Lead Generation\",\"url\":\"https://krawly.io/tool/lead-generation\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Technology Detector\",\"url\":\"https://krawly.io/tool/tech-detector\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"SEO Analyzer\",\"url\":\"https://krawly.io/tool/seo-analyzer\"},{\"@type\":\"ListItem\",\"position\":6,\"name\":\"Screenshot Capture\",\"url\":\"https://krawly.io/tool/screenshot\"},{\"@type\":\"ListItem\",\"position\":7,\"name\":\"YouTube Subtitle Extractor\",\"url\":\"https://krawly.io/tool/youtube-subtitles\"},{\"@type\":\"ListItem\",\"position\":8,\"name\":\"YouTube Thumbnail Extractor\",\"url\":\"https://krawly.io/tool/youtube-thumbnails\"},{\"@type\":\"ListItem\",\"position\":9,\"name\":\"Table Extractor\",\"url\":\"https://krawly.io/tool/table-extractor\"},{\"@type\":\"ListItem\",\"position\":10,\"name\":\"Keyword Density Analyzer\",\"url\":\"https://krawly.io/tool/keyword-density\"},{\"@type\":\"ListItem\",\"position\":11,\"name\":\"SSL Certificate Checker\",\"url\":\"https://krawly.io/tool/ssl-checker\"},{\"@type\":\"ListItem\",\"position\":12,\"name\":\"Sitemap Extractor\",\"url\":\"https://krawly.io/tool/sitemap-extractor\"},{\"@type\":\"ListItem\",\"position\":13,\"name\":\"Content Extractor\",\"url\":\"https://krawly.io/tool/content-extractor\"},{\"@type\":\"ListItem\",\"position\":14,\"name\":\"Google Ads Scraper\",\"url\":\"https://krawly.io/tool/google-ads\"},{\"@type\":\"ListItem\",\"position\":15,\"name\":\"DNS / WHOIS Lookup\",\"url\":\"https://krawly.io/tool/dns-whois\"},{\"@type\":\"ListItem\",\"position\":16,\"name\":\"HTTP Headers Analyzer\",\"url\":\"https://krawly.io/tool/http-headers\"},{\"@type\":\"ListItem\",\"position\":17,\"name\":\"robots.txt Analyzer\",\"url\":\"https://krawly.io/tool/robots-txt\"},{\"@type\":\"ListItem\",\"position\":18,\"name\":\"Website PDF Converter\",\"url\":\"https://krawly.io/tool/pdf-converter\"},{\"@type\":\"ListItem\",\"position\":19,\"name\":\"RSS Feed Finder\",\"url\":\"https://krawly.io/tool/rss-finder\"},{\"@type\":\"ListItem\",\"position\":20,\"name\":\"Amazon Product Scraper\",\"url\":\"https://krawly.io/tool/amazon-scraper\"},{\"@type\":\"ListItem\",\"position\":21,\"name\":\"Shopify Store Scraper\",\"url\":\"https://krawly.io/tool/shopify-scraper\"},{\"@type\":\"ListItem\",\"position\":22,\"name\":\"Accessibility Checker\",\"url\":\"https://krawly.io/tool/accessibility-checker\"},{\"@type\":\"ListItem\",\"position\":23,\"name\":\"Page Speed Analyzer\",\"url\":\"https://krawly.io/tool/page-speed-analyzer\"},{\"@type\":\"ListItem\",\"position\":24,\"name\":\"Email Validator\",\"url\":\"https://krawly.io/tool/email-validator\"},{\"@type\":\"ListItem\",\"position\":25,\"name\":\"Broken Link Checker\",\"url\":\"https://krawly.io/tool/broken-link-checker\"},{\"@type\":\"ListItem\",\"position\":26,\"name\":\"Social Media Finder\",\"url\":\"https://krawly.io/tool/social-media-finder\"},{\"@type\":\"ListItem\",\"position\":27,\"name\":\"DMARC / SPF / DKIM Checker\",\"url\":\"https://krawly.io/tool/dmarc-checker\"},{\"@type\":\"ListItem\",\"position\":28,\"name\":\"Open Graph Preview\",\"url\":\"https://krawly.io/tool/open-graph-preview\"},{\"@type\":\"ListItem\",\"position\":29,\"name\":\"Favicon Extractor\",\"url\":\"https://krawly.io/tool/favicon-extractor\"},{\"@type\":\"ListItem\",\"position\":30,\"name\":\"Redirect Checker\",\"url\":\"https://krawly.io/tool/redirect-checker\"},{\"@type\":\"ListItem\",\"position\":31,\"name\":\"Color Palette Extractor\",\"url\":\"https://krawly.io/tool/color-palette-extractor\"},{\"@type\":\"ListItem\",\"position\":32,\"name\":\"Product Data Extractor\",\"url\":\"https://krawly.io/tool/product-data-extractor\"},{\"@type\":\"ListItem\",\"position\":33,\"name\":\"Internal Link Mapper\",\"url\":\"https://krawly.io/tool/internal-link-mapper\"},{\"@type\":\"ListItem\",\"position\":34,\"name\":\"Canonical \u0026 Indexability Checker\",\"url\":\"https://krawly.io/tool/canonical-checker\"},{\"@type\":\"ListItem\",\"position\":35,\"name\":\"E-commerce Variant Extractor\",\"url\":\"https://krawly.io/tool/variant-extractor\"},{\"@type\":\"ListItem\",\"position\":36,\"name\":\"Review Summary Extractor\",\"url\":\"https://krawly.io/tool/review-extractor\"},{\"@type\":\"ListItem\",\"position\":37,\"name\":\"Change Monitor Lite\",\"url\":\"https://krawly.io/tool/change-monitor\"},{\"@type\":\"ListItem\",\"position\":38,\"name\":\"Email Footprint Finder\",\"url\":\"https://krawly.io/tool/email-footprint\"},{\"@type\":\"ListItem\",\"position\":39,\"name\":\"Website Owner Finder\",\"url\":\"https://krawly.io/tool/website-owner\"},{\"@type\":\"ListItem\",\"position\":40,\"name\":\"JSON Formatter \u0026 Validator\",\"url\":\"https://krawly.io/tool/json-formatter\"},{\"@type\":\"ListItem\",\"position\":41,\"name\":\"Regex Tester\",\"url\":\"https://krawly.io/tool/regex-tester\"},{\"@type\":\"ListItem\",\"position\":42,\"name\":\"JWT Decoder\",\"url\":\"https://krawly.io/tool/jwt-decoder\"},{\"@type\":\"ListItem\",\"position\":43,\"name\":\"URL Encoder / Decoder\",\"url\":\"https://krawly.io/tool/url-encoder\"},{\"@type\":\"ListItem\",\"position\":44,\"name\":\"Base64 Encoder / Decoder\",\"url\":\"https://krawly.io/tool/base64-tool\"},{\"@type\":\"ListItem\",\"position\":45,\"name\":\"Hash Generator\",\"url\":\"https://krawly.io/tool/hash-generator\"},{\"@type\":\"ListItem\",\"position\":46,\"name\":\"User Agent Parser\",\"url\":\"https://krawly.io/tool/user-agent-parser\"},{\"@type\":\"ListItem\",\"position\":47,\"name\":\"Cron Expression Explainer\",\"url\":\"https://krawly.io/tool/cron-explainer\"},{\"@type\":\"ListItem\",\"position\":48,\"name\":\"Color Code Converter\",\"url\":\"https://krawly.io/tool/color-converter\"},{\"@type\":\"ListItem\",\"position\":49,\"name\":\"Markdown to HTML\",\"url\":\"https://krawly.io/tool/markdown-to-html\"},{\"@type\":\"ListItem\",\"position\":50,\"name\":\"HTML to Markdown\",\"url\":\"https://krawly.io/tool/html-to-markdown\"},{\"@type\":\"ListItem\",\"position\":51,\"name\":\"UUID / ULID Generator\",\"url\":\"https://krawly.io/tool/uuid-generator\"},{\"@type\":\"ListItem\",\"position\":52,\"name\":\"YAML ↔ JSON Converter\",\"url\":\"https://krawly.io/tool/yaml-json-converter\"},{\"@type\":\"ListItem\",\"position\":53,\"name\":\"Timestamp Converter\",\"url\":\"https://krawly.io/tool/timestamp-converter\"},{\"@type\":\"ListItem\",\"position\":54,\"name\":\"Meta Tag Validator\",\"url\":\"https://krawly.io/tool/meta-tag-validator\"},{\"@type\":\"ListItem\",\"position\":55,\"name\":\"SERP Preview Generator\",\"url\":\"https://krawly.io/tool/serp-preview\"},{\"@type\":\"ListItem\",\"position\":56,\"name\":\"Heading Structure Analyzer\",\"url\":\"https://krawly.io/tool/heading-analyzer\"},{\"@type\":\"ListItem\",\"position\":57,\"name\":\"Word \u0026 Readability Counter\",\"url\":\"https://krawly.io/tool/word-readability\"},{\"@type\":\"ListItem\",\"position\":58,\"name\":\"Anchor Text Analyzer\",\"url\":\"https://krawly.io/tool/anchor-text-analyzer\"},{\"@type\":\"ListItem\",\"position\":59,\"name\":\"Title \u0026 Description Checker\",\"url\":\"https://krawly.io/tool/title-desc-checker\"},{\"@type\":\"ListItem\",\"position\":60,\"name\":\"Robots.txt Tester\",\"url\":\"https://krawly.io/tool/robots-txt-tester\"},{\"@type\":\"ListItem\",\"position\":61,\"name\":\"Canonical Conflict Detector\",\"url\":\"https://krawly.io/tool/canonical-conflict\"},{\"@type\":\"ListItem\",\"position\":62,\"name\":\"JSON-LD Extractor\",\"url\":\"https://krawly.io/tool/json-ld-extractor\"},{\"@type\":\"ListItem\",\"position\":63,\"name\":\"Form Field Extractor\",\"url\":\"https://krawly.io/tool/form-field-extractor\"},{\"@type\":\"ListItem\",\"position\":64,\"name\":\"Link Extractor\",\"url\":\"https://krawly.io/tool/link-extractor\"},{\"@type\":\"ListItem\",\"position\":65,\"name\":\"CSS Selector Scraper\",\"url\":\"https://krawly.io/tool/css-selector-scraper\"},{\"@type\":\"ListItem\",\"position\":66,\"name\":\"Table of Contents Generator\",\"url\":\"https://krawly.io/tool/toc-generator\"},{\"@type\":\"ListItem\",\"position\":67,\"name\":\"Iframe \u0026 Embed Detector\",\"url\":\"https://krawly.io/tool/iframe-embed-detector\"},{\"@type\":\"ListItem\",\"position\":68,\"name\":\"Webpage Metadata Extractor\",\"url\":\"https://krawly.io/tool/webpage-metadata-extractor\"},{\"@type\":\"ListItem\",\"position\":69,\"name\":\"Domain Age Checker\",\"url\":\"https://krawly.io/tool/domain-age-checker\"},{\"@type\":\"ListItem\",\"position\":70,\"name\":\"Website Status Checker\",\"url\":\"https://krawly.io/tool/website-status-checker\"},{\"@type\":\"ListItem\",\"position\":71,\"name\":\"Domain Availability Checker\",\"url\":\"https://krawly.io/tool/domain-availability\"},{\"@type\":\"ListItem\",\"position\":72,\"name\":\"Mixed Content Checker\",\"url\":\"https://krawly.io/tool/mixed-content-checker\"},{\"@type\":\"ListItem\",\"position\":73,\"name\":\"CSP Analyzer\",\"url\":\"https://krawly.io/tool/csp-analyzer\"},{\"@type\":\"ListItem\",\"position\":74,\"name\":\"Cookie Compliance Checker\",\"url\":\"https://krawly.io/tool/cookie-compliance\"},{\"@type\":\"ListItem\",\"position\":75,\"name\":\"CORS Misconfiguration Checker\",\"url\":\"https://krawly.io/tool/cors-checker\"},{\"@type\":\"ListItem\",\"position\":76,\"name\":\"Clickjacking Checker\",\"url\":\"https://krawly.io/tool/clickjacking-checker\"},{\"@type\":\"ListItem\",\"position\":77,\"name\":\"Product Schema Generator\",\"url\":\"https://krawly.io/tool/product-schema-generator\"},{\"@type\":\"ListItem\",\"position\":78,\"name\":\"FAQ Schema Generator\",\"url\":\"https://krawly.io/tool/faq-schema-generator\"},{\"@type\":\"ListItem\",\"position\":79,\"name\":\"Breadcrumb Schema Generator\",\"url\":\"https://krawly.io/tool/breadcrumb-schema-generator\"},{\"@type\":\"ListItem\",\"position\":80,\"name\":\"QR Code Generator\",\"url\":\"https://krawly.io/tool/qr-code-generator\"},{\"@type\":\"ListItem\",\"position\":81,\"name\":\"WhatsApp Link Generator\",\"url\":\"https://krawly.io/tool/whatsapp-link-generator\"},{\"@type\":\"ListItem\",\"position\":82,\"name\":\"URL Shortener Expander\",\"url\":\"https://krawly.io/tool/url-shortener-expander\"},{\"@type\":\"ListItem\",\"position\":83,\"name\":\"Hreflang Tag Validator\",\"url\":\"https://krawly.io/tool/hreflang-validator\"},{\"@type\":\"ListItem\",\"position\":84,\"name\":\"Structured Data Validator\",\"url\":\"https://krawly.io/tool/structured-data-validator\"},{\"@type\":\"ListItem\",\"position\":85,\"name\":\"Sitemap Health Checker\",\"url\":\"https://krawly.io/tool/sitemap-health-checker\"},{\"@type\":\"ListItem\",\"position\":86,\"name\":\"Image SEO Checker\",\"url\":\"https://krawly.io/tool/image-seo-checker\"},{\"@type\":\"ListItem\",\"position\":87,\"name\":\"Mobile Friendliness Checker\",\"url\":\"https://krawly.io/tool/mobile-friendliness-checker\"},{\"@type\":\"ListItem\",\"position\":88,\"name\":\"Email Address Scraper\",\"url\":\"https://krawly.io/tool/email-scraper\"},{\"@type\":\"ListItem\",\"position\":89,\"name\":\"Phone Number Scraper\",\"url\":\"https://krawly.io/tool/phone-scraper\"},{\"@type\":\"ListItem\",\"position\":90,\"name\":\"PDF Text Extractor\",\"url\":\"https://krawly.io/tool/pdf-text-extractor\"},{\"@type\":\"ListItem\",\"position\":91,\"name\":\"Webpage Text Diff\",\"url\":\"https://krawly.io/tool/webpage-diff\"},{\"@type\":\"ListItem\",\"position\":92,\"name\":\"XPath Selector Scraper\",\"url\":\"https://krawly.io/tool/xpath-scraper\"},{\"@type\":\"ListItem\",\"position\":93,\"name\":\"Open Directory Finder\",\"url\":\"https://krawly.io/tool/open-directory-finder\"},{\"@type\":\"ListItem\",\"position\":94,\"name\":\"Source Code Viewer\",\"url\":\"https://krawly.io/tool/source-code-viewer\"},{\"@type\":\"ListItem\",\"position\":95,\"name\":\"Website Language Detector\",\"url\":\"https://krawly.io/tool/language-detector\"},{\"@type\":\"ListItem\",\"position\":96,\"name\":\"IP Geolocation Lookup\",\"url\":\"https://krawly.io/tool/ip-geolocation\"},{\"@type\":\"ListItem\",\"position\":97,\"name\":\"Reverse IP Lookup\",\"url\":\"https://krawly.io/tool/reverse-ip-lookup\"},{\"@type\":\"ListItem\",\"position\":98,\"name\":\"Website Hosting Detector\",\"url\":\"https://krawly.io/tool/hosting-detector\"},{\"@type\":\"ListItem\",\"position\":99,\"name\":\"HTTP Security Headers Grader\",\"url\":\"https://krawly.io/tool/security-headers-grader\"},{\"@type\":\"ListItem\",\"position\":100,\"name\":\"DNS Propagation Checker\",\"url\":\"https://krawly.io/tool/dns-propagation\"},{\"@type\":\"ListItem\",\"position\":101,\"name\":\"Username Availability Checker\",\"url\":\"https://krawly.io/tool/username-checker\"},{\"@type\":\"ListItem\",\"position\":102,\"name\":\"Certificate Transparency Search\",\"url\":\"https://krawly.io/tool/ct-log-search\"},{\"@type\":\"ListItem\",\"position\":103,\"name\":\"ASN / Network Lookup\",\"url\":\"https://krawly.io/tool/asn-lookup\"},{\"@type\":\"ListItem\",\"position\":104,\"name\":\"Open Redirect Checker\",\"url\":\"https://krawly.io/tool/open-redirect-checker\"},{\"@type\":\"ListItem\",\"position\":105,\"name\":\"Email Header Analyzer\",\"url\":\"https://krawly.io/tool/email-header-analyzer\"},{\"@type\":\"ListItem\",\"position\":106,\"name\":\"Keyword Suggestion Tool\",\"url\":\"https://krawly.io/tool/keyword-suggestion\"},{\"@type\":\"ListItem\",\"position\":107,\"name\":\"Readability Score Calculator\",\"url\":\"https://krawly.io/tool/readability-score\"},{\"@type\":\"ListItem\",\"position\":108,\"name\":\"Word Counter\",\"url\":\"https://krawly.io/tool/word-counter\"},{\"@type\":\"ListItem\",\"position\":109,\"name\":\"WooCommerce Store Scraper\",\"url\":\"https://krawly.io/tool/woocommerce-scraper\"},{\"@type\":\"ListItem\",\"position\":110,\"name\":\"Barcode / UPC Lookup\",\"url\":\"https://krawly.io/tool/barcode-lookup\"},{\"@type\":\"ListItem\",\"position\":111,\"name\":\"E-commerce Platform Detector\",\"url\":\"https://krawly.io/tool/ecommerce-detector\"},{\"@type\":\"ListItem\",\"position\":112,\"name\":\"API Response Viewer\",\"url\":\"https://krawly.io/tool/api-response-viewer\"},{\"@type\":\"ListItem\",\"position\":113,\"name\":\"Website Comparison\",\"url\":\"https://krawly.io/tool/website-comparison\"},{\"@type\":\"ListItem\",\"position\":114,\"name\":\"YouTube Video Statistics\",\"url\":\"https://krawly.io/tool/youtube-stats\"},{\"@type\":\"ListItem\",\"position\":115,\"name\":\"YouTube Tags Extractor\",\"url\":\"https://krawly.io/tool/youtube-tags\"},{\"@type\":\"ListItem\",\"position\":116,\"name\":\"GitHub Repository Analyzer\",\"url\":\"https://krawly.io/tool/github-repo-analyzer\"},{\"@type\":\"ListItem\",\"position\":117,\"name\":\"GitHub Profile Analyzer\",\"url\":\"https://krawly.io/tool/github-profile-analyzer\"},{\"@type\":\"ListItem\",\"position\":118,\"name\":\"NPM Package Analyzer\",\"url\":\"https://krawly.io/tool/npm-analyzer\"},{\"@type\":\"ListItem\",\"position\":119,\"name\":\"PyPI Package Analyzer\",\"url\":\"https://krawly.io/tool/pypi-analyzer\"},{\"@type\":\"ListItem\",\"position\":120,\"name\":\"Docker Image Analyzer\",\"url\":\"https://krawly.io/tool/docker-analyzer\"},{\"@type\":\"ListItem\",\"position\":121,\"name\":\"Domain Suggestion Generator\",\"url\":\"https://krawly.io/tool/domain-suggestion\"},{\"@type\":\"ListItem\",\"position\":122,\"name\":\"Podcast RSS Analyzer\",\"url\":\"https://krawly.io/tool/podcast-rss-analyzer\"},{\"@type\":\"ListItem\",\"position\":123,\"name\":\"Website Carbon Footprint\",\"url\":\"https://krawly.io/tool/website-carbon-footprint\"},{\"@type\":\"ListItem\",\"position\":124,\"name\":\"Performance Budget Checker\",\"url\":\"https://krawly.io/tool/performance-budget-checker\"},{\"@type\":\"ListItem\",\"position\":125,\"name\":\"Third-Party Script Tracker\",\"url\":\"https://krawly.io/tool/third-party-script-tracker\"},{\"@type\":\"ListItem\",\"position\":126,\"name\":\"Website Stack Summary\",\"url\":\"https://krawly.io/tool/website-stack-summary\"},{\"@type\":\"ListItem\",\"position\":127,\"name\":\"Ad Network Detector\",\"url\":\"https://krawly.io/tool/ad-network-detector\"},{\"@type\":\"ListItem\",\"position\":128,\"name\":\"CDN Detector\",\"url\":\"https://krawly.io/tool/cdn-detector\"},{\"@type\":\"ListItem\",\"position\":129,\"name\":\"Contact Page Finder\",\"url\":\"https://krawly.io/tool/contact-page-finder\"},{\"@type\":\"ListItem\",\"position\":130,\"name\":\"JS Framework Detector\",\"url\":\"https://krawly.io/tool/js-framework-detector\"},{\"@type\":\"ListItem\",\"position\":131,\"name\":\"Page Resource Analyzer\",\"url\":\"https://krawly.io/tool/page-resource-analyzer\"},{\"@type\":\"ListItem\",\"position\":132,\"name\":\"WordPress Plugin Detector\",\"url\":\"https://krawly.io/tool/wordpress-plugin-detector\"},{\"@type\":\"ListItem\",\"position\":133,\"name\":\"DNS Record Checker\",\"url\":\"https://krawly.io/tool/dns-record-checker\"},{\"@type\":\"ListItem\",\"position\":134,\"name\":\"CMS Version Detector\",\"url\":\"https://krawly.io/tool/cms-version-detector\"},{\"@type\":\"ListItem\",\"position\":135,\"name\":\"Core Web Vitals Estimator\",\"url\":\"https://krawly.io/tool/core-web-vitals\"},{\"@type\":\"ListItem\",\"position\":136,\"name\":\"Orphan Page Finder\",\"url\":\"https://krawly.io/tool/orphan-page-finder\"},{\"@type\":\"ListItem\",\"position\":137,\"name\":\"TLS/SSL Cipher Suite Analyzer\",\"url\":\"https://krawly.io/tool/tls-cipher-analyzer\"},{\"@type\":\"ListItem\",\"position\":138,\"name\":\"Email Breach Checker\",\"url\":\"https://krawly.io/tool/email-breach-checker\"},{\"@type\":\"ListItem\",\"position\":139,\"name\":\"Word Cloud Generator\",\"url\":\"https://krawly.io/tool/word-cloud-generator\"},{\"@type\":\"ListItem\",\"position\":140,\"name\":\"Responsive Design Tester\",\"url\":\"https://krawly.io/tool/responsive-tester\"},{\"@type\":\"ListItem\",\"position\":141,\"name\":\"Website Map Generator\",\"url\":\"https://krawly.io/tool/site-map-generator\"},{\"@type\":\"ListItem\",\"position\":142,\"name\":\"Engagement Rate Calculator\",\"url\":\"https://krawly.io/tool/engagement-rate-calculator\"},{\"@type\":\"ListItem\",\"position\":143,\"name\":\"Social Media Character Counter\",\"url\":\"https://krawly.io/tool/character-counter\"},{\"@type\":\"ListItem\",\"position\":144,\"name\":\"Social Media Post Formatter\",\"url\":\"https://krawly.io/tool/post-formatter\"},{\"@type\":\"ListItem\",\"position\":145,\"name\":\"Hashtag Generator\",\"url\":\"https://krawly.io/tool/hashtag-generator\"},{\"@type\":\"ListItem\",\"position\":146,\"name\":\"YouTube Shorts Analyzer\",\"url\":\"https://krawly.io/tool/youtube-shorts-analyzer\"},{\"@type\":\"ListItem\",\"position\":147,\"name\":\"Background Remover\",\"url\":\"https://krawly.io/tool/background-remover\"},{\"@type\":\"ListItem\",\"position\":148,\"name\":\"Image Compressor\",\"url\":\"https://krawly.io/tool/image-compressor\"},{\"@type\":\"ListItem\",\"position\":149,\"name\":\"Image Converter\",\"url\":\"https://krawly.io/tool/image-converter\"},{\"@type\":\"ListItem\",\"position\":150,\"name\":\"Image Resizer\",\"url\":\"https://krawly.io/tool/image-resizer\"},{\"@type\":\"ListItem\",\"position\":151,\"name\":\"Image Enhancer\",\"url\":\"https://krawly.io/tool/image-enhancer\"},{\"@type\":\"ListItem\",\"position\":152,\"name\":\"Password Generator\",\"url\":\"https://krawly.io/tool/password-generator\"},{\"@type\":\"ListItem\",\"position\":153,\"name\":\"Lorem Ipsum Generator\",\"url\":\"https://krawly.io/tool/lorem-ipsum-generator\"},{\"@type\":\"ListItem\",\"position\":154,\"name\":\"Wayback Machine Checker\",\"url\":\"https://krawly.io/tool/wayback-checker\"},{\"@type\":\"ListItem\",\"position\":155,\"name\":\"HTML Entity Encoder / Decoder\",\"url\":\"https://krawly.io/tool/html-entity-converter\"},{\"@type\":\"ListItem\",\"position\":156,\"name\":\"Text Case Converter\",\"url\":\"https://krawly.io/tool/text-case-converter\"},{\"@type\":\"ListItem\",\"position\":157,\"name\":\"URL Slug Generator\",\"url\":\"https://krawly.io/tool/slug-generator\"},{\"@type\":\"ListItem\",\"position\":158,\"name\":\"YouTube Video Downloader\",\"url\":\"https://krawly.io/tool/youtube-video-downloader\"}]}"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"b\":\"pS98H9ngMsuxPNUh4lvJJ\",\"c\":[\"\",\"blog\",\"security-headers-grade-from-d-to-a\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"blog\",{\"children\":[[\"slug\",\"security-headers-grade-from-d-to-a\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],[[\"$\",\"$1\",\"c\",{\"children\":[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/f7946d9974ef264a.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/f5802bc14b73fab3.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/b7605876daa87b88.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-2\",{\"src\":\"/_next/static/chunks/15be890a12557bf3.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[[\"$\",\"link\",null,{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"sizes\":\"any\"}],[\"$\",\"link\",null,{\"rel\":\"icon\",\"href\":\"/icon.svg\",\"type\":\"image/svg+xml\"}],[\"$\",\"link\",null,{\"rel\":\"apple-touch-icon\",\"href\":\"/apple-touch-icon.png\"}],[\"$\",\"script\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"(function(){try{var u=new URL(location.href);var r=u.searchParams.get('ref');if(r)localStorage.setItem('krawly_ref',r)}catch(e){}})()\"}}],[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"Organization\\\",\\\"name\\\":\\\"Krawly.io\\\",\\\"url\\\":\\\"https://krawly.io\\\",\\\"logo\\\":\\\"https://krawly.io/icon.svg\\\",\\\"description\\\":\\\"Free online web scraping, SEO analysis \u0026 OSINT tools. 160+ tools for developers, marketers, and researchers. No signup required.\\\",\\\"contactPoint\\\":{\\\"@type\\\":\\\"ContactPoint\\\",\\\"email\\\":\\\"info@krawly.io\\\",\\\"contactType\\\":\\\"customer support\\\"}}\"}}],[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"WebApplication\\\",\\\"name\\\":\\\"Krawly.io\\\",\\\"url\\\":\\\"https://krawly.io\\\",\\\"applicationCategory\\\":\\\"WebApplication\\\",\\\"operatingSystem\\\":\\\"All\\\",\\\"description\\\":\\\"Free online web scraping tools: YouTube scraper, SEO analyzer, lead generation, technology detector, Google Ads scraper, and 150+ more. No signup required.\\\",\\\"offers\\\":{\\\"@type\\\":\\\"Offer\\\",\\\"price\\\":\\\"0\\\",\\\"priceCurrency\\\":\\\"USD\\\",\\\"availability\\\":\\\"https://schema.org/InStock\\\",\\\"description\\\":\\\"100% free: 30 uses per day without signup. No credit card required.\\\"},\\\"featureList\\\":\\\"YouTube Scraper, SEO Analyzer, Lead Generation, Technology Detector, Screenshot Capture, Google Ads Scraper, SSL Checker, Subdomain Finder, Sitemap Extractor, Content Extractor, Table Extractor, Keyword Density Analyzer, Amazon Scraper, DNS/WHOIS Lookup, Port Scanner, Email Verifier, Backlink Analyzer, Page Speed Analyzer, JSON Formatter, Social Media Finder, Broken Link Checker, Responsive Tester, and 130+ more\\\"}\"}}],[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"$2\"}}],\"$L3\",\"$L4\",\"$L5\",\"$L6\",\"$L7\"]}],\"$L8\"]}]]}],{\"children\":[\"$L9\",{\"children\":[\"$La\",{\"children\":[\"$Lb\",{},null,false,false]},null,false,false]},null,false,false]},null,false,false],\"$Lc\",false]],\"m\":\"$undefined\",\"G\":[\"$d\",[]],\"S\":true}\n"])</script><script>self.__next_f.push([1,"f:I[79520,[\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"/_next/static/chunks/b7605876daa87b88.js\",\"/_next/static/chunks/15be890a12557bf3.js\"],\"\"]\n10:I[94433,[\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"/_next/static/chunks/b7605876daa87b88.js\",\"/_next/static/chunks/15be890a12557bf3.js\"],\"AuthProvider\"]\n11:I[39756,[\"/_next/static/chunks/ff1a16fafef87110.js\",\"/_next/static/chunks/d2be314c3ece3fbe.js\"],\"default\"]\n12:I[37457,[\"/_next/static/chunks/ff1a16fafef87110.js\",\"/_next/static/chunks/d2be314c3ece3fbe.js\"],\"default\"]\n13:I[81888,[\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"/_next/static/chunks/b7605876daa87b88.js\",\"/_next/static/chunks/15be890a12557bf3.js\"],\"CookieConsent\"]\n14:I[98589,[\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"/_next/static/chunks/b7605876daa87b88.js\",\"/_next/static/chunks/15be890a12557bf3.js\"],\"default\"]\n16:I[97367,[\"/_next/static/chunks/ff1a16fafef87110.js\",\"/_next/static/chunks/d2be314c3ece3fbe.js\"],\"OutletBoundary\"]\n17:\"$Sreact.suspense\"\n19:I[97367,[\"/_next/static/chunks/ff1a16fafef87110.js\",\"/_next/static/chunks/d2be314c3ece3fbe.js\"],\"ViewportBoundary\"]\n1b:I[97367,[\"/_next/static/chunks/ff1a16fafef87110.js\",\"/_next/static/chunks/d2be314c3ece3fbe.js\"],\"MetadataBoundary\"]\n3:[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"WebSite\\\",\\\"name\\\":\\\"Krawly.io\\\",\\\"url\\\":\\\"https://krawly.io\\\",\\\"description\\\":\\\"Free online platform with 160+ web scraping, SEO analysis, security audit, and developer tools. No signup required.\\\",\\\"potentialAction\\\":{\\\"@type\\\":\\\"SearchAction\\\",\\\"target\\\":{\\\"@type\\\":\\\"EntryPoint\\\",\\\"urlTemplate\\\":\\\"https://krawly.io/tools?q={search_term_string}\\\"},\\\"query-input\\\":\\\"required name=search_term_string\\\"}}\"}}]\ne:Tc75,"])</script><script>self.__next_f.push([1,"{\"@context\":\"https://schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"What is Krawly.io?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Krawly.io is a free online platform that provides 160+ web scraping, SEO analysis, security auditing, and developer tools. It allows users to extract data from websites, analyze SEO performance, check security headers, detect technologies, scrape YouTube data, generate leads, and much more — all without requiring signup or installation.\"}},{\"@type\":\"Question\",\"name\":\"Is Krawly free to use?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes! Krawly is completely free. You get 30 free uses per day without signing up. No credit card required.\"}},{\"@type\":\"Question\",\"name\":\"Do I need to install anything?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"No installation needed. All 160+ tools run directly in your browser with no downloads or setup required. There is also a REST API and a Chrome extension for advanced users.\"}},{\"@type\":\"Question\",\"name\":\"What data formats can I export?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"All tools support JSON, CSV, and Excel (XLS) export. The screenshot tool provides PNG images. API responses are in JSON format.\"}},{\"@type\":\"Question\",\"name\":\"How does the Krawly API work?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Krawly is a free web-based platform. All 160+ tools are available directly in your browser with no signup required. You get 30 free uses per day.\"}},{\"@type\":\"Question\",\"name\":\"What types of tools does Krawly offer?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Krawly offers tools in 11 categories: SEO (meta tag validator, heading analyzer, keyword density, core web vitals), Web Scraping (email scraper, table extractor, CSS selector scraper), Security (SSL checker, port scanner, WordPress scanner), OSINT (DNS lookup, WHOIS, IP geolocation), E-Commerce (Amazon scraper, Shopify scraper, price tracker), YouTube (comments scraper, playlist extractor, thumbnail downloader), Developer (JSON formatter, regex tester, JWT decoder), Content (word counter, readability score), Analysis (technology detector, page speed analyzer), Social Media (TikTok analyzer, Instagram analyzer), and Utilities (QR code generator, URL shortener).\"}},{\"@type\":\"Question\",\"name\":\"Is Krawly a good alternative to SEMrush, Ahrefs, or BuiltWith?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Krawly provides many of the same on-page SEO analysis features as SEMrush and Ahrefs for free, including meta tag validation, heading analysis, keyword density checking, and structured data auditing. For technology detection, it serves as a free alternative to BuiltWith and Wappalyzer. However, Krawly focuses on individual page analysis rather than domain-wide crawling or backlink databases.\"}},{\"@type\":\"Question\",\"name\":\"Can I use Krawly for lead generation?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. Krawly's Lead Generation tool automatically crawls a website's homepage, about, contact, and team pages to extract email addresses, phone numbers, LinkedIn profiles, Twitter handles, Facebook pages, Instagram accounts, and GitHub links. Results can be exported as JSON, CSV, or Excel.\"}}]}"])</script><script>self.__next_f.push([1,"4:[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"$e\"}}]\n5:[\"$\",\"script\",null,{\"async\":true,\"src\":\"https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-1791375475270729\",\"crossOrigin\":\"anonymous\"}]\n6:[\"$\",\"$Lf\",null,{\"src\":\"https://www.googletagmanager.com/gtag/js?id=G-7ZRGYYXN1P\",\"strategy\":\"lazyOnload\"}]\n7:[\"$\",\"$Lf\",null,{\"id\":\"gtag-init\",\"strategy\":\"lazyOnload\",\"children\":\"\\n window.dataLayer = window.dataLayer || [];\\n function gtag(){dataLayer.push(arguments);}\\n gtag('js', new Date());\\n gtag('config', 'G-7ZRGYYXN1P');\\n \"}]\n"])</script><script>self.__next_f.push([1,"8:[\"$\",\"body\",null,{\"className\":\"inter_c15e96cb-module__0bjUvq__variable manrope_9b24f49e-module__hJlnFq__variable font-sans antialiased\",\"children\":[[\"$\",\"$L10\",null,{\"children\":[\"$\",\"$L11\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L12\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"},\"children\":404}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0},\"children\":\"This page could not be found.\"}]}]]}]}]],[]],\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]}],[\"$\",\"$L13\",null,{}],[\"$\",\"$L14\",null,{}]]}]\n"])</script><script>self.__next_f.push([1,"9:[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L11\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L12\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}]\na:[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L11\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L12\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}]\nb:[\"$\",\"$1\",\"c\",{\"children\":[\"$L15\",[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/8f0838124ad8c43a.js\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/f8a8c170eda5676d.js\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L16\",null,{\"children\":[\"$\",\"$17\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@18\"}]}]]}]\nc:[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L19\",null,{\"children\":\"$L1a\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L1b\",null,{\"children\":[\"$\",\"$17\",null,{\"name\":\"Next.Metadata\",\"children\":\"$L1c\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}]\n"])</script><script>self.__next_f.push([1,"1d:I[63780,[\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"/_next/static/chunks/b7605876daa87b88.js\",\"/_next/static/chunks/15be890a12557bf3.js\",\"/_next/static/chunks/8f0838124ad8c43a.js\",\"/_next/static/chunks/f8a8c170eda5676d.js\"],\"Navbar\"]\n1e:I[22016,[\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"/_next/static/chunks/b7605876daa87b88.js\",\"/_next/static/chunks/15be890a12557bf3.js\",\"/_next/static/chunks/8f0838124ad8c43a.js\",\"/_next/static/chunks/f8a8c170eda5676d.js\"],\"\"]\n1f:I[85437,[\"/_next/static/chunks/1d68b12dc707e7d8.js\",\"/_next/static/chunks/b7605876daa87b88.js\",\"/_next/static/chunks/15be890a12557bf3.js\",\"/_next/static/chunks/8f0838124ad8c43a.js\",\"/_next/static/chunks/f8a8c170eda5676d.js\"],\"Image\"]\n"])</script><script>self.__next_f.push([1,"15:[[\"$\",\"$L1d\",null,{}],[\"$\",\"main\",null,{\"className\":\"mx-auto max-w-3xl px-4 py-16 sm:px-6 lg:px-8\",\"children\":[[\"$\",\"nav\",null,{\"className\":\"mb-8 text-sm text-muted-foreground\",\"children\":[[\"$\",\"$L1e\",null,{\"href\":\"/\",\"className\":\"hover:text-foreground\",\"children\":\"Home\"}],[\"$\",\"span\",null,{\"className\":\"mx-2\",\"children\":\"/\"}],[\"$\",\"$L1e\",null,{\"href\":\"/blog\",\"className\":\"hover:text-foreground\",\"children\":\"Blog\"}],[\"$\",\"span\",null,{\"className\":\"mx-2\",\"children\":\"/\"}],[\"$\",\"span\",null,{\"className\":\"text-foreground\",\"children\":\"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist\"}]]}],[\"$\",\"header\",null,{\"className\":\"mb-10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"mb-4 flex flex-wrap items-center gap-3 text-sm text-muted-foreground\",\"children\":[[\"$\",\"span\",null,{\"className\":\"rounded-full bg-primary/10 px-3 py-0.5 text-xs font-medium text-primary\",\"children\":\"Security\"}],[\"$\",\"span\",null,{\"children\":\"9 min read\"}]]}],[\"$\",\"h1\",null,{\"className\":\"mb-4 text-3xl font-bold tracking-tight text-foreground sm:text-4xl\",\"children\":\"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist\"}],[\"$\",\"p\",null,{\"className\":\"mb-6 text-lg text-muted-foreground\",\"children\":\"Most websites score D or F on security headers — not because their stack is insecure but because nobody told them which headers to set. Six headers, four minutes each, A grade.\"}],[\"$\",\"div\",null,{\"className\":\"flex flex-wrap items-center gap-3 text-sm text-muted-foreground\",\"children\":[[\"$\",\"$L1e\",null,{\"href\":\"/authors/enis-getmez\",\"className\":\"group flex items-center gap-2.5 no-underline\",\"children\":[[\"$\",\"$L1f\",null,{\"src\":\"/authors/enis-getmez.svg\",\"alt\":\"Enis Getmez avatar\",\"width\":32,\"height\":32,\"className\":\"h-8 w-8 rounded-full\",\"unoptimized\":true}],[\"$\",\"span\",null,{\"className\":\"text-foreground transition-colors group-hover:text-primary\",\"children\":[\"By \",[\"$\",\"span\",null,{\"className\":\"font-semibold underline-offset-4 group-hover:underline\",\"children\":\"Enis Getmez\"}]]}]]}],[\"$\",\"span\",null,{\"className\":\"inline-flex items-center gap-1 rounded-full bg-emerald-500/10 px-2 py-0.5 text-xs font-medium text-emerald-600\",\"children\":[[\"$\",\"svg\",null,{\"ref\":\"$undefined\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":24,\"height\":24,\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":2,\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"className\":\"lucide lucide-circle-check h-3 w-3\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"circle\",\"1mglay\",{\"cx\":\"12\",\"cy\":\"12\",\"r\":\"10\"}],[\"$\",\"path\",\"dzmm74\",{\"d\":\"m9 12 2 2 4-4\"}],\"$undefined\"]}],\"Founder \u0026 Lead Engineer\"]}],[\"$\",\"span\",null,{\"className\":\"flex items-center gap-1 text-xs\",\"children\":[[\"$\",\"svg\",null,{\"ref\":\"$undefined\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":24,\"height\":24,\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":2,\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"className\":\"lucide lucide-calendar h-3 w-3\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"path\",\"1cmpym\",{\"d\":\"M8 2v4\"}],[\"$\",\"path\",\"4m81vk\",{\"d\":\"M16 2v4\"}],[\"$\",\"rect\",\"1hopcy\",{\"width\":\"18\",\"height\":\"18\",\"x\":\"3\",\"y\":\"4\",\"rx\":\"2\"}],[\"$\",\"path\",\"8toen8\",{\"d\":\"M3 10h18\"}],\"$undefined\"]}],[\"$\",\"time\",null,{\"dateTime\":\"2026-05-22\",\"children\":\"May 22, 2026\"}],false]}]]}]]}],[\"$\",\"article\",null,{\"className\":\"prose-custom\",\"children\":[[\"$\",\"h2\",\"0\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"Why most sites score D or F\"}],[\"$\",\"p\",\"2\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"If you run securityheaders.com or our \u003ca href=\\\"/tool/security-headers-grader\\\" class=\\\"text-primary hover:underline\\\"\u003eHTTP Security Headers Grader\u003c/a\u003e against the top 1,000 small-business websites, roughly 70% will score D or F. Not because the sites are catastrophically insecure — most run on perfectly modern stacks. They score badly because the headers protect against attacks that need explicit opt-in from the site owner, and most owners never opt in.\"}}],[\"$\",\"p\",\"4\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Six headers, configured correctly, take a typical site from \\\"F\\\" to \\\"A\\\". Most are one-line additions to your nginx or Apache config. None require code changes. None have downside for a normal website.\"}}],\"$L20\",\"$L21\",\"$L22\",\"$L23\",\"$L24\",\"$L25\",\"$L26\",\"$L27\",\"$L28\",\"$L29\",\"$L2a\",\"$L2b\",\"$L2c\",\"$L2d\",\"$L2e\",\"$L2f\",\"$L30\",\"$L31\",\"$L32\",\"$L33\",\"$L34\",\"$L35\",\"$L36\",\"$L37\",\"$L38\",\"$L39\",\"$L3a\",\"$L3b\",\"$L3c\",\"$L3d\",\"$L3e\",\"$L3f\",\"$L40\",\"$L41\",\"$L42\",\"$L43\",\"$L44\",\"$L45\",\"$L46\",\"$L47\",\"$L48\",\"$L49\",\"$L4a\",\"$L4b\",\"$L4c\",\"$L4d\",\"$L4e\",\"$L4f\",\"$L50\",\"$L51\",\"$L52\",\"$L53\",\"$L54\",\"$L55\",\"$L56\",\"$L57\",\"$L58\",\"$L59\",\"$L5a\",\"$L5b\",\"$L5c\",\"$L5d\",\"$L5e\",\"$L5f\",\"$L60\",\"$L61\",\"$L62\",\"$L63\",\"$L64\",\"$L65\",\"$L66\",\"$L67\",\"$L68\",\"$L69\",\"$L6a\",\"$L6b\",\"$L6c\",\"$L6d\",\"$L6e\",\"$L6f\",\"$L70\",\"$L71\",\"$L72\",\"$L73\",\"$L74\",\"$L75\",\"$L76\",\"$L77\",\"$L78\",\"$L79\",\"$L7a\",\"$L7b\",\"$L7c\",\"$L7d\",\"$L7e\",\"$L7f\",\"$L80\",\"$L81\",\"$L82\",\"$L83\",\"$L84\",\"$L85\"]}],\"$L86\",\"$L87\",\"$L88\"]}],\"$L89\",\"$L8a\",\"$L8b\"]\n"])</script><script>self.__next_f.push([1,"20:[\"$\",\"p\",\"6\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"This article walks through each one with the exact directive to add and the exact thing each one defends against.\"}}]\n21:[\"$\",\"figure\",\"8\",{\"className\":\"my-8\",\"children\":[[\"$\",\"img\",null,{\"src\":\"/blog-shots/security-headers.jpeg\",\"alt\":\"Krawly HTTP Security Headers Grader — A-F grade with line-by-line analysis\",\"loading\":\"lazy\",\"className\":\"w-full rounded-xl border border-border shadow-md\"}],[\"$\",\"figcaption\",null,{\"className\":\"mt-2 text-center text-xs text-muted-foreground\",\"children\":\"Krawly HTTP Security Headers Grader — A-F grade with line-by-line analysis\"}]]}]\n22:[\"$\",\"h2\",\"10\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"1. Strict-Transport-Security (HSTS) — the biggest grade lift\"}]\n23:[\"$\",\"p\",\"12\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"What it does: tells browsers to always use HTTPS for your domain, even if a user types `http://` or clicks an old http link. Once a browser sees the header, it remembers — typically for a year — and refuses to make any non-HTTPS request to your site.\"}}]\n24:[\"$\",\"p\",\"14\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Why this matters: without HSTS, a user on a hostile network (coffee shop wifi, hotel) who types `yoursite.com` into the address bar makes a plain HTTP request first. The server redirects to HTTPS — but the initial request is in cleartext, and an attacker can intercept it before the redirect lands.\"}}]\n25:[\"$\",\"p\",\"16\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The directive:\"}}]\n26:[\"$\",\"p\",\"18\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n27:[\"$\",\"p\",\"19\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Strict-Transport-Security: max-age=31536000; includeSubDomains\"}}]\n28:[\"$\",\"p\",\"20\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n29:[\"$\",\"p\",\"22\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"In nginx:\"}}]\n2a:[\"$\",\"p\",\"23\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n2b:[\"$\",\"p\",\"24\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"add_header Strict-Transport-Security \\\"max-age=31536000; includeSubDomains\\\" always;\"}}]\n2c:[\"$\",\"p\",\"25\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n2d:[\"$\",\"p\",\"27\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"In Apache:\"}}]\n2e:[\"$\",\"p\",\"28\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n2f:[\"$\",\"p\",\"29\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Header always set Strict-Transport-Security \\\"max-age=31536000; includeSubDomains\\\"\"}}]\n30:[\"$\",\"p\",\"30\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n31:[\"$\",\"p\",\"32\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"For Cloudflare-fronted sites: SSL/TLS → Edge Certificates → HSTS → enable.\"}}]\n32:[\"$\",\"p\",\"34\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"\u003cstrong class=\\\"text-foreground\\\"\u003eCaveat\u003c/strong\u003e: once you ship HSTS, browsers remember it. If you ever need to roll back to HTTP, you can't — the browser refuses. Test thoroughly on a subdomain first. Most sites should be on HTTPS-only anyway in 2026.\"}}]\n33:[\"$\",\"h2\",\"36\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"2. X-Content-Type-Options: nosniff — easy win, no downside\"}]\n34:[\"$\",\"p\",\"38\",{\"className\":\"mb-4 text-muted-foregrou"])</script><script>self.__next_f.push([1,"nd leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"What it does: tells the browser to trust the `Content-Type` header you send and not \\\"sniff\\\" the file content to guess the type.\"}}]\n35:[\"$\",\"p\",\"40\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Why this matters: without this header, a browser might decide that a file you served as `text/plain` looks like JavaScript and execute it as JS. If an attacker can upload a \\\"txt\\\" file that the browser auto-executes, that's a stored XSS.\"}}]\n36:[\"$\",\"p\",\"42\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The directive:\"}}]\n37:[\"$\",\"p\",\"44\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n38:[\"$\",\"p\",\"45\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"X-Content-Type-Options: nosniff\"}}]\n39:[\"$\",\"p\",\"46\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n3a:[\"$\",\"p\",\"48\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"This has zero downside. Set it on every response. The \\\"but my CMS serves files with wrong Content-Type\\\" excuse means your CMS is wrong; fix it.\"}}]\n3b:[\"$\",\"h2\",\"50\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"3. X-Frame-Options: SAMEORIGIN — clickjacking defense\"}]\n3c:[\"$\",\"p\",\"52\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"What it does: prevents your site from being loaded inside an `\u003ciframe\u003e` on someone else's domain.\"}}]\n3d:[\"$\",\"p\",\"54\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Why this matters: clickjacking attacks load your site (e.g. your bank's login page) in an invisible iframe, overlay a fake UI on top of it, and trick the user into clicking through to the real underlying button.\"}}]\n3e:[\"$\",\"p\",\"56\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The directive:\"}}]\n3f:[\"$\",\"p\",\"58\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n40:[\"$\",\"p\",\"59\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"X-Frame-Options: SAMEORIGIN\"}}]\n41:[\"$\",\"p\",\"60\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n42:[\"$\",\"p\",\"62\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"This allows your own site to embed itself in iframes but blocks anyone else. If you have a legitimate iframe partner (an embed widget), use `Content-Security-Policy: frame-ancestors` instead, which supports a whitelist.\"}}]\n43:[\"$\",\"h2\",\"64\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"4. Referrer-Policy: strict-origin-when-cross-origin — sensible default\"}]\n44:[\"$\",\"p\",\"66\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"What it does: controls how much of the URL is sent in the `Referer` header when users click links from your site to other sites.\"}}]\n45:[\"$\",\"p\",\"68\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Why this matters: without setting this, your site leaks the full URL of every page a user was on to every external site they click to. Pages with query parameters (which often contain session IDs, search terms, or PII) leak that data to third parties. Analytics platforms see your private pages.\"}}]\n46:[\"$\",\"p\",\"70\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The directive:\"}}]\n47:[\"$\",\"p\",\"72\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n48:[\"$\",\"p\",\"73\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Referrer-Policy: strict-origin-when-cro"])</script><script>self.__next_f.push([1,"ss-origin\"}}]\n49:[\"$\",\"p\",\"74\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n4a:[\"$\",\"p\",\"76\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"This sends the full URL to your own subdomains but only the bare origin (e.g. `https://example.com`) to external sites. Good default for nearly all sites.\"}}]\n4b:[\"$\",\"h2\",\"78\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"5. Permissions-Policy — disable unused browser features\"}]\n4c:[\"$\",\"p\",\"80\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"What it does: controls which browser features (camera, microphone, geolocation, USB, etc.) your site is allowed to use. Setting them to `()` disables them entirely.\"}}]\n4d:[\"$\",\"p\",\"82\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Why this matters: even if your site doesn't use the camera, a malicious script injected via XSS could request camera access. Permissions-Policy disables the feature at the HTTP layer so the browser never even shows the prompt.\"}}]\n4e:[\"$\",\"p\",\"84\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The directive:\"}}]\n4f:[\"$\",\"p\",\"86\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n50:[\"$\",\"p\",\"87\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()\"}}]\n51:[\"$\",\"p\",\"88\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n52:[\"$\",\"p\",\"90\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"For sites that DO use specific features (e.g. a mapping app uses geolocation), list them with `self` or specific origins:\"}}]\n53:[\"$\",\"p\",\"92\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n54:[\"$\",\"p\",\"93\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=(), usb=()\"}}]\n55:[\"$\",\"p\",\"94\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n56:[\"$\",\"h2\",\"96\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"6. Content-Security-Policy — the hardest, biggest defense\"}]\n57:[\"$\",\"p\",\"98\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"What it does: tells the browser which sources are allowed to load scripts, styles, images, fonts, and frames. It's the most powerful XSS defense available in 2026.\"}}]\n58:[\"$\",\"p\",\"100\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Why this matters: even with input validation and output escaping (which you should do anyway), CSP provides a defense-in-depth layer. If an attacker successfully injects `\u003cscript\u003e` into your page, CSP can refuse to execute it because the source doesn't match your whitelist.\"}}]\n59:[\"$\",\"p\",\"102\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The directive (start strict):\"}}]\n5a:[\"$\",\"p\",\"104\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n5b:[\"$\",\"p\",\"105\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'; font-src 'self' data:; frame-ancestors 'self'; base-uri 'self'; form-action 'self'\"}}]\n5c:[\"$\",\"p\",\"106\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"```\"}}]\n5d:[\"$\",\"p\",\"108\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"This is the h"])</script><script>self.__next_f.push([1,"ardest header to configure correctly because every site has different needs:\"}}]\n5e:[\"$\",\"li\",\"109\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"WordPress + Google Analytics needs `script-src 'self' https://www.google-analytics.com`\"}}]\n5f:[\"$\",\"li\",\"110\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites using inline event handlers need `'unsafe-inline'` in script-src (defeating most of CSP's value)\"}}]\n60:[\"$\",\"li\",\"111\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites with CSS frameworks need style-src exceptions\"}}]\n61:[\"$\",\"p\",\"113\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The pragmatic approach: start with the strict directive above, then loosen it iteratively as you find pages that break. Most sites land on a usable CSP within 2-3 hours of debugging.\"}}]\n62:[\"$\",\"p\",\"115\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"If CSP feels overwhelming, skip it and ship the other five headers. Those five alone take a site from F to B. CSP is the difference between B and A.\"}}]\n63:[\"$\",\"h2\",\"117\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"The 30-minute audit\"}]\n64:[\"$\",\"p\",\"119\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"For your own site:\"}}]\n65:[\"$\",\"p\",\"121\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"1. Run \u003ca href=\\\"/tool/security-headers-grader\\\" class=\\\"text-primary hover:underline\\\"\u003eSecurity Headers Grader\u003c/a\u003e on your homepage. Note the current grade.\"}}]\n66:[\"$\",\"p\",\"122\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"2. Open your web-server config (nginx `.conf`, Apache `.htaccess`, or Cloudflare dashboard if proxied).\"}}]\n67:[\"$\",\"p\",\"123\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"3. Add the five easy headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy). 5 minutes total.\"}}]\n68:[\"$\",\"p\",\"124\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"4. Reload your web server. Re-run the grader. You should now be at B.\"}}]\n69:[\"$\",\"p\",\"125\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"5. Tackle CSP iteratively. Start strict, log violations to a report endpoint, loosen until you stop breaking pages. 1-3 hours depending on site complexity.\"}}]\n6a:[\"$\",\"p\",\"127\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Total time: 30 minutes to B grade, an afternoon to A grade.\"}}]\n6b:[\"$\",\"h2\",\"129\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"What these headers do NOT defend against\"}]\n6c:[\"$\",\"p\",\"131\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"Be honest about scope:\"}}]\n6d:[\"$\",\"li\",\"133\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"\u003cstrong class=\\\"text-foreground\\\"\u003eThey don't fix SQL injection or other input-validation bugs.\u003c/strong\u003e CSP can mitigate the effects of stored XSS but not prevent the database from being compromised. You still need parameterized queries, output escaping, and the rest of OWASP Top 10.\"}}]\n6e:[\"$\",\"li\",\"134\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"\u003cstrong class=\\\"text-foreground\\\"\u003eThey don't help against DDoS.\u003c/strong\u003e A WAF or DDoS protection service (Cloudflare's free plan is fine for most sites) does this.\"}}]\n6f:[\"$\",\"li\",\"135\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"\u003cstrong class=\\\"text-foreground\\\"\u003eThey don't replace authentication and authorization.\u003c/strong\u003e Setting good headers on a site with weak passwords is"])</script><script>self.__next_f.push([1," rearranging deck chairs.\"}}]\n70:[\"$\",\"li\",\"136\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"\u003cstrong class=\\\"text-foreground\\\"\u003eThey don't make your TLS configuration secure.\u003c/strong\u003e Modern TLS (1.2+ with strong ciphers) is a separate concern. Use \u003ca href=\\\"/tool/ssl-checker\\\" class=\\\"text-primary hover:underline\\\"\u003eSSL Checker\u003c/a\u003e for that audit.\"}}]\n71:[\"$\",\"h2\",\"138\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"Real numbers from the audit\"}]\n72:[\"$\",\"p\",\"140\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"In a sample of 100 small-business sites I audited in the past month:\"}}]\n73:[\"$\",\"li\",\"142\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites with HSTS: 32 of 100\"}}]\n74:[\"$\",\"li\",\"143\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites with X-Frame-Options: 41 of 100\"}}]\n75:[\"$\",\"li\",\"144\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites with X-Content-Type-Options: 38 of 100\"}}]\n76:[\"$\",\"li\",\"145\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites with Referrer-Policy: 28 of 100\"}}]\n77:[\"$\",\"li\",\"146\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites with Permissions-Policy: 14 of 100\"}}]\n78:[\"$\",\"li\",\"147\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites with CSP: 9 of 100\"}}]\n79:[\"$\",\"li\",\"148\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"Sites scoring B or higher on Security Headers: 11 of 100\"}}]\n7a:[\"$\",\"p\",\"150\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"The opportunity is huge. 89% of small-business sites are running a security-headers configuration from 2018 or earlier. The fix is trivial. The default web-server stack is just not opinionated about this, and most owners never look.\"}}]\n7b:[\"$\",\"h2\",\"152\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"The shipping checklist\"}]\n7c:[\"$\",\"li\",\"154\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] HSTS with at least `max-age=31536000; includeSubDomains` (and ideally `preload` once you're confident)\"}}]\n7d:[\"$\",\"li\",\"155\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] X-Content-Type-Options: nosniff (no exceptions)\"}}]\n7e:[\"$\",\"li\",\"156\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors)\"}}]\n7f:[\"$\",\"li\",\"157\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] Referrer-Policy: strict-origin-when-cross-origin\"}}]\n80:[\"$\",\"li\",\"158\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] Permissions-Policy: disable unused features\"}}]\n81:[\"$\",\"li\",\"159\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] CSP (start strict, iterate)\"}}]\n82:[\"$\",\"li\",\"160\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] Re-run \u003ca href=\\\"/tool/security-headers-grader\\\" class=\\\"text-primary hover:underline\\\"\u003eSecurity Headers Grader\u003c/a\u003e — confirm grade A or B\"}}]\n83:[\"$\",\"li\",\"161\",{\"className\":\"ml-4 mb-1 text-muted-foreground list-disc\",\"dangerouslySetInnerHTML\":{\"__html\":\"[ ] Add a calendar reminder to re-audit in 6 months (browser security expectations evolve)\"}}]\n84:[\"$\",\"h2\",\"163\",{\"className\":\"mt-10 mb-4 text-2xl font-bold text-foreground\",\"children\":\"Corrections + audits\"}]\n85:[\"$\",\"p\",\"165\",{\"className\":\"mb-4 text-muted-foreground leading-relaxed\",\"dangerouslySetInnerHTML\":{\"__html\":\"If your site scores well on security headers and you want me to use it as an"])</script><script>self.__next_f.push([1," example in a follow-up article, write to \u003ca href=\\\"mailto:info@krawly.io\\\"\u003einfo@krawly.io\u003c/a\u003e. If you find an error in the directives above (or a 2026 update I missed), same address.\"}}]\n"])</script><script>self.__next_f.push([1,"86:[\"$\",\"aside\",null,{\"className\":\"mt-12 rounded-2xl border border-border bg-card p-6 \",\"aria-label\":\"About the author: Enis Getmez\",\"children\":[\"$\",\"div\",null,{\"className\":\"flex flex-col gap-5 sm:flex-row sm:items-start\",\"children\":[[\"$\",\"$L1e\",null,{\"href\":\"/authors/enis-getmez\",\"className\":\"shrink-0\",\"aria-label\":\"Author profile for Enis Getmez\",\"children\":[\"$\",\"$L1f\",null,{\"src\":\"/authors/enis-getmez.svg\",\"alt\":\"Enis Getmez portrait\",\"width\":88,\"height\":88,\"className\":\"h-22 w-22 rounded-full\",\"unoptimized\":true}]}],[\"$\",\"div\",null,{\"className\":\"flex-1\",\"children\":[[\"$\",\"div\",null,{\"className\":\"flex items-baseline justify-between gap-3\",\"children\":[[\"$\",\"$L1e\",null,{\"href\":\"/authors/enis-getmez\",\"className\":\"text-lg font-semibold text-foreground no-underline hover:text-primary\",\"children\":\"Enis Getmez\"}],[\"$\",\"span\",null,{\"className\":\"text-xs uppercase tracking-wider text-muted-foreground\",\"children\":[10,\"+ years\"]}]]}],[\"$\",\"p\",null,{\"className\":\"text-xs font-medium text-primary\",\"children\":\"Founder \u0026 Lead Engineer\"}],[\"$\",\"p\",null,{\"className\":\"mt-3 text-sm leading-relaxed text-muted-foreground\",\"children\":\"Founder of Krawly. Backend and crawl-infrastructure engineer with a decade of work on web scraping, SEO automation, and data pipelines — every Krawly tool started as one of his client scripts.\"}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-wrap gap-1.5\",\"children\":[[\"$\",\"span\",\"Web scraping architecture\",{\"className\":\"rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground\",\"children\":\"Web scraping architecture\"}],[\"$\",\"span\",\"Technical SEO audits\",{\"className\":\"rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground\",\"children\":\"Technical SEO audits\"}],[\"$\",\"span\",\"Search engine algorithms\",{\"className\":\"rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground\",\"children\":\"Search engine algorithms\"}],[\"$\",\"span\",\"Headless browsers (Playwright, Puppeteer)\",{\"className\":\"rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground\",\"children\":\"Headless browsers (Playwright, Puppeteer)\"}],[\"$\",\"span\",\"Django and Python backends\",{\"className\":\"rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground\",\"children\":\"Django and Python backends\"}],[\"$\",\"span\",\"API rate limiting and abuse detection\",{\"className\":\"rounded-full border border-border bg-muted/50 px-2 py-0.5 text-xs text-foreground\",\"children\":\"API rate limiting and abuse detection\"}]]}],[\"$\",\"div\",null,{\"className\":\"mt-4 flex flex-wrap gap-3 text-xs\",\"children\":[[\"$\",\"a\",null,{\"href\":\"https://www.linkedin.com/in/enis-getmez\",\"rel\":\"author noopener noreferrer\",\"target\":\"_blank\",\"className\":\"inline-flex items-center gap-1 text-muted-foreground transition-colors hover:text-primary\",\"children\":[[\"$\",\"svg\",null,{\"ref\":\"$undefined\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":24,\"height\":24,\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":2,\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"className\":\"lucide lucide-linkedin h-3.5 w-3.5\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"path\",\"c2jq9f\",{\"d\":\"M16 8a6 6 0 0 1 6 6v7h-4v-7a2 2 0 0 0-2-2 2 2 0 0 0-2 2v7h-4v-7a6 6 0 0 1 6-6z\"}],[\"$\",\"rect\",\"mk3on5\",{\"width\":\"4\",\"height\":\"12\",\"x\":\"2\",\"y\":\"9\"}],[\"$\",\"circle\",\"bt5ra8\",{\"cx\":\"4\",\"cy\":\"4\",\"r\":\"2\"}],\"$undefined\"]}],\" LinkedIn\"]}],[\"$\",\"a\",null,{\"href\":\"https://github.com/enisgetmez\",\"rel\":\"author noopener noreferrer\",\"target\":\"_blank\",\"className\":\"inline-flex items-center gap-1 text-muted-foreground transition-colors hover:text-primary\",\"children\":[[\"$\",\"svg\",null,{\"ref\":\"$undefined\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":24,\"height\":24,\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":2,\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"className\":\"lucide lucide-github h-3.5 w-3.5\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"path\",\"tonef\",{\"d\":\"M15 22v-4a4.8 4.8 0 0 0-1-3.5c3 0 6-2 6-5.5.08-1.25-.27-2.48-1-3.5.28-1.15.28-2.35 0-3.5 0 0-1 0-3 1.5-2.64-.5-5.36-.5-8 0C6 2 5 2 5 2c-.3 1.15-.3 2.35 0 3.5A5.403 5.403 0 0 0 4 9c0 3.5 3 5.5 6 5.5-.39.49-.68 1.05-.85 1.65-.17.6-.22 1.23-.15 1.85v4\"}],\"$L8c\",\"$undefined\"]}],\" GitHub\"]}],\"$L8d\",\"$L8e\"]}]]}]]}]}]\n"])</script><script>self.__next_f.push([1,"87:[\"$\",\"div\",null,{\"className\":\"mt-12 rounded-xl border border-primary/20 bg-primary/5 p-6 text-center\",\"children\":[[\"$\",\"h3\",null,{\"className\":\"text-lg font-semibold text-foreground mb-2\",\"children\":\"Try All 170+ Free Tools\"}],[\"$\",\"p\",null,{\"className\":\"text-muted-foreground mb-4\",\"children\":\"No signup required. Start analyzing websites, scraping data, and more.\"}],[\"$\",\"$L1e\",null,{\"href\":\"/tools\",\"className\":\"inline-flex items-center rounded-lg bg-primary px-6 py-2.5 text-sm font-medium text-primary-foreground transition hover:bg-primary/90\",\"children\":\"Browse All Tools\"}]]}]\n"])</script><script>self.__next_f.push([1,"88:[\"$\",\"div\",null,{\"className\":\"mt-16\",\"children\":[[\"$\",\"h2\",null,{\"className\":\"text-2xl font-bold text-foreground mb-6\",\"children\":\"Related Articles\"}],[\"$\",\"div\",null,{\"className\":\"grid gap-4 sm:grid-cols-3\",\"children\":[[\"$\",\"$L1e\",\"how-to-scrape-youtube-playlist-data-free\",{\"href\":\"/blog/how-to-scrape-youtube-playlist-data-free\",\"className\":\"group rounded-xl border border-border bg-card p-4 transition hover:border-primary/30\",\"children\":[[\"$\",\"span\",null,{\"className\":\"text-xs text-primary\",\"children\":\"YouTube\"}],[\"$\",\"h3\",null,{\"className\":\"mt-1 text-sm font-semibold text-foreground group-hover:text-primary transition line-clamp-2\",\"children\":\"How to Scrape YouTube Playlist Data in 2026 (Free \u0026 Easy)\"}],[\"$\",\"p\",null,{\"className\":\"mt-1 text-xs text-muted-foreground\",\"children\":\"4 min read\"}]]}],[\"$\",\"$L1e\",\"find-email-addresses-from-any-website\",{\"href\":\"/blog/find-email-addresses-from-any-website\",\"className\":\"group rounded-xl border border-border bg-card p-4 transition hover:border-primary/30\",\"children\":[[\"$\",\"span\",null,{\"className\":\"text-xs text-primary\",\"children\":\"Lead Generation\"}],[\"$\",\"h3\",null,{\"className\":\"mt-1 text-sm font-semibold text-foreground group-hover:text-primary transition line-clamp-2\",\"children\":\"How to Find Email Addresses from Any Website (5 Free Methods)\"}],[\"$\",\"p\",null,{\"className\":\"mt-1 text-xs text-muted-foreground\",\"children\":\"5 min read\"}]]}],[\"$\",\"$L1e\",\"free-seo-audit-checklist-2026\",{\"href\":\"/blog/free-seo-audit-checklist-2026\",\"className\":\"group rounded-xl border border-border bg-card p-4 transition hover:border-primary/30\",\"children\":[[\"$\",\"span\",null,{\"className\":\"text-xs text-primary\",\"children\":\"SEO\"}],[\"$\",\"h3\",null,{\"className\":\"mt-1 text-sm font-semibold text-foreground group-hover:text-primary transition line-clamp-2\",\"children\":\"Free SEO Audit Checklist for 2026 (With Tools)\"}],[\"$\",\"p\",null,{\"className\":\"mt-1 text-xs text-muted-foreground\",\"children\":\"7 min read\"}]]}]]}]]}]\n"])</script><script>self.__next_f.push([1,"8f:T6c5,"])</script><script>self.__next_f.push([1,"{\"@context\":\"https://schema.org\",\"@type\":\"Article\",\"headline\":\"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist\",\"description\":\"Most websites score D or F on security headers — not because their stack is insecure but because nobody told them which headers to set. Six headers, four minutes each, A grade.\",\"datePublished\":\"2026-05-22\",\"dateModified\":\"2026-05-22\",\"articleSection\":\"Security\",\"keywords\":\"security headers, content security policy, hsts header, x-frame-options, permissions policy\",\"wordCount\":1405,\"image\":\"https://krawly.io/blog-shots/security-headers.jpeg\",\"author\":{\"@context\":\"https://schema.org\",\"@type\":\"Person\",\"name\":\"Enis Getmez\",\"jobTitle\":\"Founder \u0026 Lead Engineer\",\"description\":\"Founder of Krawly. Backend and crawl-infrastructure engineer with a decade of work on web scraping, SEO automation, and data pipelines — every Krawly tool started as one of his client scripts.\",\"url\":\"https://krawly.io/authors/enis-getmez\",\"image\":\"https://krawly.io/authors/enis-getmez.svg\",\"sameAs\":[\"https://www.linkedin.com/in/enis-getmez\",\"https://github.com/enisgetmez\",\"https://krawly.io/about\"],\"knowsAbout\":[\"Web scraping architecture\",\"Technical SEO audits\",\"Search engine algorithms\",\"Headless browsers (Playwright, Puppeteer)\",\"Django and Python backends\",\"API rate limiting and abuse detection\",\"OSINT data sources\",\"Schema.org structured data\"],\"worksFor\":{\"@type\":\"Organization\",\"name\":\"Krawly.io\",\"url\":\"https://krawly.io\"}},\"publisher\":{\"@type\":\"Organization\",\"name\":\"Krawly\",\"url\":\"https://krawly.io\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://krawly.io/krawly-logo.png\"}},\"mainEntityOfPage\":{\"@type\":\"WebPage\",\"@id\":\"https://krawly.io/blog/security-headers-grade-from-d-to-a\"}}"])</script><script>self.__next_f.push([1,"89:[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"$8f\"}}]\n8a:[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"BreadcrumbList\\\",\\\"itemListElement\\\":[{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":1,\\\"name\\\":\\\"Krawly.io\\\",\\\"item\\\":\\\"https://krawly.io\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":2,\\\"name\\\":\\\"Blog\\\",\\\"item\\\":\\\"https://krawly.io/blog\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":3,\\\"name\\\":\\\"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist\\\",\\\"item\\\":\\\"https://krawly.io/blog/security-headers-grade-from-d-to-a\\\"}]}\"}}]\n"])</script><script>self.__next_f.push([1,"8b:[\"$\",\"footer\",null,{\"className\":\"border-t border-border bg-card/40\",\"children\":[\"$\",\"div\",null,{\"className\":\"mx-auto max-w-7xl px-4 py-14 sm:px-6 lg:px-8\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid grid-cols-2 gap-8 md:grid-cols-5 md:gap-10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"col-span-2 md:col-span-2\",\"children\":[[\"$\",\"div\",null,{\"className\":\"flex items-center gap-2 mb-3\",\"children\":[[\"$\",\"div\",null,{\"className\":\"anim-float\",\"children\":[\"$\",\"svg\",null,{\"viewBox\":\"0 0 100 100\",\"fill\":\"none\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"className\":\"w-8 h-8 \",\"children\":[[\"$\",\"ellipse\",null,{\"cx\":\"50\",\"cy\":\"55\",\"rx\":\"28\",\"ry\":\"24\",\"fill\":\"url(#bodyGradient)\"}],[\"$\",\"ellipse\",null,{\"cx\":\"50\",\"cy\":\"50\",\"rx\":\"20\",\"ry\":\"16\",\"fill\":\"url(#faceGradient)\"}],[\"$\",\"circle\",null,{\"cx\":\"40\",\"cy\":\"48\",\"r\":\"8\",\"fill\":\"white\"}],[\"$\",\"circle\",null,{\"cx\":\"60\",\"cy\":\"48\",\"r\":\"8\",\"fill\":\"white\"}],[\"$\",\"circle\",null,{\"cx\":\"42\",\"cy\":\"47\",\"r\":\"4\",\"fill\":\"#1a1a2e\"}],[\"$\",\"circle\",null,{\"cx\":\"62\",\"cy\":\"47\",\"r\":\"4\",\"fill\":\"#1a1a2e\"}],[\"$\",\"circle\",null,{\"cx\":\"43\",\"cy\":\"46\",\"r\":\"1.5\",\"fill\":\"white\"}],[\"$\",\"circle\",null,{\"cx\":\"63\",\"cy\":\"46\",\"r\":\"1.5\",\"fill\":\"white\"}],[\"$\",\"path\",null,{\"d\":\"M42 58 Q50 64 58 58\",\"stroke\":\"#1a1a2e\",\"strokeWidth\":\"2\",\"strokeLinecap\":\"round\",\"fill\":\"none\"}],[\"$\",\"line\",null,{\"x1\":\"50\",\"y1\":\"32\",\"x2\":\"50\",\"y2\":\"22\",\"stroke\":\"url(#antennaGradient)\",\"strokeWidth\":\"3\",\"strokeLinecap\":\"round\"}],[\"$\",\"circle\",null,{\"cx\":\"50\",\"cy\":\"18\",\"r\":\"5\",\"fill\":\"url(#antennaBallGradient)\"}],[\"$\",\"path\",null,{\"d\":\"M26 50 Q18 45 12 52\",\"stroke\":\"url(#legGradient)\",\"strokeWidth\":\"4\",\"strokeLinecap\":\"round\",\"fill\":\"none\"}],[\"$\",\"path\",null,{\"d\":\"M74 50 Q82 45 88 52\",\"stroke\":\"url(#legGradient)\",\"strokeWidth\":\"4\",\"strokeLinecap\":\"round\",\"fill\":\"none\"}],[\"$\",\"path\",null,{\"d\":\"M24 58 Q14 60 10 68\",\"stroke\":\"url(#legGradient)\",\"strokeWidth\":\"4\",\"strokeLinecap\":\"round\",\"fill\":\"none\"}],[\"$\",\"path\",null,{\"d\":\"M76 58 Q86 60 90 68\",\"stroke\":\"url(#legGradient)\",\"strokeWidth\":\"4\",\"strokeLinecap\":\"round\",\"fill\":\"none\"}],[\"$\",\"path\",null,{\"d\":\"M28 70 Q20 78 14 82\",\"stroke\":\"url(#legGradient)\",\"strokeWidth\":\"4\",\"strokeLinecap\":\"round\",\"fill\":\"none\"}],[\"$\",\"path\",null,{\"d\":\"M72 70 Q80 78 86 82\",\"stroke\":\"url(#legGradient)\",\"strokeWidth\":\"4\",\"strokeLinecap\":\"round\",\"fill\":\"none\"}],[\"$\",\"defs\",null,{\"children\":[[\"$\",\"linearGradient\",null,{\"id\":\"bodyGradient\",\"x1\":\"22\",\"y1\":\"31\",\"x2\":\"78\",\"y2\":\"79\",\"gradientUnits\":\"userSpaceOnUse\",\"children\":[[\"$\",\"stop\",null,{\"stopColor\":\"#7c3aed\"}],[\"$\",\"stop\",null,{\"offset\":\"1\",\"stopColor\":\"#4f46e5\"}]]}],[\"$\",\"linearGradient\",null,{\"id\":\"faceGradient\",\"x1\":\"30\",\"y1\":\"34\",\"x2\":\"70\",\"y2\":\"66\",\"gradientUnits\":\"userSpaceOnUse\",\"children\":[[\"$\",\"stop\",null,{\"stopColor\":\"#a78bfa\"}],[\"$\",\"stop\",null,{\"offset\":\"1\",\"stopColor\":\"#8b5cf6\"}]]}],[\"$\",\"linearGradient\",null,{\"id\":\"antennaGradient\",\"x1\":\"50\",\"y1\":\"32\",\"x2\":\"50\",\"y2\":\"22\",\"gradientUnits\":\"userSpaceOnUse\",\"children\":[[\"$\",\"stop\",null,{\"stopColor\":\"#7c3aed\"}],[\"$\",\"stop\",null,{\"offset\":\"1\",\"stopColor\":\"#4f46e5\"}]]}],[\"$\",\"linearGradient\",null,{\"id\":\"antennaBallGradient\",\"x1\":\"45\",\"y1\":\"13\",\"x2\":\"55\",\"y2\":\"23\",\"gradientUnits\":\"userSpaceOnUse\",\"children\":[[\"$\",\"stop\",null,{\"stopColor\":\"#a78bfa\"}],[\"$\",\"stop\",null,{\"offset\":\"1\",\"stopColor\":\"#7c3aed\"}]]}],[\"$\",\"linearGradient\",null,{\"id\":\"legGradient\",\"x1\":\"10\",\"y1\":\"45\",\"x2\":\"90\",\"y2\":\"85\",\"gradientUnits\":\"userSpaceOnUse\",\"children\":[[\"$\",\"stop\",null,{\"stopColor\":\"#6366f1\"}],[\"$\",\"stop\",null,{\"offset\":\"1\",\"stopColor\":\"#4f46e5\"}]]}]]}]]}]}],[\"$\",\"span\",null,{\"className\":\"text-base font-bold text-foreground\",\"children\":[\"Krawly\",[\"$\",\"span\",null,{\"className\":\"text-primary\",\"children\":\".io\"}]]}]]}],[\"$\",\"p\",null,{\"className\":\"max-w-xs text-sm leading-relaxed text-muted-foreground\",\"children\":\"Free online tools for SEO, web scraping, security, and developer workflows. No signup. 30 free uses every day.\"}]]}],[\"$\",\"div\",null,{\"children\":[[\"$\",\"h4\",null,{\"className\":\"mb-4 text-sm font-semibold text-foreground\",\"children\":\"Product\"}],[\"$\",\"div\",null,{\"className\":\"flex flex-col gap-2.5\",\"children\":[[\"$\",\"a\",\"All Tools\",{\"href\":\"/tools\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"All Tools\"}],[\"$\",\"a\",\"Blog\",{\"href\":\"/blog\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Blog\"}]]}]]}],[\"$\",\"div\",null,{\"children\":[[\"$\",\"h4\",null,{\"className\":\"mb-4 text-sm font-semibold text-foreground\",\"children\":\"Categories\"}],[\"$\",\"div\",null,{\"className\":\"flex flex-col gap-2.5\",\"children\":[[\"$\",\"a\",\"SEO Tools\",{\"href\":\"/tools/seo\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"SEO Tools\"}],\"$L90\",\"$L91\",\"$L92\",\"$L93\",\"$L94\"]}]]}],\"$L95\"]}],\"$L96\"]}]}]\n"])</script><script>self.__next_f.push([1,"8c:[\"$\",\"path\",\"9comsn\",{\"d\":\"M9 18c-4.51 2-5-2-7-2\"}]\n8d:[\"$\",\"a\",null,{\"href\":\"mailto:info@krawly.io\",\"className\":\"inline-flex items-center gap-1 text-muted-foreground transition-colors hover:text-primary\",\"children\":[[\"$\",\"svg\",null,{\"ref\":\"$undefined\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":24,\"height\":24,\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":2,\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"className\":\"lucide lucide-mail h-3.5 w-3.5\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"path\",\"132q7q\",{\"d\":\"m22 7-8.991 5.727a2 2 0 0 1-2.009 0L2 7\"}],[\"$\",\"rect\",\"izxlao\",{\"x\":\"2\",\"y\":\"4\",\"width\":\"20\",\"height\":\"16\",\"rx\":\"2\"}],\"$undefined\"]}],\" \",\"info@krawly.io\"]}]\n8e:[\"$\",\"$L1e\",null,{\"href\":\"/authors/enis-getmez\",\"className\":\"inline-flex items-center gap-1 text-primary transition-colors hover:underline no-underline\",\"children\":[\"Full profile \",[\"$\",\"svg\",null,{\"ref\":\"$undefined\",\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":24,\"height\":24,\"viewBox\":\"0 0 24 24\",\"fill\":\"none\",\"stroke\":\"currentColor\",\"strokeWidth\":2,\"strokeLinecap\":\"round\",\"strokeLinejoin\":\"round\",\"className\":\"lucide lucide-external-link h-3 w-3\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"path\",\"1q9fwt\",{\"d\":\"M15 3h6v6\"}],[\"$\",\"path\",\"gplh6r\",{\"d\":\"M10 14 21 3\"}],[\"$\",\"path\",\"a6xqqp\",{\"d\":\"M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6\"}],\"$undefined\"]}]]}]\n90:[\"$\",\"a\",\"Web Scraping\",{\"href\":\"/tools/web-scraping\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Web Scraping\"}]\n91:[\"$\",\"a\",\"Security\",{\"href\":\"/tools/security\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Security\"}]\n92:[\"$\",\"a\",\"Developer\",{\"href\":\"/tools/developer\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Developer\"}]\n93:[\"$\",\"a\",\"E-Commerce\",{\"href\":\"/tools/e-commerce\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"E-Commerce\"}]\n94:[\"$\",\"a\",\"Image\",{\"href\":\"/tools/image\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Image\"}]\n"])</script><script>self.__next_f.push([1,"95:[\"$\",\"div\",null,{\"children\":[[\"$\",\"h4\",null,{\"className\":\"mb-4 text-sm font-semibold text-foreground\",\"children\":\"Company\"}],[\"$\",\"div\",null,{\"className\":\"flex flex-col gap-2.5\",\"children\":[[\"$\",\"a\",\"About\",{\"href\":\"/about\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"About\"}],[\"$\",\"a\",\"Authors\",{\"href\":\"/authors\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Authors\"}],[\"$\",\"a\",\"Editorial Guidelines\",{\"href\":\"/editorial-guidelines\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Editorial Guidelines\"}],[\"$\",\"a\",\"Methodology\",{\"href\":\"/methodology\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Methodology\"}],[\"$\",\"a\",\"Contact\",{\"href\":\"/contact\",\"className\":\"text-sm text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:text-foreground focus-visible:underline\",\"children\":\"Contact\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"96:[\"$\",\"div\",null,{\"className\":\"mt-12 flex flex-col items-center justify-between gap-4 border-t border-border pt-6 md:flex-row\",\"children\":[[\"$\",\"p\",null,{\"className\":\"text-xs text-muted-foreground\",\"children\":[\"© \",2026,\" Krawly.io — All rights reserved.\"]}],[\"$\",\"div\",null,{\"className\":\"flex flex-wrap items-center justify-center gap-x-5 gap-y-2\",\"children\":[[\"$\",\"a\",\"Privacy Policy\",{\"href\":\"/privacy\",\"className\":\"text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline\",\"children\":\"Privacy Policy\"}],[\"$\",\"a\",\"Terms of Service\",{\"href\":\"/terms\",\"className\":\"text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline\",\"children\":\"Terms of Service\"}],[\"$\",\"a\",\"Cookie Policy\",{\"href\":\"/cookies\",\"className\":\"text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline\",\"children\":\"Cookie Policy\"}],[\"$\",\"a\",\"Refund Policy\",{\"href\":\"/refund\",\"className\":\"text-xs text-muted-foreground transition-colors hover:text-foreground no-underline focus-visible:outline-none focus-visible:underline\",\"children\":\"Refund Policy\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"1a:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"2\",{\"name\":\"theme-color\",\"content\":\"#7c3aed\"}]]\n"])</script><script>self.__next_f.push([1,"97:I[27201,[\"/_next/static/chunks/ff1a16fafef87110.js\",\"/_next/static/chunks/d2be314c3ece3fbe.js\"],\"IconMark\"]\n18:null\n"])</script><script>self.__next_f.push([1,"1c:[[\"$\",\"title\",\"0\",{\"children\":\"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist | Krawly\"}],[\"$\",\"meta\",\"1\",{\"name\":\"description\",\"content\":\"Most websites score D or F on security headers — not because their stack is insecure but because nobody told them which headers to set. Six headers, four minutes each, A grade.\"}],[\"$\",\"link\",\"2\",{\"rel\":\"author\",\"href\":\"https://krawly.io/authors/enis-getmez\"}],[\"$\",\"meta\",\"3\",{\"name\":\"author\",\"content\":\"Enis Getmez\"}],[\"$\",\"meta\",\"4\",{\"name\":\"keywords\",\"content\":\"security headers,content security policy,hsts header,x-frame-options,permissions policy\"}],[\"$\",\"meta\",\"5\",{\"name\":\"robots\",\"content\":\"index, follow\"}],[\"$\",\"meta\",\"6\",{\"name\":\"googlebot\",\"content\":\"index, follow, max-video-preview:-1, max-image-preview:large, max-snippet:-1\"}],[\"$\",\"link\",\"7\",{\"rel\":\"canonical\",\"href\":\"https://krawly.io/blog/security-headers-grade-from-d-to-a\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:title\",\"content\":\"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:description\",\"content\":\"Most websites score D or F on security headers — not because their stack is insecure but because nobody told them which headers to set. Six headers, four minutes each, A grade.\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:url\",\"content\":\"https://krawly.io/blog/security-headers-grade-from-d-to-a\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:site_name\",\"content\":\"Krawly.io\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:type\",\"content\":\"article\"}],[\"$\",\"meta\",\"13\",{\"property\":\"article:published_time\",\"content\":\"2026-05-22\"}],[\"$\",\"meta\",\"14\",{\"property\":\"article:modified_time\",\"content\":\"2026-05-22\"}],[\"$\",\"meta\",\"15\",{\"property\":\"article:author\",\"content\":\"Enis Getmez\"}],[\"$\",\"meta\",\"16\",{\"property\":\"article:tag\",\"content\":\"security headers\"}],[\"$\",\"meta\",\"17\",{\"property\":\"article:tag\",\"content\":\"content security policy\"}],[\"$\",\"meta\",\"18\",{\"property\":\"article:tag\",\"content\":\"hsts header\"}],[\"$\",\"meta\",\"19\",{\"property\":\"article:tag\",\"content\":\"x-frame-options\"}],[\"$\",\"meta\",\"20\",{\"property\":\"article:tag\",\"content\":\"permissions policy\"}],[\"$\",\"meta\",\"21\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"22\",{\"name\":\"twitter:title\",\"content\":\"Lifting Your Security Headers Grade from D to A — A 30-Minute Checklist\"}],[\"$\",\"meta\",\"23\",{\"name\":\"twitter:description\",\"content\":\"Most websites score D or F on security headers — not because their stack is insecure but because nobody told them which headers to set. Six headers, four minutes each, A grade.\"}],[\"$\",\"link\",\"24\",{\"rel\":\"icon\",\"href\":\"/favicon.ico?favicon.d7ba6cb3.ico\",\"sizes\":\"32x32\",\"type\":\"image/x-icon\"}],[\"$\",\"$L97\",\"25\",{}]]\n"])</script></body></html>