1. Overview

Header Guard
Developer: SkrenBytes
Type: Browser Extension
Platform: Google Chrome
Category: Security
Status: Coming Soon
License: Proprietary

Header Guard is a Google Chrome extension developed by SkrenBytes that inspects the HTTP response headers of any website you visit and instantly assigns a security grade, from A (excellent) to F (poor), based on industry-recognised security best practices.

Most users never think about HTTP headers, yet these behind-the-scenes directives tell a browser how to behave: whether to allow the page inside an iframe, whether scripts can be loaded from untrusted sources, and whether traffic must be encrypted. Misconfigured or missing headers are among the most common and preventable attack vectors on the web.

Header Guard makes the invisible visible - turning complex HTTP security headers into a clear, actionable letter grade, directly in your browser toolbar.

With a single click, Header Guard surfaces which headers are present, which are missing, and what impact each has on the overall security score.

2. How to Download

Header Guard will be available on the Chrome Web Store. Follow the steps below once the extension is live.

1. Open Google Chrome on your desktop or laptop (version 88 or later recommended).
2. Click the download button below, or go to the Chrome Web Store and search for "Header Guard".
3. On the listing page, click "Add to Chrome" in the top-right corner.
4. A permissions dialog will appear. Click "Add extension" to confirm and install.
5. The Header Guard icon appears in your toolbar. Pin it via the puzzle-piece icon for quick access.
6. Visit any website and click the icon to see its security grade instantly.

⇓  Download from Chrome Web Store

3. Understanding the Score & Grade for Header Scan

Header Guard evaluates each security header individually, applies weighted scoring, and produces an overall score between 0 and 100 which maps to a letter grade:

Score    | Grade | Rating          | Recommended Action
90 – 100 | A     | Excellent       | Maintain and monitor regularly
80 – 89  | B     | Good            | Address remaining low-priority gaps
70 – 79  | C     | Average         | Review and fix missing headers
60 – 69  | D     | Weak            | Prioritise fixes urgently
50 – 59  | E     | Very Weak       | Immediate remediation required
0 – 49   | F     | Poor / Insecure | Escalate to security team now

Grades are calculated in real time as you browse. Refreshing a page re-evaluates the headers. You may see changes after a site updates its configuration.


4. How It Works – Header Scan

When you navigate to a website, your browser and the server exchange HTTP messages. The server's response includes response headers - metadata that instructs the browser on security policies. Header Guard intercepts these headers via Chrome's webRequest API, parses them, and runs each through a scoring engine.

Headers Checked

Content-Security-Policy

Restricts where scripts, images, and resources may load from — blocking XSS and injection attacks.

🔗 OWASP Reference

Strict-Transport-Security

Forces browsers to use HTTPS exclusively, preventing protocol downgrade and man-in-the-middle attacks.

🔗 OWASP Reference

X-Frame-Options

Controls whether the page can be embedded in an iframe, protecting against clickjacking attacks.

🔗 OWASP Reference

X-Content-Type-Options

Prevents browsers from MIME-sniffing responses, reducing the risk of drive-by download attacks.

🔗 OWASP Reference

Referrer-Policy

Governs how much referrer information is shared with other sites, protecting user privacy across navigations.

🔗 OWASP Reference

Permissions-Policy

Limits browser feature access — camera, microphone, geolocation — for the page and embedded content.

🔗 OWASP Reference
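The following is an added illustration, not Header Guard's own code, of the pipeline section 4 describes: headers arrive from Chrome's webRequest API as name/value pairs, each of the six headers listed above is checked, and the total is mapped to a letter grade using the bands from section 3. The per-header weights (25/25/15/10/10/15) are an assumption made for the example; the page does not publish the extension's actual weighting. The sample response is constructed.

```javascript
// Added example, not Header Guard's own code: a minimal scoring engine of the
// kind section 4 describes. The six headers are the ones the page lists; the
// grade bands are from section 3; the per-header weights are an assumption,
// since the page does not publish its weighting.
const CHECKS = [
  { name: "content-security-policy", weight: 25 },   // assumed weight
  { name: "strict-transport-security", weight: 25 }, // assumed weight
  { name: "x-frame-options", weight: 15 },           // assumed weight
  { name: "x-content-type-options", weight: 10 },    // assumed weight
  { name: "referrer-policy", weight: 10 },           // assumed weight
  { name: "permissions-policy", weight: 15 },        // assumed weight
];

// chrome.webRequest delivers responseHeaders as [{ name, value }, ...].
// Header names are case-insensitive, so index them in lowercase.
function indexHeaders(responseHeaders) {
  const map = new Map();
  for (const { name, value } of responseHeaders) {
    map.set(name.toLowerCase(), value ?? "");
  }
  return map;
}

// Score-to-grade bands exactly as in the table of section 3.
function gradeFor(score) {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  if (score >= 50) return "E";
  return "F";
}

// Presence check per header: each header found adds its weight to the score,
// and each missing header is reported with the points it cost.
function scoreHeaders(responseHeaders) {
  const present = indexHeaders(responseHeaders);
  const findings = [];
  let score = 0;
  for (const { name, weight } of CHECKS) {
    if (present.has(name)) {
      score += weight;
      findings.push({ header: name, present: true, value: present.get(name) });
    } else {
      findings.push({ header: name, present: false, impact: -weight });
    }
  }
  return { score, grade: gradeFor(score), findings };
}

// Constructed sample response: HSTS, nosniff, framing and referrer controls
// are set, but Content-Security-Policy and Permissions-Policy are missing.
const SAMPLE_RESPONSE_HEADERS = [
  { name: "Content-Type", value: "text/html; charset=utf-8" },
  { name: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains; preload" },
  { name: "X-Content-Type-Options", value: "nosniff" },
  { name: "X-Frame-Options", value: "DENY" },
  { name: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

// Inside an extension the same function would be fed from onHeadersReceived;
// the guard lets this file also run under plain Node for the sample below.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => { console.log(details.url, scoreHeaders(details.responseHeaders || [])); },
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["responseHeaders"]
  );
}

console.log(scoreHeaders(SAMPLE_RESPONSE_HEADERS)); // score 60, grade "D"
```

With the assumed weights the sample lands at 60 (grade D): the two missing headers together cost 40 points, which is exactly the kind of "what impact each has on the overall score" breakdown the overview promises. A presence check is only the first layer; a header that is present with a weak value still needs a value-level check.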

5. How It Works – API Scan

The API Scan feature allows users to analyze API endpoints for common security weaknesses. The scan runs only when the user manually starts it.

The extension does not scan automatically. The user must provide an API endpoint or choose automatic detection.

API Scan Options

The extension supports two scanning modes:

🔍 Automatic API Detection

Detects API calls from the current webpage, lists discovered API endpoints, and lets the user select an endpoint to scan.

✎ Manual API Scan

User enters an API endpoint URL directly. Example: https://api.example.com/users

Running an API Scan

1. Click the extension icon in your Chrome toolbar.
2. Open the API Scan tab inside the extension.
3. Choose Auto Detect or Manual Scan mode.
4. Enter the API URL if using Manual Scan mode.
5. Click Scan API to run the analysis.
6. Review the results and generate a report if needed.

API Scan Coverage

Area                   | Full Pentest Tool | Header Guard    | Coverage
API Discovery          | Full mapping      | Basic detection | ~50%
Security Headers       | Full              | Partial         | ~80%
Authentication Testing | Deep testing      | Detection only  | ~30%
Data Exposure          | Deep analysis     | Basic checks    | ~60%
Token Security         | Deep testing      | Detection only  | ~25%
Exploitation           | Full              | None            | 0%
Business Logic         | Full              | None            | 0%

This tool provides a lightweight API security assessment and does not replace a full penetration test. The API Scan feature covers approximately 40%–50% of a typical API security assessment.

6. Buying API Keys

To purchase an API key for Header Guard, follow the steps below:

1. Go to the DodoPayments link to proceed with your purchase.
2. Complete the payment on the DodoPayments page.
3. Share the receipt of payment at support@skrenbytes.com.
4. Wait for 24 hours - your license ID will be shared back on the same email address.

7. Tips to Improve Your Score

If your site scores below an A, the following best practices will help close the gap. Each tip links to the relevant OWASP guidance for developers.

  • 🛡Implement a strict Content-Security-Policy. Define explicit allowed sources for scripts, styles, and media. Avoid unsafe-inline and unsafe-eval wherever possible.
    🔗  OWASP — CSP Cheat Sheet
  • 🛡Enable HSTS with a long max-age. Set max-age=31536000; includeSubDomains; preload and submit your domain to the HSTS preload list.
    🔗  OWASP — HSTS Cheat Sheet
  • 🛡Add X-Frame-Options: DENY or SAMEORIGIN to prevent your pages from being framed on malicious third-party sites and defend against clickjacking.
    🔗  OWASP — Clickjacking Defence
  • 🛡Set X-Content-Type-Options: nosniff — a one-liner that prevents MIME confusion attacks with essentially zero performance cost.
    🔗  OWASP — Secure Headers Project
  • 🛡Choose a restrictive Referrer-Policy such as no-referrer or strict-origin-when-cross-origin to limit information leakage on outbound links.
    🔗  OWASP — HTTP Headers Cheat Sheet
  • 🛡Define a Permissions-Policy that explicitly disables browser features your site does not use (camera, microphone, geolocation) to reduce the attack surface.
    🔗  OWASP — HTTP Headers Cheat Sheet
  • 🛡Test after every deployment. Header configurations can be overwritten by CMS updates, CDN changes, or server migrations — re-check with Header Guard regularly.
    🔗  OWASP — Secure Headers Project
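The tips above are about header values, not just presence. As an added example (not Header Guard's code), here is a value-level audit that encodes exactly those tips: no unsafe-inline or unsafe-eval in CSP, a one-year HSTS max-age with includeSubDomains and preload, X-Frame-Options of DENY or SAMEORIGIN, nosniff, one of the two named Referrer-Policy values, and a Permissions-Policy that disables camera, microphone and geolocation. The weak and hardened header sets are constructed; the rule structure and the issue wording are assumptions of the example.

```javascript
// Added example, not Header Guard's code: value-level checks behind the tips
// in section 7. Thresholds come from the tips themselves; the rule layout and
// the issue strings are assumptions of this example.
const ONE_YEAR = 31536000;

// "a=1; b; c=2" -> Map { "a" => "1", "b" => "", "c" => "2" } (keys lowercased)
function parseDirectives(value) {
  const out = new Map();
  for (const part of value.split(";")) {
    const [k, v = ""] = part.trim().split("=");
    if (k) out.set(k.toLowerCase(), v.trim());
  }
  return out;
}

// Takes a plain { "Header-Name": value } object and returns the list of tips
// the configuration fails. An empty list means every tip is satisfied.
function auditHeaderValues(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const issues = [];

  const csp = h["content-security-policy"];
  if (!csp) issues.push("Content-Security-Policy missing");
  else {
    if (csp.includes("'unsafe-inline'")) issues.push("CSP allows 'unsafe-inline'");
    if (csp.includes("'unsafe-eval'")) issues.push("CSP allows 'unsafe-eval'");
  }

  const hsts = h["strict-transport-security"];
  if (!hsts) issues.push("Strict-Transport-Security missing");
  else {
    const d = parseDirectives(hsts);
    const maxAge = Number(d.get("max-age")); // NaN when absent, which also fails
    if (!(maxAge >= ONE_YEAR)) issues.push("HSTS max-age below one year");
    if (!d.has("includesubdomains")) issues.push("HSTS lacks includeSubDomains");
    if (!d.has("preload")) issues.push("HSTS lacks preload");
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (!["DENY", "SAMEORIGIN"].includes(xfo)) issues.push("X-Frame-Options is not DENY or SAMEORIGIN");

  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff") {
    issues.push("X-Content-Type-Options is not nosniff");
  }

  const rp = (h["referrer-policy"] || "").trim().toLowerCase();
  if (!["no-referrer", "strict-origin-when-cross-origin"].includes(rp)) {
    issues.push("Referrer-Policy is not restrictive");
  }

  const pp = h["permissions-policy"] || "";
  for (const feature of ["camera", "microphone", "geolocation"]) {
    // An empty allowlist, e.g. camera=(), disables the feature everywhere.
    if (!pp.includes(`${feature}=()`)) issues.push(`Permissions-Policy does not disable ${feature}`);
  }
  return issues;
}

// Constructed "before" configuration: every header that is present has a weak value,
// and two of the six are absent altogether.
const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOWALL",
  "Referrer-Policy": "unsafe-url",
};

// Constructed "after" configuration following the tips above.
const HARDENED_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

console.log(auditHeaderValues(WEAK_HEADERS));     // 11 issues
console.log(auditHeaderValues(HARDENED_HEADERS)); // []
```

The weak set trips eleven rules even though four of the six headers are present, which is the point of the last tip: a deployment can keep every header name in place while a CDN or CMS quietly rewrites a value, so the check has to be repeated after every change.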

Ready to Check Your Site's Security?

Install Header Guard and get your security grade in seconds — no sign-up, no data collection, no noise.

Instant Results · Privacy First · Completely Free

⇓  Get Your Header Guard Today

Header Guard Privacy Policy

📅 Effective Date: March 2026
💻 User-Activated Chrome Extension

Header Guard ("we", "our", "the extension") respects your privacy and is committed to protecting your information.

1. When the Extension Runs
  • Header Guard only runs when the user actively launches the extension.
  • It does not collect or analyze any data in the background.

2. Information We Collect
  • When launched, Header Guard checks HTTP response headers of the websites you choose to analyze.
  • No personal information (name, email, passwords, or browsing history) is collected or stored.
  • API endpoints entered by the user may be temporarily processed for scanning purposes. This information is not stored or transmitted.

3. How We Use the Information
  • Analysis is performed locally on your device.
  • Results (security grades and scores) remain on your device and are not sent anywhere.

4. Third-Party Services
  • We do not share information with any third parties.

5. Cookies & Tracking
  • Header Guard does not use cookies or tracking technologies.

6. Security
  • The extension operates entirely on your device.
  • Keep your browser and extension updated for best security.

7. Children's Privacy
  • Not intended for users under 13 years old.

8. API Scanning
  • Header Guard includes an optional API scanning feature.
  • API scans only run when initiated by the user.
  • The extension may send requests to API endpoints specified by the user for analysis.
  • These requests are made directly from the user's browser.
  • No API data is stored.
  • No API responses are transmitted to external servers.
  • All analysis is performed locally.

9. Contact

For questions or concerns regarding this policy, please reach out:

📧  Email: support@skrenbytes.com
🌐  Website: https://www.skrenbytes.com

10. Changes to This Policy
  • Updates may be made occasionally.
  • Changes will be reflected in the Chrome Web Store listing and/or within the extension.