Security Scanner
Analyze your website security: headers, HTTPS, cookies, and information disclosure checks
The security scanner checks the critical HTTP defense headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the CORS headers (Access-Control-Allow-Origin and related). It returns a grade from A to F and a list of findings. It detects common issues: server version leaks, missing HSTS, clickjacking exposure, MIME sniffing, and mixed content.
How it works
Enter site URL
Security headers analyzed
Get grade A–F
What Does the Security Analysis Check?
The tool checks HTTP security headers, SSL/TLS configuration, server information leaks, and protection against common browser-side attacks (XSS, clickjacking, MIME sniffing). A grade from A to F shows the overall security level.
Header Analysis
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
SSL Check
TLS version, certificate expiry, chain of trust, HSTS support.
Leak Detection
Finding exposed server versions, debug modes, open configs, and directories.
Report with Recommendations
Detailed report explaining each issue with specific steps to fix it.
Who uses this
Security teams
HTTP header audit
DevOps
config verification
Developers
CSP & HSTS setup
Auditors
compliance checks
Common Mistakes
Missing Strict-Transport-Security: without HSTS the browser still accepts a plain-HTTP connection to the site, so a first request can be intercepted or downgraded on the path.
Server: Apache/2.4.52 tells an attacker exactly which version to look up exploits for. Hide the version.
X-Frame-Options missing or not set to DENY or SAMEORIGIN leaves the page embeddable in an attacker's iframe (clickjacking).
Without X-Content-Type-Options: nosniff, browsers may misinterpret file types (MIME sniffing).
Best Practices
Start with Content-Security-Policy-Report-Only, monitor violation reports, then switch to the enforcing Content-Security-Policy header.
Remove Server, X-Powered-By, and X-AspNet-Version from responses.
Website Security Check
The security check tool analyzes HTTP response headers and evaluates the website protection level. Key security headers are checked: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Use this tool to audit security headers before launching a website, after server migration, or as part of regular security reviews. Each header is scored individually, and you receive a total security grade from A+ to F. The tool checks for common misconfigurations such as missing HSTS, overly permissive CSP, missing clickjacking protection, and outdated X-XSS-Protection headers.
For deeper analysis, combine with our SSL certificate checker to verify TLS configuration and HTTP headers reference to understand each header's purpose. Regular security header monitoring helps maintain compliance with OWASP recommendations and protects your users from XSS, clickjacking, and data injection attacks.
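To make the scoring described above concrete, here is an added example (not the scanner's own code) that audits a response header set the way this page describes: HSTS presence and max-age, an overly permissive CSP, clickjacking protection via X-Frame-Options or frame-ancestors, nosniff, Referrer-Policy, Permissions-Policy, version leaks, and the deprecated X-XSS-Protection header. The point values, the 180-day HSTS threshold, and the two sample header sets are assumptions constructed for the example; the real tool's weights may differ.

```python
# Added example, not the scanner's own code: a minimal HTTP security-header
# audit in the spirit of the checks listed on this page, run offline against
# constructed header sets. Weights and thresholds are assumptions.
import re

HSTS_MIN_AGE = 15552000  # 180 days (assumed minimum; the preload list wants a year)
SERVER_VERSION = re.compile(r"\d")  # any digit in Server: usually means a version


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def grade_for(score):
    """Map a 0-100 score to the page's A-F scale (thresholds assumed)."""
    for threshold, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return letter
    return "F"


def audit_headers(headers):
    """Return {"score", "grade", "findings"} for a {name: value} header dict.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    score = 100

    def deduct(points, message):
        nonlocal score
        score -= points
        findings.append(message)

    # Strict-Transport-Security: present and with a meaningful max-age.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        deduct(20, "Missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            deduct(10, "HSTS max-age shorter than 180 days")

    # Content-Security-Policy: present, and scripts not open to everything.
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        deduct(20, "Missing Content-Security-Policy")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "*" in script_src or "'unsafe-inline'" in script_src:
            deduct(10, "Overly permissive CSP: script-src allows * or 'unsafe-inline'")

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        deduct(15, "No clickjacking protection (X-Frame-Options or frame-ancestors)")

    # MIME sniffing.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        deduct(10, "Missing X-Content-Type-Options: nosniff")

    if "referrer-policy" not in h:
        deduct(5, "Missing Referrer-Policy")
    if "permissions-policy" not in h:
        deduct(5, "Missing Permissions-Policy")

    # Information disclosure: version strings and framework banners.
    if SERVER_VERSION.search(h.get("server", "")):
        deduct(5, "Server header reveals a version: " + h["server"])
    for leak in ("x-powered-by", "x-aspnet-version"):
        if leak in h:
            deduct(5, "Leaking " + leak + ": " + h[leak])

    # X-XSS-Protection is deprecated; CSP is the replacement.
    if "x-xss-protection" in h:
        deduct(5, "Deprecated X-XSS-Protection header present; rely on CSP instead")

    score = max(score, 0)
    return {"score": score, "grade": grade_for(score), "findings": findings}


# Constructed sample responses for the example (not captured from any real site).
WEAK = {
    "Server": "Apache/2.4.52",
    "X-Powered-By": "PHP/8.1.2",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit_headers(hdrs)
        print(name, result["grade"], result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

Running it prints grade F (score 20) for the weak set with nine findings and grade A (score 100) with no findings for the hardened set; note that the hardened set passes the clickjacking check without X-Frame-Options because frame-ancestors covers it.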
Frequently Asked Questions
Which security headers are most important?
Top 5 essential headers: Content-Security-Policy (XSS protection), Strict-Transport-Security (forced HTTPS), X-Content-Type-Options (nosniff), X-Frame-Options (clickjacking protection), Permissions-Policy (API restrictions).
How to add security headers?
In nginx, add add_header directives in the server block; be aware that an add_header inside a location block replaces every header inherited from the server block, so the security headers must be repeated there. In Apache, use Header always set in .htaccess or the vhost config (always makes the header appear on error responses too). In PHP, call header() before any output is sent. For Cloudflare, use Transform Rules to modify response headers. Verify the result with our tool after configuration.
What does a high security score give?
A high security score means the headers that defend against the major browser-side attacks (XSS, clickjacking, MIME sniffing, downgrade to plain HTTP) are in place. This increases user trust, helps SEO (Google uses HTTPS as a ranking signal), and reduces the risk of compromise and data leaks. It does not mean the application itself is free of vulnerabilities: headers limit the impact of bugs such as XSS, they do not remove them.
What is Content-Security-Policy?
CSP is a header that tells the browser where it may load resources from (scripts, styles, images, frames) and whether inline scripts may run. It is the primary mitigation for XSS. Example: default-src 'self' allows resources only from the page's own origin and blocks external hosts as well as inline scripts and styles.
How to protect a site from clickjacking?
Use the X-Frame-Options: DENY or SAMEORIGIN header to prevent embedding your site in iframes on other domains. The modern alternative is CSP with the frame-ancestors directive; when both are present, browsers that support frame-ancestors ignore X-Frame-Options, so keep the two consistent.
Why is X-Content-Type-Options needed?
The X-Content-Type-Options: nosniff header prevents the browser from "guessing" the MIME type of a file. Without it, the browser may interpret a text file as a script, creating a vulnerability to MIME-sniffing attacks.
What is Permissions-Policy?
Permissions-Policy (formerly Feature-Policy) is a header that controls access to browser APIs: camera, microphone, geolocation, autoplay. It is recommended to disable unused APIs to minimize the attack surface.