Free Website Security Scanner - Check Your Security Headers
Enter any URL to scan its security headers and HTTPS configuration. We check for HSTS, Content Security Policy, X-Frame-Options, and other critical protections that defend against common web attacks. Free and instant.
This tool checks publicly visible security headers. It is not a penetration test or comprehensive security audit. Consult a security professional for thorough assessments.
Security Headers We Analyze
Each security header protects against a specific class of web attack. Here is what we check and why each header matters for your website's security.
HTTPS & SSL/TLS
HTTPS encrypts data between your visitors and your server, protecting sensitive information from interception. We verify that your site serves content over HTTPS, that your SSL certificate is valid and not expired, and that HTTP requests properly redirect to HTTPS. Without HTTPS, browsers display 'Not Secure' warnings that drive visitors away, and Google uses HTTPS as a ranking signal.
HTTP Strict Transport Security (HSTS)
HSTS tells browsers to always connect to your site over HTTPS, even if a user types http:// in their address bar. We check for the Strict-Transport-Security header, verify its max-age is at least one year (31536000 seconds), and check for the includeSubDomains and preload directives. HSTS prevents SSL-stripping attacks where an attacker downgrades a secure connection to an insecure one.
Content Security Policy (CSP)
A Content Security Policy defines which sources of content are allowed to load on your page. We check for the Content-Security-Policy header and evaluate its directives. A well-configured CSP is your strongest defense against cross-site scripting (XSS) attacks, clickjacking, and other code injection attacks. Even a basic CSP is significantly better than none at all.
X-Frame-Options
The X-Frame-Options header prevents your site from being embedded in iframes on other domains, protecting against clickjacking attacks. We verify the header is present and set to DENY or SAMEORIGIN. Without this protection, attackers can load your site inside an invisible frame on a page they control and trick users into clicking buttons or links on your site that they cannot see.
X-Content-Type-Options
The X-Content-Type-Options header with the value 'nosniff' prevents browsers from MIME-type sniffing, which can turn non-executable MIME types into executable ones. We verify this header is present and properly configured. This stops attacks where malicious content is disguised as a harmless file type like a text file or image.
Referrer Policy
The Referrer-Policy header controls how much referrer information is sent with requests from your site. We check for this header and evaluate whether the policy appropriately limits information leakage. A strict referrer policy prevents sensitive URL parameters and paths from being leaked to third-party sites when users click external links.
Permissions Policy
The Permissions-Policy header (formerly Feature-Policy) controls which browser features your site can use, such as camera, microphone, geolocation, and payment APIs. We check for this header and verify it restricts unnecessary feature access. This prevents malicious scripts from silently accessing powerful browser APIs on your visitors' devices.
Mixed Content Detection
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over insecure HTTP connections. We scan for mixed content warnings that weaken your HTTPS protection. Even a single HTTP resource on an HTTPS page can be intercepted and modified by attackers, potentially compromising the entire page.
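As an added illustration (not the scanner's own code), the checks listed above can be expressed as a small evaluator; the sample headers, the HTML snippet and the `cdn.example`/`img.example` hostnames are constructed for the run:

```python
"""Evaluate a response's security headers against the checks described above.
Added example, not the scanner's own code; sample headers and HTML are constructed."""
import re

MIN_HSTS_AGE = 31536000  # one year, the threshold stated above
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}
# Matches http:// in src/href of subresource tags (constructed regex, not a full HTML parser)
MIXED_RE = re.compile(r'<(?:script|img|link|iframe)\b[^>]*\b(?:src|href)\s*=\s*["\'](http://[^"\'>]+)', re.I)

def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) from a Strict-Transport-Security value."""
    parts = [p.strip().lower() for p in value.split(";")]
    m = re.search(r"max-age=(\d+)", value, re.I)
    return (int(m.group(1)) if m else 0), "includesubdomains" in parts, "preload" in parts

def evaluate_headers(headers):
    """Map each check to True (pass) or False (fail); header names match case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    age, subs, preload = parse_hsts(h.get("strict-transport-security", ""))
    return {
        "hsts": age >= MIN_HSTS_AGE,
        "hsts_subdomains": subs,
        "hsts_preload": preload,
        "csp": bool(h.get("content-security-policy")),
        "x_frame_options": h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"},
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy": h.get("referrer-policy", "").lower() in STRICT_REFERRER,
        "permissions_policy": bool(h.get("permissions-policy")),
    }

def find_mixed_content(html):
    """Return http:// resource URLs that an HTTPS page would load as mixed content."""
    return MIXED_RE.findall(html)

# Constructed sample response: HSTS too short, no CSP, leaky referrer policy, one HTTP script.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
SAMPLE_HTML = ('<script src="http://cdn.example/app.js"></script>'
               '<img src="https://img.example/a.png">')

if __name__ == "__main__":
    for check, ok in evaluate_headers(SAMPLE_HEADERS).items():
        print(f"{check:20} {'PASS' if ok else 'FAIL'}")
    print("mixed content:", find_mixed_content(SAMPLE_HTML))
```

Against the constructed sample it reports the HSTS max-age, CSP, Referrer-Policy and Permissions-Policy checks as failing and flags the single HTTP script as mixed content.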
Security Scanner FAQ
Common questions about website security headers and our scanning tool
What does a website security scanner check?
Our scanner analyzes your website's publicly visible security headers and HTTPS configuration. This includes HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and mixed content detection. These headers are the first line of defense against common web attacks.
Is my website vulnerable if it fails these checks?
Missing security headers mean your site lacks important protections against common attacks like cross-site scripting, clickjacking, and man-in-the-middle attacks. While this doesn't guarantee you'll be attacked, it means you're relying on other layers of defense. Adding these headers is straightforward and significantly improves your security posture.
How do I add security headers to my website?
Security headers are typically added in your web server configuration (Apache, Nginx), your CDN settings (Cloudflare, AWS CloudFront), or your application framework's middleware. Each header requires just one line of configuration. Our scan results include specific recommendations for the headers you're missing.
Does this replace a professional security audit?
No. Our tool checks publicly visible security headers, which is one important layer of website security. A comprehensive security audit also includes penetration testing, code review, server configuration analysis, and more. Use our tool to quickly check your headers, and engage security professionals for thorough assessments.
How often should I scan my security headers?
Scan after any server configuration change, deployment, or CDN update, as these can inadvertently remove or modify security headers. Your full report purchase includes free rescans of the same URL to verify your fixes.
Get Your Full Security Report
Unlock your complete security report with detailed findings across all categories - SEO, performance, security, and accessibility - plus a downloadable PDF. One-time purchase, $29.