Security headers check
Test which security headers your site sends — HSTS, Content-Security-Policy, clickjacking protection, nosniff, CORS, version leaks — with a pass/fail per header and what each one means, in plain English.
The cheapest security wins a website has
Security headers are one-line instructions to the browser, and each closes a real attack class: HSTS ends protocol-downgrade attacks, a CSP makes injected scripts simply not run, frame protection kills clickjacking. They take minutes to add and cost nothing at runtime — which is why missing them reads as a signal. It's the first thing anyone probing your site checks, precisely because it's the first thing shipped-in-a-weekend apps skip.
Headers are one layer. The free report checks the rest.
Run the full scan free — TLS, cookies, DNS, exposed subdomains, email spoofing protection and more, graded A to F, with a copy-paste fix for every finding.
Security headers, answered
What are security headers?
Which security headers do I actually need?
What is HSTS and do I need it?
What is a Content-Security-Policy?
How do I add security headers in Next.js?
Do security headers affect SEO?
one request to your site · we read response headers, the same thing every browser does · nothing stored