Free tool
Is your site actually secure?
Paste a URL. Get a free security score and three personalized fixes you can hand to whoever maintains your site. About five seconds.
Why this matters
Most small business sites are graded F by browsers.
Security headers are the cheapest, highest-leverage protection a website has. They tell browsers to enforce HTTPS, block clickjacking, prevent MIME sniffing, and stop scripts from running unless explicitly allowed. They cost nothing to add. Most sites have none of them. Attackers run the same scan you're about to run, every day, looking for the easy targets.
What this scan does
Shows you what an attacker sees first.
We fetch your site exactly the way a browser would, read the response headers, and grade them against the OWASP secure-headers project's recommendations. Then we give you the three biggest fixes in plain English, with the exact value to use. Same checks securityheaders.com runs, plus edge WAF detection.
How this scan works
What this scan covers, and what it doesn't
The scan makes one HTTPS request, reads the response headers, and runs twelve security checks weighted by impact. We're honest about what it catches and what it can't.
What this scan checks
- HTTPS available and HTTP redirects to HTTPS
- HSTS with preload eligibility
- X-Frame-Options or CSP frame-ancestors
- X-Content-Type-Options nosniff
- Referrer-Policy
- Permissions-Policy
- Content Security Policy and unsafe-* directives
- Cross-Origin-Opener-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Resource-Policy
- Server / X-Powered-By version exposure
- Edge CDN / WAF detection (Vercel, Cloudflare, Sucuri)
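
To make "checks weighted by impact" concrete, here is an added sketch (not this scanner's code) that grades one set of response headers against seven of the checks above and returns the three highest-weight fixes. The weights, check names, suggested values, and the sample headers are assumptions made for illustration.

```python
import re

def _hsts_ok(h):
    v = h.get("strict-transport-security", "").lower()
    m = re.search(r"max-age=(\d+)", v)
    # hstspreload.org eligibility: max-age >= 1 year, includeSubDomains, preload
    return bool(m and int(m.group(1)) >= 31536000
                and "includesubdomains" in v and "preload" in v)

def _csp(h):
    return h.get("content-security-policy", "").lower()

CHECKS = [  # (weight, name, predicate, fix); weights are assumed, not the page's
    (25, "CSP without unsafe-*",
     lambda h: bool(_csp(h)) and "'unsafe-" not in _csp(h),
     "Set a Content-Security-Policy that avoids 'unsafe-inline' and 'unsafe-eval'"),
    (20, "HSTS preload-eligible", _hsts_ok,
     "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"),
    (15, "Framing restricted",
     lambda h: "x-frame-options" in h or "frame-ancestors" in _csp(h),
     "X-Frame-Options: DENY (or CSP frame-ancestors 'none')"),
    (10, "MIME sniffing blocked",
     lambda h: h.get("x-content-type-options", "").strip().lower() == "nosniff",
     "X-Content-Type-Options: nosniff"),
    (10, "Referrer-Policy set", lambda h: "referrer-policy" in h,
     "Referrer-Policy: strict-origin-when-cross-origin"),
    (10, "Permissions-Policy set", lambda h: "permissions-policy" in h,
     "Permissions-Policy: camera=(), microphone=(), geolocation=()"),
    (10, "No version exposure",
     lambda h: not any(re.search(r"\d", h.get(k, "")) for k in ("server", "x-powered-by")),
     "Remove X-Powered-By and strip the version from Server"),
]

def grade(raw_headers):
    """Return (score 0-100, up to three highest-weight fixes)."""
    h = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
    failed = [(w, fix) for w, _, ok, fix in CHECKS if not ok(h)]
    score = 100 - sum(w for w, _ in failed)
    return score, [fix for w, fix in sorted(failed, key=lambda t: -t[0])[:3]]

# Constructed sample response headers, not taken from any real site.
SAMPLE = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
```

Calling grade(SAMPLE) shows how a short HSTS max-age and an 'unsafe-inline' CSP fail even though both headers are present.
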
What this scan doesn't check
- Open ports and origin server scans
- Vulnerability matching against CVE databases
- Stack-specific configuration audits
- TLS cipher suite grading
- DNS / email security (SPF, DKIM, DMARC, CAA)
A full audit catches the rest: stack-aware config review, CSP tuning, and origin hardening.