The right HTTP security headers stop whole classes of attacks — clickjacking, protocol downgrade, mixed content. We check your headers and show exactly what's missing and why it matters.
Run a free domain scan All checks →We fetch your response headers and check HSTS (and preload), Content-Security-Policy, X-Frame-Options/frame-ancestors, X-Content-Type-Options, Referrer-Policy and CORS configuration — plus that sensitive headers don't leak server versions.
Security headers are cheap to set and stop real attacks: HSTS prevents downgrade to HTTP, CSP limits XSS, X-Frame-Options stops clickjacking. Their absence is also one of the most common findings in a technical audit.
default-src?Access-Control-Allow-Origin: * with credentials)Access-Control-Allow-Origin: * together with credentialsDoes it affect my site?
The check is passive — we only read response headers from your public endpoint. No changes are made.
Is CSP hard?
Getting started is easy; locking it down tightly takes iteration. We give you a starter policy and point out what protects most first.
What matters most?
HSTS and X-Content-Type-Options are easiest to set; CSP gives the most protection but takes the most work. The report prioritises for you.
Run a free scan or order a full Security Assessment — prioritised, not noise.
Run a free domain scan