Check your website's security headers for free

Enter any URL and get an instant analysis of HTTP security headers, TLS configuration, DNS records, and cookie security. No account needed, no limits on free scans.

15+ headers analyzed
Free, no account needed
Results delivered in under 5 seconds
Check any website's security headers in seconds. No signup, no rate limits, no waiting.

Comprehensive header analysis in one scan

Every scan evaluates over 15 HTTP security headers and grades each one individually. Instead of just telling you whether a header is present, the scanner checks how well it is configured. A misconfigured Content-Security-Policy can be worse than having none at all, so configuration quality matters as much as presence.

Scan Result

https://example.com

78/100

Grade: B+

Content-Security-Policy: Present
Strict-Transport-Security: Present
X-Frame-Options: Present
Permissions-Policy: Missing
X-Content-Type-Options: Present
Referrer-Policy: Present
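
The difference between a header being present and being well configured, shown as an added example (this is not the scanner's own code or scoring). The one-year HSTS threshold, the list of overly permissive script sources, and all function names are assumptions made for the illustration.

```python
import re

# Assumed thresholds and rules for this illustration; not the scanner's own scoring.
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds
UNSAFE_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
TRUSTED_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}; the first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_csp(value):
    policy = parse_csp(value)
    # script-src falls back to default-src when it is absent
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    has_nonce_or_hash = any(s.startswith(TRUSTED_PREFIXES) for s in sources)
    issues = []
    for s in sources:
        if s == "'unsafe-inline'" and has_nonce_or_hash:
            continue  # browsers ignore 'unsafe-inline' when a nonce or hash is present
        if s in UNSAFE_SCRIPT_SOURCES:
            issues.append(f"script source {s} is overly permissive")
    return issues

def audit_hsts(value):
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    if not m:
        return ["no max-age directive"]
    if int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return [f"max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}"]
    return []

def audit(headers):
    """Return {header: 'missing' | 'ok' | [issues]} for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    checks = {"content-security-policy": audit_csp, "strict-transport-security": audit_hsts}
    return {n: ("missing" if n not in h else (fn(h[n]) or "ok")) for n, fn in checks.items()}

# Constructed sample: both headers are present, yet both are weakly configured.
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
```

A presence-only check would report both headers in SAMPLE as present; `audit(SAMPLE)` returns a list of issues for each.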

Beyond headers: TLS, DNS, and cookies

Security headers are only one layer of your website's defenses. Each scan also evaluates your TLS/SSL certificate and protocol configuration, DNS security records like DNSSEC and CAA, cookie attributes including Secure, HttpOnly, and SameSite flags, and a detailed breakdown of your Content-Security-Policy directives. You get a complete picture from a single scan.

Analysis Coverage

Security Headers

15+ HTTP response headers evaluated and graded

TLS/SSL

Certificate validity, protocol version, and cipher strength

DNS Security

DNSSEC, CAA records, and zone configuration

Cookie Audit

Secure, HttpOnly, SameSite flags on all cookies

CSP Deep Dive

Directive analysis, unsafe sources, and policy quality

Actionable recommendations with priority

The scanner does not just list problems. Every finding comes with a clear explanation of the risk, a severity level, and step-by-step instructions for how to fix it. Recommendations are sorted by impact so you know which changes will improve your score the most. Whether you are on Apache, Nginx, or a CDN, the fix guidance adapts to your setup.

Recommended Fixes

Add Content-Security-Policy

Define allowed content sources to reduce the risk of XSS attacks.

Enable HSTS preload

Submit your domain to the HSTS preload list for maximum protection.

Set SameSite on cookies

Add the SameSite attribute to help prevent cross-site request forgery.

How it works

01. Enter your website URL

Paste any publicly accessible URL. No account or signup required.

02. Review your security score and findings

See your overall grade, individual header results, and a full breakdown of TLS, DNS, and cookie security.

03. Follow prioritized recommendations to improve

Each finding includes severity, impact, and clear instructions to fix the issue.

Frequently asked questions

Is this security headers checker really free?

Yes. You can scan any website as many times as you need without creating an account or entering payment details. Free scans include the full security headers analysis, TLS check, DNS evaluation, cookie audit, and CSP deep dive. There are no daily limits on free scans. Premium features like PDF report export, daily monitoring, and API access are available on paid plans, but the core scanner is completely free.

What security headers does this tool check?

The scanner evaluates over 15 HTTP security headers including Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Resource-Policy (CORP), Cache-Control, and more. Each header is graded individually based on whether it is present and how well it is configured.

How is the security score calculated?

Your score reflects multiple dimensions of your website's security posture. It accounts for which security headers are present, the quality of their configuration, your TLS/SSL setup, DNS security records, and cookie security attributes. Headers that protect against critical vulnerabilities carry more weight. The score is designed to give a practical, actionable summary rather than a pass/fail verdict, so you can prioritize the most impactful improvements first.

Can I scan internal or authenticated pages?

The web scanner checks publicly accessible URLs, so it cannot reach pages behind a login or on a private network. For internal or authenticated pages, you can use the SiteSecurityScore Chrome extension, which runs the analysis directly in your browser session. This means it can scan pages you are already logged into, internal tools, staging environments, and localhost applications.

Check your security headers now

Free, instant results. Enter any URL and see your security score in seconds.
