Enter an address — we fetch it once and show which HTTP security headers are set (HSTS, CSP, X-Frame-Options and more) and how your TLS certificate is doing. With a security score and concrete pointers.
The HTTP response headers of your homepage for the key security features (HSTS, Content-Security-Policy, X-Content-Type-Options, clickjacking protection, Referrer and Permissions Policy) plus the TLS certificate (validity, days remaining).
The higher, the better — 100 means all checked headers are set. HSTS and a Content-Security-Policy matter most; they carry the highest weight. Missing “low” headers aren't a disaster, but quick to add.
A CSP is the most involved header because it has to match your site — set wrong, it blocks your own scripts. That's why it's often missing. We set it up precisely as part of maintenance.
No. We fetch the entered URL once, server-side (like a browser), and show you the result. Nothing is logged or stored.
Yes. Only publicly reachable addresses are fetched — exactly like a normal website visit. Internal or private targets (localhost, 192.168.x.x, cloud metadata) are blocked server-side.