Website Security Scanner

Scan any website for security headers and vulnerabilities

6 Security Headers

HSTS, CSP, X-Frame-Options, and more

A-F Security Grade

Clear score with recommendations

Only headers are checked – no page content accessed

How to Use

  1. Enter the website URL you want to scan
  2. Click "Scan Website" to analyze security headers
  3. View your security grade (A+ to F) and individual header results
  4. Expand "How to Fix" for ready-to-use code snippets
  5. Implement the recommended headers on your server

What You Get

Free security headers scanner that checks HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Provides a security grade and fix code for nginx, Apache, Express, and Cloudflare.

Input: https://example.com

Output: Security grade B+ with 6 header checks and fix recommendations

Input: Your company website URL

Output: Detailed report showing missing headers and how to add them

Input: Competitor website scan

Output: Compare security posture and identify improvements

How do I check if my website has security headers?

Enter your website URL in the scanner above and click "Scan Website". The tool will check for essential security headers like HSTS, CSP, X-Frame-Options, and more. You'll get a grade (A+ to F) and see exactly which headers are present or missing.

What security headers should every website have?

Every website should have: Strict-Transport-Security (HSTS) to force HTTPS, Content-Security-Policy (CSP) to prevent XSS attacks, X-Frame-Options to block clickjacking, X-Content-Type-Options set to "nosniff", Referrer-Policy to control referrer leakage, and Permissions-Policy to restrict browser features.
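The six-header check described in the two answers above, as an added offline example that is not the scanner's own code: it takes response headers already captured as a dict (for instance from a HEAD request), validates each header's value rather than only its presence, and assigns a grade. The grading thresholds and the list of acceptable Referrer-Policy values are this example's assumptions.

```python
import re
# Referrer-Policy values that do not leak the full URL cross-origin (assumed safe set).
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # the max-age used in the page's HSTS example

def _hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "missing max-age"
    return None if int(m.group(1)) >= ONE_YEAR else "max-age shorter than one year"

def _csp(v):
    names = {d.split()[0].lower() for d in v.split(";") if d.strip()}
    if "default-src" not in names:
        return "no default-src fallback"
    return "allows 'unsafe-inline'" if "'unsafe-inline'" in v else None

def _xfo(v):
    return None if v.strip().upper() in {"DENY", "SAMEORIGIN"} else "expected DENY or SAMEORIGIN"
def _nosniff(v):
    return None if v.strip().lower() == "nosniff" else "expected nosniff"
def _referrer(v):
    return None if v.strip().lower() in SAFE_REFERRER else "leaks referrer cross-origin"

# Header name -> checker returning an issue string, or None when acceptable.
CHECKS = {"strict-transport-security": _hsts, "content-security-policy": _csp,
          "x-frame-options": _xfo, "x-content-type-options": _nosniff,
          "referrer-policy": _referrer,
          "permissions-policy": lambda v: None if v.strip() else "empty policy"}
# Grade by number of passing headers; the thresholds are this example's assumption.
GRADES = {6: "A+", 5: "A", 4: "B", 3: "C", 2: "D"}

def scan_headers(headers):
    """Return (grade, findings) for a dict of response headers, names case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, check in CHECKS.items():
        findings[name] = "missing" if name not in lower else (check(lower[name]) or "ok")
    passed = sum(1 for r in findings.values() if r == "ok")
    return GRADES.get(passed, "F"), findings

# Constructed sample response headers (Permissions-Policy deliberately absent).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
```

Running `scan_headers(SAMPLE_HEADERS)` grades the sample C: three headers pass, the CSP is flagged for 'unsafe-inline', the Referrer-Policy for leaking, and Permissions-Policy as missing.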

How do I add security headers to my website?

The method depends on your server: For nginx, add "add_header" directives to your server block. For Apache, use "Header set" in .htaccess. For Node.js/Express, use the helmet middleware. For Cloudflare, use Workers or Page Rules. Use our "How to Fix" section for ready-to-copy code.

What is HSTS and why is it important?

HTTP Strict Transport Security (HSTS) tells browsers to only connect to your site via HTTPS. This prevents downgrade attacks where an attacker forces HTTP connections to intercept traffic. Add the header: Strict-Transport-Security: max-age=31536000; includeSubDomains

What is Content-Security-Policy (CSP)?

CSP is a security header that controls which resources (scripts, styles, images) can load on your page. It prevents cross-site scripting (XSS) attacks by blocking inline scripts and unauthorized external resources. Start with a basic policy like: Content-Security-Policy: default-src 'self'

Why is my website showing X-Powered-By header?

The X-Powered-By header reveals your server technology (e.g., "Express", "PHP/7.4"). This helps attackers target known vulnerabilities. Remove it: In Express, use helmet() or app.disable('x-powered-by'). In PHP, set expose_php = Off in php.ini. In nginx, this header shouldn't appear by default.

Is this website security scanner free?

Yes, 100% free with no limits. Scan unlimited websites, see all security headers, and get fix recommendations for nginx, Apache, Express, and Cloudflare. No signup required, no watermarks.

Does scanning my website expose any data?

No. We only make a HEAD request to fetch response headers. No page content, forms, or user data is accessed. Your URL is not stored or logged. All analysis happens securely on our servers with the results displayed only to you.

We only fetch HTTP headers via a HEAD request. No page content or user data is accessed.