Website Security Scanner

Analyze any public URL for HTTP security headers, HTTPS enforcement, and information leakage. Results are fetched server-side: the target site is contacted once.

Only public URLs are allowed. Private IPs and local hostnames are blocked.

Why HTTP security headers matter

HTTP security headers are a first line of defence against common web attacks including Cross-Site Scripting (XSS), clickjacking, MIME type confusion, and SSL stripping. They are server-sent HTTP response headers that instruct browsers how to behave when handling your site's content.

This scanner fetches the HTTP response from your target URL server-side and analyses the headers present, producing a security score and letter grade. Each missing header comes with a plain-English explanation of the risk and a recommended value you can copy directly into your server configuration.

Step-by-step guide

  1. 1
    Enter a URL
    Type or paste the full URL of the website you want to scan, including https:// or http://. Only public URLs are supported.
  2. 2
    Click Scan
    The tool makes a server-side HTTP request to the target URL and retrieves the response headers. The target site is contacted once.
  3. 3
    Review the security score
    A score from 0–100 and a letter grade (A+ to F) are calculated based on which security headers are present and whether HTTPS is enforced.
  4. 4
    Check individual headers
    Each security header is listed with a pass/fail indicator, point value, description of what it does, and a recommendation if missing.
  5. 5
    Address information leakage
    The Information Leakage section shows headers that expose server or framework version information, which should be removed in production.

Related Tools

Frequently Asked Questions

What headers are checked?
The scanner checks for Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy.
What is the scoring methodology?
Each security header has a point value based on its importance. Points are awarded for each present header and deducted if the site does not use HTTPS. The final score is expressed as a percentage with letter grades from A+ (90+) to F (below 50).
Why can I only scan public URLs?
The scanner makes a real HTTP request to the target URL. Private IP addresses, localhost, and local hostnames are blocked to prevent server-side request forgery (SSRF) attacks.
What is Content-Security-Policy and why is it important?
Content-Security-Policy (CSP) is the most powerful security header. It tells browsers which sources are allowed for scripts, styles, images, and other resources, preventing Cross-Site Scripting (XSS) attacks by blocking unauthorised script execution.
What does Strict-Transport-Security do?
HSTS tells browsers to always use HTTPS when connecting to your site for a specified period (max-age). This prevents SSL stripping attacks where an attacker downgrades the connection to unencrypted HTTP.
What is information leakage and why does it matter?
Headers like Server: Apache/2.4.41 or X-Powered-By: PHP/8.1 expose your technology stack to attackers. This information helps attackers target known vulnerabilities in specific software versions.
My site scored low. Where do I start?
Start with HTTPS enforcement and HSTS if not present: these protect against the most common attacks. Then add X-Content-Type-Options: nosniff and X-Frame-Options: DENY, which are easy one-liners. CSP requires more planning but provides the strongest protection.
How do I add security headers to my site?
The method depends on your stack. For Nginx: add_header directives. For Apache: Header always set in .htaccess or server config. For Next.js: use the headers() function in next.config.js. For Express: use the Helmet middleware.
Does the scanner test SSL/TLS configuration?
The scanner verifies whether the site responds over HTTPS and includes this in the score, but it does not perform a deep TLS audit (cipher suites, certificate validity, etc.). Use dedicated TLS testing tools like SSL Labs for comprehensive TLS analysis.

AlteredIdea vs alternatives

vs server-side tools: Everything runs in your browser: your data never leaves your device.

vs command-line tools: No setup needed. Works instantly in any browser.

vs paid tools: Completely free, no account required.