Website Security Scanner
Analyze any public URL for HTTP security headers, HTTPS enforcement, and information leakage. Results are fetched server-side: the target site is contacted once.
Only public URLs are allowed. Private IPs and local hostnames are blocked.
Why HTTP security headers matter
HTTP security headers are a first line of defence against common web attacks including Cross-Site Scripting (XSS), clickjacking, MIME type confusion, and SSL stripping. They are server-sent HTTP response headers that instruct browsers how to behave when handling your site's content.
This scanner fetches the HTTP response from your target URL server-side and analyses the headers present, producing a security score and letter grade. Each missing header comes with a plain-English explanation of the risk and a recommended value you can copy directly into your server configuration.
Step-by-step guide
- 1Enter a URL
Type or paste the full URL of the website you want to scan, including https:// or http://. Only public URLs are supported. - 2Click Scan
The tool makes a server-side HTTP request to the target URL and retrieves the response headers. The target site is contacted once. - 3Review the security score
A score from 0–100 and a letter grade (A+ to F) are calculated based on which security headers are present and whether HTTPS is enforced. - 4Check individual headers
Each security header is listed with a pass/fail indicator, point value, description of what it does, and a recommendation if missing. - 5Address information leakage
The Information Leakage section shows headers that expose server or framework version information, which should be removed in production.
Related Tools
Hash Generator
Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. All hashes shown simultaneously with one-click copy.
HMAC Generator
Generate HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication codes with a secret key.
Password Strength
Analyze password entropy, character composition, and estimated crack time across different attack scenarios.
AES Encrypt / Decrypt
Encrypt and decrypt text with AES-256-GCM. Password-derived key via PBKDF2. Output includes salt and IV: fully self-contained.
Frequently Asked Questions
- What headers are checked?
- The scanner checks for Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy.
- What is the scoring methodology?
- Each security header has a point value based on its importance. Points are awarded for each present header and deducted if the site does not use HTTPS. The final score is expressed as a percentage with letter grades from A+ (90+) to F (below 50).
- Why can I only scan public URLs?
- The scanner makes a real HTTP request to the target URL. Private IP addresses, localhost, and local hostnames are blocked to prevent server-side request forgery (SSRF) attacks.
- What is Content-Security-Policy and why is it important?
- Content-Security-Policy (CSP) is the most powerful security header. It tells browsers which sources are allowed for scripts, styles, images, and other resources, preventing Cross-Site Scripting (XSS) attacks by blocking unauthorised script execution.
- What does Strict-Transport-Security do?
- HSTS tells browsers to always use HTTPS when connecting to your site for a specified period (max-age). This prevents SSL stripping attacks where an attacker downgrades the connection to unencrypted HTTP.
- What is information leakage and why does it matter?
- Headers like Server: Apache/2.4.41 or X-Powered-By: PHP/8.1 expose your technology stack to attackers. This information helps attackers target known vulnerabilities in specific software versions.
- My site scored low. Where do I start?
- Start with HTTPS enforcement and HSTS if not present: these protect against the most common attacks. Then add X-Content-Type-Options: nosniff and X-Frame-Options: DENY, which are easy one-liners. CSP requires more planning but provides the strongest protection.
- How do I add security headers to my site?
- The method depends on your stack. For Nginx: add_header directives. For Apache: Header always set in .htaccess or server config. For Next.js: use the headers() function in next.config.js. For Express: use the Helmet middleware.
- Does the scanner test SSL/TLS configuration?
- The scanner verifies whether the site responds over HTTPS and includes this in the score, but it does not perform a deep TLS audit (cipher suites, certificate validity, etc.). Use dedicated TLS testing tools like SSL Labs for comprehensive TLS analysis.
AlteredIdea vs alternatives
vs server-side tools: Everything runs in your browser: your data never leaves your device.
vs command-line tools: No setup needed. Works instantly in any browser.
vs paid tools: Completely free, no account required.