Missing security headers are low-hanging fruit for attackers — and regulators. Fix them in minutes.
S01
All pages must be served over HTTPS. HTTP-only pages expose visitor data in transit.
S02
HSTS instructs browsers to only use HTTPS. Without it, users are vulnerable to protocol downgrade attacks.
S03
Prevents MIME-type sniffing attacks. Should be set to "nosniff" on all responses.
S04
The most powerful XSS mitigation header. Controls which resources browsers are allowed to load.
S05
Prevents your site from being embedded in iframes — blocking clickjacking attacks.
S06
Controls how much URL information is sent when visitors navigate away. Prevents sensitive URL leakage.
S07
Open directory indexes expose your file structure to anyone. We check for this common misconfiguration.
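The checks above can be scripted against a single response. The sketch below is an added example, not this service's own code: the mapping of S02 to S06 onto the standard `Strict-Transport-Security`, `X-Content-Type-Options`, `Content-Security-Policy`, `X-Frame-Options` and `Referrer-Policy` headers is an assumption, as are the function names and sample responses. It goes slightly beyond the list by accepting the CSP `frame-ancestors` directive for S05 and by using a page-title heuristic for S07.

```python
import re

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit_response(url, headers, body=""):
    """Return the sorted IDs (S01-S07) of the checks this response fails."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    failed = set()
    if not url.lower().startswith("https://"):
        failed.add("S01")
    # S02: max-age=0 tells the browser to drop the policy, so it counts as missing.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        failed.add("S02")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        failed.add("S03")
    # S04: only the enforcing header counts; the -Report-Only variant blocks nothing.
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        failed.add("S04")
    # S05: X-Frame-Options or the CSP frame-ancestors directive restricts framing.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        failed.add("S05")
    # S06: the last listed policy the browser recognises wins; unsafe-url leaks full URLs.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",") if p.strip()]
    if not policies or policies[-1] == "unsafe-url":
        failed.add("S06")
    # S07 (heuristic): Apache and nginx autoindex pages are titled "Index of /...".
    if re.search(r"<title>\s*Index of /", body, re.I):
        failed.add("S07")
    return sorted(failed)

# Constructed sample responses, not captured from any real site.
WEAK = ("http://example.test/files/", {"Server": "nginx"},
        "<html><head><title>Index of /files/</title></head></html>")
HARDENED = ("https://example.test/", {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}, "<html><head><title>Home</title></head></html>")
```

`audit_response(*WEAK)` reports all seven IDs and `audit_response(*HARDENED)` reports none; a presence check like this does not judge whether a CSP's source lists are themselves too permissive.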