Security Headers Checker
See exactly which security headers your site sends — and which it's missing. Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, Permissions-Policy, COOP/COEP/CORP — all in one check.
- ✓ Strict-Transport-Security (HSTS) — max-age, includeSubDomains, preload eligibility
- ✓ Content-Security-Policy — unsafe-inline, unsafe-eval, wildcard sources, missing directives
- ✓ X-Frame-Options / frame-ancestors — clickjacking defence
- ✓ X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- ✓ Cross-Origin headers: COOP, COEP, CORP (Spectre isolation)
About this check
HTTP security headers are the cheapest defence-in-depth layer you can ship. They cost nothing at runtime, they're configured once in your reverse proxy or framework, and they neutralize entire vulnerability classes — clickjacking, MIME-sniffing attacks, mixed-content downgrades, cross-origin leaks. Despite this, the majority of sites we scan are missing at least three critical headers.
Our checker fetches your homepage with a single HTTPS request and inspects every response header. We grade each header on what it actually does, not just on whether it is present: an HSTS header with `max-age=0` is worse than none at all (it tells the browser to delete its stored HTTPS pin for the host); a Content-Security-Policy whose script sources are `'unsafe-inline' 'unsafe-eval' *` provides no protection against XSS, since it allows inline scripts, `eval`, and any external origin; an `X-Frame-Options: ALLOW-FROM` value is silently ignored by modern browsers (only `DENY` and `SAMEORIGIN` work), so a per-origin framing allow-list belongs in the CSP `frame-ancestors` directive instead.
Common quick wins: add `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` and submit to hstspreload.org; add `X-Content-Type-Options: nosniff` (literally one line); set `Referrer-Policy: strict-origin-when-cross-origin` to stop leaking full URLs to third-party assets; add a baseline `Content-Security-Policy` even if you start with `script-src 'self' 'unsafe-inline'` and tighten over time. For modern frameworks (Next.js, Nuxt, SvelteKit) most of this is a `next.config.js` / equivalent edit.
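As an added example (not the SteelSuit checker's own code), here is a small Python grader that applies the rules described in the two paragraphs above to a dictionary of response headers: HSTS `max-age=0` fails, `includeSubDomains` + `preload` + a one-year `max-age` is the preload-eligible bar, `script-src` (or its `default-src` fallback) is checked for `'unsafe-inline'`, `'unsafe-eval'` and `*`, `ALLOW-FROM` is treated as ignored, and `nosniff` and `Referrer-Policy` are checked for presence. The header values used to exercise it are constructed samples.

```python
import re

def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) parsed from an HSTS header value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [int(d[8:]) for d in directives if re.fullmatch(r"max-age=\d+", d)]
    return (ages[0] if ages else None), "includesubdomains" in directives, "preload" in directives

def csp_directive(value, name):
    """Return the source list of one CSP directive, or None if the directive is absent."""
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None

def grade_headers(headers):
    """Grade a dict of response headers (names case-insensitive) using the rules above."""
    h = {k.lower(): v for k, v in headers.items()}
    out = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out["hsts"] = "missing"
    else:
        max_age, subs, preload = parse_hsts(hsts)
        if not max_age:  # max-age=0 clears the browser's HSTS entry; no max-age makes it invalid
            out["hsts"] = "fail: max-age=0 or absent, no HTTPS pin"
        elif max_age < 31536000 or not (subs and preload):  # hstspreload.org requirements
            out["hsts"] = "weak: not preload-eligible"
        else:
            out["hsts"] = "ok"
    csp = h.get("content-security-policy")
    if csp is None:
        out["csp"] = "missing"
    else:
        scripts = csp_directive(csp, "script-src")
        if scripts is None:  # script-src falls back to default-src
            scripts = csp_directive(csp, "default-src") or []
        bad = {"'unsafe-inline'", "'unsafe-eval'", "*"} & set(scripts)
        out["csp"] = "weak: " + " ".join(sorted(bad)) if bad else "ok"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN") or (csp and csp_directive(csp, "frame-ancestors")):
        out["framing"] = "ok"
    elif xfo.startswith("ALLOW-FROM"):  # only DENY and SAMEORIGIN are honoured
        out["framing"] = "fail: ALLOW-FROM is ignored by modern browsers"
    else:
        out["framing"] = "missing"
    out["nosniff"] = "ok" if h.get("x-content-type-options", "").lower() == "nosniff" else "missing"
    out["referrer"] = "ok" if "referrer-policy" in h else "missing"
    return out
```

Feed it the headers from any HTTP client (for example `dict(requests.get(url).headers)`) to grade a live response the same way.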
If you deploy behind Cloudflare, Vercel or Netlify, headers are often configured at the edge — check that your origin and edge agree. We've seen sites where the framework sends a great CSP and the CDN strips it. Run a full SteelSuit scan to also get CORS validation, mixed-content detection, cookie security flags and CSP source-list evaluation against your loaded assets.