Public signal checker

Security Header Checker

This checker looks at response headers from the public homepage and explains which common browser-side safeguards are visible.

The check uses public live signals and does not make a security, malware, fraud or legal verdict.

Run a public signal check

  • HTTP
  • DNS
  • TLS
  • RDAP
  • Archive

Paths, query strings and fragments are removed before analysis. Only public http and https hosts are accepted.

What this checker analyzes

  • Strict-Transport-Security, Content-Security-Policy and X-Content-Type-Options.
  • Referrer-Policy, Permissions-Policy and X-Frame-Options.
  • Header values are shown as technical evidence when available.

Why it matters

  • Security headers can reduce common browser-side risks and clarify allowed resource behavior.
  • They are especially useful for login areas, SaaS products, shops and forms.

What the results mean

  • Present means the public response included that header.
  • Missing means the header was not visible on the checked response.
  • Review needed is not a verdict; it means the header strategy deserves context.
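The following is an added example (not the checker's own code) of the two steps described above: the target is reduced to scheme and host as the form does, and each of the six headers is classified as Present, Missing or Review needed. The page does not publish its rules for "Review needed", so the heuristics in `_needs_review` are assumptions, and the response headers are constructed rather than captured from a real site.

```python
from urllib.parse import urlsplit

# The six headers this page says the checker looks for.
CHECKED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
    "X-Frame-Options",
)

def normalize_target(url):
    """Keep only scheme and host (path, query, fragment dropped); reject non-http(s)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"only public http/https hosts are accepted: {url!r}")
    return f"{parts.scheme}://{parts.netloc}/"

def _needs_review(name, value):
    """Assumed heuristics for 'Review needed'; the page does not define its own rules."""
    v = value.lower()
    if name == "Strict-Transport-Security":  # flag a max-age under one year, or none
        for directive in v.split(";"):
            key, _, num = directive.strip().partition("=")
            if key == "max-age" and num.isdigit():
                return int(num) < 31536000
        return True
    if name == "Content-Security-Policy":  # inline/eval allowances weaken the policy
        return "'unsafe-inline'" in v or "'unsafe-eval'" in v
    return False

def classify_headers(headers):
    """Map each checked header to (status, raw value); names match case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name in CHECKED_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            report[name] = ("Missing", None)
        else:
            report[name] = ("Review needed" if _needs_review(name, value) else "Present", value)
    return report

# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

For a live check, `headers` would come from the response to a request for `normalize_target(url)`; the raw value is kept alongside the status so it can be shown as evidence.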

Limits of this check

  • The checker does not test whether a policy is correct for every route.
  • A header can exist on one page and not another.
  • This is not a penetration test or security guarantee.

What should also be reviewed manually?

Review notable values in the context of the actual website, its subpages and connected services. A homepage check cannot prove the complete configuration, legal position or security posture.

FAQ

Is a missing CSP always a problem?

No. CSP rollout depends on the application, but it is often worth planning for sites with scripts, forms or accounts.