Pinglyra
Free tool

Check a website's HTTP security headers

See which HTTP security headers a site sends and which are missing, then get a full free website scan with an explainable risk score.

Passive, read-only check. Private & internal addresses are blocked.
Quick answer

What does a security headers checker do?

A security headers checker reads the HTTP response headers a website returns and reports which protective headers — such as HSTS, Content-Security-Policy, X-Frame-Options and X-Content-Type-Options — are present or missing. SiteGuard Monitor's checker shows your headers alongside SSL, DNS, email security and uptime in one explainable 0-100 risk score.

Missing HTTP security headers leave sites open to clickjacking, content sniffing and downgrade attacks — yet they're invisible in a browser. This free security headers checker shows exactly which protective headers a site sends and which gaps are worth closing.

Why security headers get overlooked

Headers don't change how a site looks, so they're easy to forget — especially after a redesign or platform migration. The result is sites that work fine but quietly miss protections against framing, MIME sniffing and protocol downgrade.

  • No HSTS leaves users exposed to HTTPS downgrade
  • A missing X-Frame-Options or CSP frame-ancestors allows clickjacking
  • No X-Content-Type-Options permits MIME-type sniffing

Headers this tool checks

  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • X-Frame-Options and frame-ancestors
  • X-Content-Type-Options and Referrer-Policy

Headers as part of the full risk score

Header coverage is one input into the bigger picture. This tool runs a complete free scan, so the headers appear next to the SSL certificate, DNS records, SPF and DMARC, and uptime — combined into one 0-100 risk score that shows where to focus first.

Keep headers in place after every deploy

Deployments and config changes silently drop headers all the time. Add a domain to SiteGuard Monitor and header coverage is tracked, so a regression triggers an alert and shows up in your branded monthly report.

  • Ongoing monitoring of security-header coverage
  • Alerts when protective headers disappear
  • Header status included in client reports

Passive, read-only inspection

Checking headers means reading a normal HTTP response — nothing more. SiteGuard performs no payload injection, fuzzing or aggressive scanning; it simply records the headers your server already returns.

Frequently asked questions

Is this security headers checker free?
Yes. You can check any site's HTTP security headers for free with no account. A free SiteGuard account adds continuous monitoring and alerts when headers change.
Which security headers should every site have?
At minimum, Strict-Transport-Security, a Content-Security-Policy, X-Content-Type-Options and protection against framing via X-Frame-Options or CSP frame-ancestors. The right CSP depends on the site, but the others apply broadly.
Will missing headers hurt my SEO or trust?
Missing headers mainly affect security rather than rankings, but they leave visitors exposed to attacks like clickjacking and downgrade. For client sites, demonstrating proper headers is a clear, professional trust signal.
Does this checker test for vulnerabilities?
No. It reads the HTTP response headers your server returns — it doesn't probe, inject payloads or run intrusive vulnerability tests. It's a passive, read-only check.
Why did my headers disappear after a deploy?
Headers are often set in server or proxy config that gets overwritten during deployments or platform changes. Continuous monitoring is the reliable way to catch these silent regressions.
Can SiteGuard alert me if a header is removed?
Yes. Add the domain to monitoring and a dropped or weakened security header triggers an email and Discord alert and appears in your monthly client report.

More free checks

Security headers monitoring →SSL expiry checker →Website risk score checker →HTTP status checker →Free website scan →Features →

Turn this one-off check into 24/7 monitoring

Get alerted the moment something changes — and send your clients branded monthly reports automatically.

Start monitoring free For agencies