Tools

Security headers checker

Grade a site's HTTP security headers, from HSTS to Content-Security-Policy.

Enter a URL and we read its response headers and grade it against the security headers that harden a visitor's browser session, showing which are present and which are missing.

What this checks

  • Strict-Transport-Security (HSTS), which forces browsers to stay on HTTPS.
  • Content-Security-Policy, which limits what can run on the page to curb cross-site scripting.
  • X-Frame-Options and X-Content-Type-Options, which block clickjacking and MIME sniffing.
  • Referrer-Policy and Permissions-Policy, which control what the page leaks and what it can use.

Why it matters

Security headers are defence in depth. None of them fixes a bug on their own, but together they shut down whole classes of attack: clickjacking, protocol downgrade, content-type confusion, and script injection. They are cheap to add and easy to forget, which is why so many sites are missing them. A missing header is not an outage, so this check stays advisory, but closing the gaps is low-effort, high-value hardening.

Frequently asked questions

Can't find your answer? Get in touch.

This is a one-time snapshot.

Ranetrace runs this check around the clock and tells you the moment something changes, so you hear about a problem before your visitors do. Monitoring for Laravel and PHP apps, from the outside and the inside.