Free website security scanner
Check 10 security headers and settings that protect your visitors. No signup required, results in under 60 seconds.
423,000+ checks run and counting
What we check
Missing security headers leave sites open to attacks. Most fixes take just a few minutes to add through your server or CDN. But you need to know what is missing first. A quick scan tells you where to start.
Browsers check for these headers every time a page loads. When they are missing, the browser falls back to weaker rules. That gives bad actors more room to act. Adding the right headers is one of the fastest ways to keep your site safe.
- HTTPS Enabled: Checks if the site loads over HTTPS. Sites on HTTP show a 'Not Secure' tag in the browser. That warning turns visitors away.
- Strict Transport Security (HSTS): Looks for a header that forces safe links. Without it, browsers may try the old HTTP path first.
- SSL Certificate Valid: Checks if the SSL cert is current. An expired cert shows a big browser warning that blocks visitors from your site.
- Mixed content: Flags files loaded over HTTP on HTTPS pages. This breaks the lock icon in the browser and lowers trust.
- CSP: Looks for a header that limits where scripts can load from. This blocks most script attacks on your pages.
- Clickjacking: Checks if your site blocks framing by other sites. This stops bad actors from hiding your page inside a fake one.
- MIME sniffing: Looks for the nosniff header. Without it, browsers may treat files as the wrong type and run unsafe code.
- Referrer policy: Checks for a header that limits what URL data gets shared with other sites. This keeps user paths more private.
- COOP: Looks for a header that keeps your window safe from scripts on other sites. A small setting with a big impact.
- Permissions policy: Checks for a header that limits which browser tools your site can use. This cuts the ways bad actors can attack.
These 10 checks cover the security headers and settings that every public website should have. Most can be added in a few lines of server config. Run a scan to find what you're missing and get fix steps for each one.
You do not need to be a security expert to fix these issues. Each finding tells you which header to add and what it does. If you use a CDN like Cloudflare, many headers can be set with a toggle.
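As an added illustration (not SiteCurl's code), the header-based checks listed above can be expressed as a small offline audit over a response's headers. The function names, the finding wording and the sample headers are assumptions made for this example; certificate validity and mixed content need a live connection and the page HTML, so they are not covered here.

```python
import re

def audit_headers(url, headers):
    """Return {check name: finding text, or None when the check passes}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}

    https = url.lower().startswith("https://")
    findings["HTTPS"] = None if https else "page not served over HTTPS"

    # HSTS only counts with a positive max-age; max-age=0 tells the browser to drop the policy.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    hsts_ok = bool(m) and int(m.group(1)) > 0
    findings["HSTS"] = None if hsts_ok else "HSTS header missing or max-age is 0"

    csp = h.get("content-security-policy", "")
    findings["CSP"] = None if csp else "No Content Security Policy header found"

    # Framing can be restricted by X-Frame-Options or by the CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    directives = [d.strip().lower() for d in csp.split(";")]
    framing_ok = xfo in ("DENY", "SAMEORIGIN") or any(
        d.startswith("frame-ancestors ") for d in directives)
    findings["Clickjacking"] = None if framing_ok else "no framing restriction found"

    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    findings["MIME sniffing"] = None if nosniff else "X-Content-Type-Options is not nosniff"

    for name, header in (("Referrer policy", "referrer-policy"),
                         ("COOP", "cross-origin-opener-policy"),
                         ("Permissions policy", "permissions-policy")):
        findings[name] = None if h.get(header) else f"{header} header missing"
    return findings

def failed_checks(url, headers):
    """Sorted names of the checks that produced a finding."""
    return sorted(k for k, v in audit_headers(url, headers).items() if v)

# Constructed sample response headers (not taken from a real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=0",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for check, finding in audit_headers("https://example.test/", SAMPLE).items():
        print(f"{check:20} {'ok' if finding is None else 'FAIL: ' + finding}")
```

The sample shows two cases a simple presence test misses: an HSTS header with `max-age=0` still fails, and a CSP `frame-ancestors` directive satisfies the framing check without `X-Frame-Options`.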
What to fix first
- HTTPS Enabled: Checks if the site loads over HTTPS. Sites on HTTP show a 'Not Secure' tag in the browser. That warning turns visitors away.
- Strict Transport Security (HSTS): Looks for a header that forces safe links. Without it, browsers may try the old HTTP path first.
- SSL Certificate Valid: Checks if the SSL cert is current. An expired cert shows a big browser warning that blocks visitors from your site.
How to use this audit
- Run the scan and identify which warnings appear across several pages, not just one template.
- Fix the problems that affect visibility, trust, or conversion first, then move on to polish items.
- Re-scan after each batch of changes so you can confirm the issue count actually drops.
Why this matters in the full scan
This category is most useful when you review it alongside the other six. A site can look good in one area and still lose traffic or trust because another area is weak. SiteCurl keeps these checks together so teams can work from one prioritized report instead of juggling separate tools.
Example findings from a scan
- No Content Security Policy header found
- HSTS header missing on main domain
- Mixed content: 2 images loaded over HTTP
Frequently asked questions
What security checks does SiteCurl run?
SiteCurl checks HTTPS, HSTS, SSL certs, mixed content, CSP, clickjacking, MIME sniffing, referrer policy, COOP, and permissions policy. Ten checks in total.
Does SiteCurl find malware or vulnerabilities?
No. SiteCurl checks HTTP security headers and settings. It does not scan for malware, SQL injection, or app-level flaws.
How do I fix a missing security header?
Most headers can be added through your web server or CDN. Each finding in SiteCurl includes a tip with the header name and what value to set.
Can I scan more than one page?
The free audit checks your home page. With a paid plan, you can scan up to 100 pages and get email alerts when security issues appear.
Why do security headers matter for SEO?
Search engines favor sites that use HTTPS and have good security practices. Missing headers can also hurt user trust, which leads to higher bounce rates.
How often should I check my security headers?
Monthly is a good start. Server updates and config changes can remove headers. Set up a weekly scan to catch changes early.