Security Headers Checker
Missing HTTP security headers are the most commonly overlooked web-server hardening step — and they're free to fix. Enter your URL to check HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, get a letter grade (A+ to F) and a prioritised plain-English fix list.
Header breakdown
Prioritised fixes
Excellent — all key security headers are configured correctly. Keep them in place as you deploy new features.
Use — Guide
How to use this tool
- Enter your website URL — for example, https://yourbusiness.com.au — and press "Check my headers".
- The tool fetches your site's HTTP response headers via our server-side proxy; results appear within seconds.
- Read your letter grade (A+ to F) and score out of 100 at the top of the results.
- Review the header breakdown: a Good, Warn or Missing badge for each header including HSTS, CSP, X-Frame-Options and Referrer-Policy.
- Work through the prioritised fixes list — each recommendation tells you exactly which header to add or correct on your web server.
- Send your result to Peritus Digital via the contact form if you'd like help implementing the fixes.
FAQ — Questions
Frequently asked questions
01What are HTTP security headers?
Security headers are HTTP response headers that instruct browsers how to behave when handling your site's content. They are your first line of defence against common web attacks — Cross-Site Scripting (XSS), clickjacking, MIME-type confusion and information leakage. Setting them correctly is a low-effort, high-impact hardening step that every web server should have.
02What is CSP (Content-Security-Policy) and why does it matter?
Content-Security-Policy tells the browser which sources it is allowed to load scripts, styles, images and other resources from. A properly configured CSP blocks the most common XSS attacks at the browser level — even if an attacker injects malicious code, the browser refuses to execute it. Weak policies that include "unsafe-inline" or wildcard (*) sources significantly reduce this protection.
03What is HSTS (Strict-Transport-Security) and why does it matter?
HTTP Strict Transport Security (HSTS) tells browsers to only connect to your site over HTTPS, even if a user types "http://" or clicks a plain-HTTP link. Without it, a network attacker can intercept the first HTTP request and hijack the session before a redirect to HTTPS occurs. A max-age of at least one year (31536000 seconds), plus includeSubDomains, is the recommended baseline.
04Do I need all of these headers?
Yes — each header addresses a different attack vector, and missing any one of them leaves a gap. That said, CSP and HSTS have the most impact. Start with X-Content-Type-Options (the easiest — one line) and HSTS, then work through CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy. The prioritised fixes list below your result tells you exactly what to tackle first.
05Is my website data stored or logged?
No. We fetch your URL's response headers server-side and immediately return the result — nothing is stored, logged or retained. We do not crawl your site or read your content; we only inspect the headers that your web server sends in its HTTP response.
More — Keep exploring
Related free tools
Want hands-on help, not just a check? Explore ourCyber Security service.
Close these security gaps
These gaps leave you exposed — let's close them.
Our Newcastle team implements the fixes identified above — configuring your web server's security headers correctly the first time, closing each gap from the list above, and setting up monitoring so they don't drift. Most headers can be added in hours, not weeks. Send your result through and we'll come back with clear next steps.
Prefer to talk? Call 02 4081 9500.
