Security Headers Checker

Missing HTTP security headers are the most commonly overlooked web-server hardening step — and they're free to fix. Enter your URL to check HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, get a letter grade (A+ to F) and a prioritised plain-English fix list.


Enter your site URL — e.g. https://yourbusiness.com.au or just yourbusiness.com.au.


Use — Guide

How to use this tool

  1. Enter your website URL — for example, https://yourbusiness.com.au — and press "Check my headers".
  2. The tool fetches your site's HTTP response headers via our server-side proxy; results appear within seconds.
  3. Read your letter grade (A+ to F) and score out of 100 at the top of the results.
  4. Review the header breakdown: a Good, Warn or Missing badge for each header including HSTS, CSP, X-Frame-Options and Referrer-Policy.
  5. Work through the prioritised fixes list — each recommendation tells you exactly which header to add or correct on your web server.
  6. Send your result to Peritus Digital via the contact form if you'd like help implementing the fixes.

FAQ — Questions

Frequently asked questions

01What are HTTP security headers?

Security headers are HTTP response headers that instruct browsers how to behave when handling your site's content. They are your first line of defence against common web attacks — Cross-Site Scripting (XSS), clickjacking, MIME-type confusion and information leakage. Setting them correctly is a low-effort, high-impact hardening step that every web server should have.

02What is CSP (Content-Security-Policy) and why does it matter?

Content-Security-Policy tells the browser which sources it is allowed to load scripts, styles, images and other resources from. A properly configured CSP blocks the most common XSS attacks at the browser level — even if an attacker injects malicious code, the browser refuses to execute it. Weak policies that include "unsafe-inline" or wildcard (*) sources significantly reduce this protection.

03What is HSTS (Strict-Transport-Security) and why does it matter?

HTTP Strict Transport Security (HSTS) tells browsers to only connect to your site over HTTPS, even if a user types "http://" or clicks a plain-HTTP link. Without it, a network attacker can intercept the first HTTP request and hijack the session before a redirect to HTTPS occurs. A max-age of at least one year (31536000 seconds), plus includeSubDomains, is the recommended baseline.

04Do I need all of these headers?

Yes — each header addresses a different attack vector, and missing any one of them leaves a gap. That said, CSP and HSTS have the most impact. Start with X-Content-Type-Options (the easiest — one line) and HSTS, then work through CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy. The prioritised fixes list below your result tells you exactly what to tackle first.

05Is my website data stored or logged?

No. We fetch your URL's response headers server-side and immediately return the result — nothing is stored, logged or retained. We do not crawl your site or read your content; we only inspect the headers that your web server sends in its HTTP response.