inetutils

What does this site reveal about itself?

Inspect the HTTP headers a website sends — see what server software, security settings, and info it exposes.

What are HTTP headers?

HTTP headers are hidden metadata exchanged between a web server and a browser with every request. They control how content is delivered, cached, and secured — but they can also accidentally reveal information like the server software version, which can help attackers identify vulnerabilities.

Security headers like Strict-Transport-Security and Content-Security-Policy actively protect visitors from certain types of attack. A missing security header isn't necessarily dangerous, but a full set is considered best practice for any production website.

Adding security headers to your website typically requires a small configuration change in your web server or hosting platform. Most modern hosting platforms (Cloudflare, Vercel, Netlify) let you set headers in a configuration file without touching server code. The entire process usually takes under 30 minutes and can meaningfully improve your site's security posture.

Frequently Asked Questions

What does Strict-Transport-Security (HSTS) do?

HSTS tells browsers to only connect to your site over HTTPS, never plain HTTP — even if the user types http://. This prevents a class of attack called SSL stripping, where an attacker downgrades your connection to unencrypted HTTP. Once a browser receives an HSTS header it enforces HTTPS for the duration specified in the max-age directive.

What does X-Frame-Options protect against?

Clickjacking — an attack where a malicious site embeds your page in an invisible <iframe> and tricks users into clicking on hidden buttons. Setting X-Frame-Options: DENY prevents your page from being framed by any other site. The newer Content-Security-Policy: frame-ancestors directive offers more granular control.

Does a low security header score mean my site is vulnerable?

Not necessarily — it means your site isn't using optional defence-in-depth protections. The risk depends heavily on what your site does. A static marketing site missing CSP is lower risk than a web application that handles user logins or payments. That said, adding security headers is a low-effort improvement with no downside.

What is the Permissions-Policy header?

Permissions-Policy (formerly Feature-Policy) lets you control which browser features your site can use — such as camera, microphone, geolocation, and payment APIs. Disabling features your site doesn't need reduces the damage a cross-site scripting (XSS) attack could cause by limiting what it can access.
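
An added example, not part of the original page or the site's own tool: a small Python audit of a response header block for the points covered above (missing security headers, a short HSTS max-age, version strings in Server or X-Powered-By). The sample response is constructed, and the name audit_headers and the 180-day HSTS threshold are assumptions.

```python
import re

# Headers discussed on this page; HTTP header names are case-insensitive.
RECOMMENDED = ("strict-transport-security", "content-security-policy",
               "x-frame-options", "permissions-policy")
MIN_HSTS_SECONDS = 15552000  # assumed threshold (180 days), not from the page

# Constructed sample response, not captured from a real site.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""

def audit_headers(raw):
    """Return a list of findings for a raw HTTP response header block."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line has no colon and is skipped
            headers[name.strip().lower()] = value.strip()

    findings = []
    csp = headers.get("content-security-policy", "").lower()
    for name in RECOMMENDED:
        # CSP frame-ancestors covers clickjacking without X-Frame-Options.
        covered = name == "x-frame-options" and "frame-ancestors" in csp
        if name not in headers and not covered:
            findings.append(f"missing: {name}")

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if match is None:
            findings.append("hsts: no max-age directive")
        elif int(match.group(1)) < MIN_HSTS_SECONDS:
            findings.append(f"hsts: max-age {match.group(1)} is below {MIN_HSTS_SECONDS}")

    # Product/version strings are the accidental disclosure the page mentions.
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(f"version disclosed: {name}: {value}")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

A missing X-Frame-Options is not reported here because the sample's Content-Security-Policy already carries frame-ancestors.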