Insight

How to run a free website security check

A quick, no-sign-up way to check whether your website has the basic security protections in place, what the results mean, and what to fix first.

You do not need a paid scanner or a security consultant to find out whether your website has the basics covered. A handful of checks tell you most of what matters, and you can run them in under a minute without signing up for anything.

Start with the transport layer. Is the site served over HTTPS on every page, and does it send a Strict-Transport-Security header so browsers refuse to fall back to plain HTTP? If a visitor can reach an http version that does not redirect, that is the first thing to fix.

Next, look at the response headers that defend the browser: a Content-Security-Policy to contain cross-site scripting, X-Content-Type- Options to stop MIME sniffing, and X-Frame-Options or CSP frame-ancestors to block clickjacking. Missing headers are common and usually a quick configuration fix rather than a rebuild.

Then check the smaller leaks: a Referrer-Policy so addresses do not spill to other sites, and a server that does not advertise its exact software version in the headers. None of these are dramatic on their own, but together they are the difference between a hardened site and an open one.

Our free website security checker runs all of this for any public URL you own. It is read-only, stores nothing, and returns a clear, prioritized list of what is present, what is missing, and how strong each policy is. If you want help fixing what it finds, that is exactly the kind of work we do.