Add HSTS
Send Strict-Transport-Security so browsers always use HTTPS. Start with a short max-age, then raise it.
Grade a page on the HTTP security headers it sends.
Your result
What this checks
Security headers are instructions a server sends with every response that tell the browser how to behave: enforce HTTPS, block content sniffing, restrict where scripts can load from and so on.
This tool fetches a URL and grades it on the main security headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy.
Why it matters
Missing headers leave a site open to clickjacking, content-type confusion and downgrade attacks, and they are an easy win that auditors and security-minded clients check for.
Most are a few lines of server or CDN config, so a poor grade is usually quick to fix once you know what is missing.
How to fix it
Send Strict-Transport-Security so browsers always use HTTPS. Start with a short max-age, then raise it.
Even a basic policy limits where scripts and styles can load from. Build it up gradually to avoid breaking the page.
X-Content-Type-Options: nosniff, a Referrer-Policy and X-Frame-Options or frame-ancestors are one-liners.
Janitor watches security headers automatically across every client site and puts it in a branded report you can send.
Keep reading
FAQ
Aim to have all the core headers present. The most important are HSTS and a Content-Security-Policy. The others are quick to add and round out the grade.
A strict Content-Security-Policy can block inline scripts or third-party resources, so introduce it gradually and test. The other headers are safe to add straight away.
Yes. Janitor checks security headers on every client site on a schedule and flags any that regress, so a config change does not quietly drop a header.
Get started
Janitor runs around two dozen checks on every site you manage and turns them into a branded report.
30-day free trial. No credit card required.