Security headers checker

Grade a page on the HTTP security headers it sends.

Example Security headers checker result

What this checks

Security headers are instructions a server sends with every response that tell the browser how to behave: enforce HTTPS, block content sniffing, restrict where scripts can load from and so on.

This tool fetches a URL and grades it on the main security headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy.

Why it matters

Missing headers leave a site open to clickjacking, content-type confusion and downgrade attacks, and they are an easy win that auditors and security-minded clients check for.

Most are a few lines of server or CDN config, so a poor grade is usually quick to fix once you know what is missing.

How to fix common failures

1. Add HSTS

Send Strict-Transport-Security so browsers always use HTTPS. Start with a short max-age, then raise it.

2. Set a Content-Security-Policy

Even a basic policy limits where scripts and styles can load from. Build it up gradually to avoid breaking the page.

3. Add the quick wins

X-Content-Type-Options: nosniff, a Referrer-Policy, and X-Frame-Options (or the Content-Security-Policy frame-ancestors directive) are one-liners.
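As an added example (not the page's or Janitor's own code), a small Python grader that applies the checks described above to a set of response headers: presence of the six headers, framing protection via either X-Frame-Options or frame-ancestors, and a warning rather than a failure for a short HSTS max-age. The letter scale and the one-year HSTS threshold are assumptions; the sample header sets are constructed.

```python
import re
from urllib.request import urlopen

ONE_YEAR = 31536000  # assumed threshold for a "raised" HSTS max-age, in seconds
CORE = ("strict-transport-security", "content-security-policy",
        "x-content-type-options", "referrer-policy", "permissions-policy")

def hsts_max_age(value):
    """Return the max-age from an HSTS header value, or 0 if it has none."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def framing_protected(h):
    """Clickjacking defence: X-Frame-Options or a CSP frame-ancestors directive."""
    xfo = h.get("x-frame-options", "").upper()
    return xfo in ("DENY", "SAMEORIGIN") or \
        "frame-ancestors" in h.get("content-security-policy", "").lower()

def grade(headers):
    """Grade a mapping of response headers (hypothetical A-F scale)."""
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    missing = [name for name in CORE if not h.get(name)]
    if not framing_protected(h):
        missing.append("x-frame-options or frame-ancestors")
    warnings = []
    hsts = h.get("strict-transport-security")
    if hsts and hsts_max_age(hsts) < ONE_YEAR:
        warnings.append("hsts max-age below one year (fine while staging, raise it later)")
    xcto = h.get("x-content-type-options")
    if xcto and xcto.lower() != "nosniff":
        warnings.append("x-content-type-options is set but not 'nosniff'")
    # One step down per missing header; warnings alone cost a single step.
    rank = len(missing) if missing else (1 if warnings else 0)
    return {"grade": "ABCDEF"[min(rank, 5)], "missing": missing, "warnings": warnings}

def fetch_and_grade(url):
    """Fetch a URL and grade the headers it returns (needs network access)."""
    with urlopen(url) as resp:
        return grade(dict(resp.headers.items()))

if __name__ == "__main__":
    # Constructed sample: a site that only sets X-Frame-Options.
    weak = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
    print(grade(weak))
```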

Security headers checker is a single check. Janitor watches security headers automatically across every client site and puts the results in a branded report.

Security headers checker FAQ

What is a good security headers grade?

Aim to have all the core headers present. The most important are HSTS and a Content-Security-Policy. The others are quick to add and round out the grade.

Will adding headers break my site?

A strict Content-Security-Policy can block inline scripts or third-party resources, so introduce it gradually and test. The other headers are safe to add straight away.

Can I monitor headers across many sites?

Yes. Janitor checks security headers on every client site on a schedule and flags any that regress, so a config change does not quietly drop a header.

Get started

Check it once, or watch it for every client

Janitor runs around two dozen checks on every site you manage and turns them into a branded report.

30-day free trial. No credit card required.