Are your security headers set?
Paste your page's URL and we check for three common security headers - HSTS, content-type protection, and clickjacking protection - and tell you which ones your server isn't sending. Free, no signup.
What we check
We read the response headers your page sends and check for three common security headers: HSTS (Strict-Transport-Security, which forces browsers to stick to HTTPS), X-Content-Type-Options (which stops browsers from second-guessing file types), and frame protection (which stops other sites from loading yours in a hidden frame to trick your users). We tell you which of the three are missing.
This is a focused check on three specific, widely recommended headers, not a full security audit. Missing them is a hardening gap - a best practice you haven't set yet - not proof of an active vulnerability. We report what's absent so you can decide what to add.
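A presence check of this kind can be sketched as follows. This is an added example, not the scanner's own code: the function names and the sample header sets are assumptions constructed for illustration. It treats frame protection as satisfied by either X-Frame-Options or a frame-ancestors directive in an enforced Content-Security-Policy.

```python
# Added example: function names and sample headers are constructed, not real scan output.

def csp_has_frame_ancestors(csp_value):
    """True if any policy in a Content-Security-Policy value sets frame-ancestors."""
    for policy in csp_value.split(","):       # several policies may be comma-joined
        for directive in policy.split(";"):   # directives are semicolon-separated
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return True
    return False

def missing_security_headers(headers):
    """Return which of the three checks fail for a list of (name, value) headers."""
    # Header names are case-insensitive and may repeat: group values by lowercased name.
    seen = {}
    for name, value in headers:
        seen.setdefault(name.strip().lower(), []).append(value.strip())

    def present(name):
        return any(v for v in seen.get(name, []))  # an empty value counts as absent

    missing = []
    if not present("strict-transport-security"):
        missing.append("HSTS")
    if not present("x-content-type-options"):
        missing.append("X-Content-Type-Options")
    # Only the enforced CSP header is read; Content-Security-Policy-Report-Only
    # does not block framing, so it is deliberately not consulted here.
    framed = present("x-frame-options") or any(
        csp_has_frame_ancestors(v) for v in seen.get("content-security-policy", []))
    if not framed:
        missing.append("frame protection")
    return missing

# Constructed sample responses.
SAMPLE_BARE = [("Content-Type", "text/html"),
               ("Content-Security-Policy", "default-src 'self'")]
SAMPLE_HARDENED = [
    ("strict-transport-security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for label, hdrs in (("bare", SAMPLE_BARE), ("hardened", SAMPLE_HARDENED)):
        print(label, "missing:", missing_security_headers(hdrs) or "none")
```

A CSP that lacks frame-ancestors does not count as frame protection, which is why the bare sample is reported as missing all three.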
Why it matters
Security headers are the kind of thing that's trivial to set and easy to never get around to. They don't change how your site looks or works, so nothing reminds you they're missing - the page loads fine with them or without them. They quietly add defense: keeping browsers on HTTPS, blocking content-type tricks, stopping clickjacking frames.
Missing them won't take your site down, but it leaves easy, well-understood protections on the table, and they're often the boxes a security-conscious customer or a basic audit checks first. Knowing which three you're missing makes them a five-minute fix instead of a someday-maybe.
Questions
Which headers do you check?
Three: HSTS (Strict-Transport-Security), which keeps browsers on HTTPS; X-Content-Type-Options, which stops content-type sniffing; and frame protection (X-Frame-Options or a CSP frame-ancestors rule), which blocks clickjacking. We report which of the three are missing.
Is this a full security audit?
No, and we won't pretend it is. We check three specific, widely recommended headers. A missing header is a hardening gap, not a confirmed vulnerability, and a clean result here doesn't mean your whole site is secure - it means these three common protections are in place.
Is it bad if I'm missing these?
It's not an emergency - your site still works. But these are cheap, well-understood protections, and they're often the first things a security-minded customer or a basic audit looks for. Setting them is usually a quick config change, so it's worth closing the gap.
Is it really free?
Yes. Paste a URL and run it, no account needed. The same scan also runs all of CopyMosaic's other checks, and you can open the full report to see them.