Free Tool
Security Headers Checker
See baseline browser protections on your live HTTPS response.
What it calculates
Presence and basic quality of security headers on the apex HTTPS response (public-safe subset).
Why it matters
Missing HSTS or CSP increases XSS and clickjacking risk — enterprise buyers and security reviewers notice.
The Learn Domains moat
Check → Diagnose → Activate → Ship fixes → Measure lift
Monitoring tools stop at the score. Learn Domains turns gaps into ranked actions inside your command center.
- 1Check
You ran the checker on your domain and topic.
Done - 2Diagnose
Readiness score + live mention gaps on missed prompts.
Learn more - 3Activate
Connect site, add Knowledge Base, generate Mission Brief.
Learn more - 4Ship + measure
Growth Orders → content drafts → Signal AI referrals.
Learn more
Apex domain only — no paths, IPs, or ports.
What this checker verifies
Security-related response headers on HTTPS: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and frame-ancestors / X-Frame-Options.
Scans run from Learn Domains infrastructure against the apex domain you submit. We do not crawl arbitrary URLs, probe ports, or run penetration tests. Results describe observed configuration at scan time.
Treat output as operator signal — not a security certification, ranking guarantee, or legal attestation.
How to interpret the result
Missing HSTS weakens HTTPS enforcement. Absent CSP increases XSS blast radius — tune policies in staging before enforce mode.
Severity labels rank urgency: critical issues often block traffic or trust; high issues degrade deliverability or crawl efficiency; medium and low items are worth scheduling before they compound.
When a finding is marked inference or needs human review, confirm in your DNS host, CDN, or registrar before shipping a production change.
Common causes of this issue
Headers set only on www, CDN defaults overriding origin, or CSP copied from another product without trimming.
Misconfigured migrations, partial CDN setups, and copied DNS templates are the usual culprits. Compare www and apex behavior when redirects look inconsistent.
If you recently changed hosts, allow TTL propagation before re-checking — a stale cache can look like a failure for up to 48 hours.
How to fix it
Add headers at CDN or origin. Test CSP in report-only mode first if you have third-party scripts.
Document what you changed and when. Technical change detection inside Learn Domains compares future scans to this baseline so regressions surface in the Operator.
For email posture issues, coordinate with whoever owns your ESP (Google Workspace, SendGrid, etc.) so SPF and DMARC align with live senders.
When to re-check
After deploys that touch edge config or tag managers.
Re-run after DNS TTL windows, certificate renewals, or deploys that touch edge configuration. Weekly monitoring catches drift before launch deadlines.
Connected workspaces in Learn Domains store scan history — public checks are ephemeral snapshots for visitors.
Related Learn Domains workflows
Verify domain ownership in Learn Domains for expanded header analysis on connected assets.
Header regressions are tracked in technical scan diffs — fixes can become Growth Orders with owner assignment.
Start a $1 trial to connect the domain, run full Technical Preflight in the Operator (/tech), turn findings into Growth Orders, and monitor technical health alongside Mission Brief priorities.
Examples
Enterprise security review
Scenario: Buyer asks for HSTS and CSP on marketing site.
Outcome: Checker lists which headers are absent or misconfigured.
Use cases
- Security questionnaire prep
- CDN header templates
- Compliance baselines
Learn Domains perspective
Header regressions are tracked in technical scan diffs — fixes can become Growth Orders with owner assignment.
FAQ
- Is the Security Headers Checker free?
- Yes. Anonymous visitors can run a limited number of checks per day. Results are cached briefly to keep scans fast. Full history, change detection, and Growth Orders require a Learn Domains workspace.
- Does this scan my entire site?
- No. Public tools inspect DNS, HTTPS entry points, robots.txt, sitemap discovery, mail records, and response headers for the apex domain. They do not brute-force paths or audit every URL.
- Can I scan any domain?
- You can check publicly registered domains you have permission to evaluate. We block internal networks, localhost, and platform abuse targets. Rate limits apply per visitor and per domain.
- How is this different from Learn Domains in the app?
- The app runs the same Technical Intelligence engine with saved history, workspace context, AI Operator interpretation, and one-click Growth Orders. Public tools deliver a snapshot; the product runs the operating loop.