Paste a URL. We fetch the response, read the security headers your site sends to browsers, and grade them A+ to F. Plain-English fix for every header that needs work, including HSTS, CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy.
Every browser knows how to act on these headers. Your job is just to publish them. None of them break a normal site.
Strict-Transport-Security tells browsers to refuse plaintext HTTP for your domain. Once a browser has seen the header, it will not honour an HTTP link to your site even if the user types http://.
Content-Security-Policy is the only browser-level defence that can stop a cross-site-scripting payload from running. Start in report-only with default-src 'self' and tighten from there.
X-Frame-Options blocks click-jacking by refusing to render your site inside an iframe on another origin. DENY for most sites; SAMEORIGIN if you embed your own UI.
Permissions-Policy lets you switch off browser features you do not use: camera, microphone, geolocation, payment APIs. If a script ever does try to call them, the browser refuses outright.
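As an added example (not the page's checker or any of its code), a small Python grader that applies the checks described above to a constructed set of response headers. The letter scale in grade(), the one-year HSTS threshold and the list of acceptable Referrer-Policy values are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample of response headers a server might send (not a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",          # far too short
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Frame-Options": "ALLOWALL",                       # not a valid value
    "Referrer-Policy": "no-referrer-when-downgrade",     # leaks full URL cross-origin
    # Permissions-Policy deliberately absent
}
Finding = Tuple[str, str, str]  # (header, status, plain-English advice)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
def check_headers(headers: Dict[str, str]) -> List[Finding]:
    """Assess the five headers discussed above; status is 'ok', 'warn' or 'fail'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    out: List[Finding] = []
    # HSTS: present with a max-age of at least one year (assumed threshold), else browsers forget it quickly
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age:
        out.append(("Strict-Transport-Security", "fail", "Missing; send max-age=31536000; includeSubDomains"))
    elif int(age.group(1)) < 31536000:
        out.append(("Strict-Transport-Security", "warn", "max-age below one year; raise to 31536000"))
    else:
        out.append(("Strict-Transport-Security", "ok", ""))
    # CSP: enforced beats report-only; 'unsafe-inline' or a missing default-src undermines the XSS defence
    csp = h.get("content-security-policy")
    if csp is not None:
        weak = "'unsafe-inline'" in csp or "default-src" not in csp
        out.append(("Content-Security-Policy", "warn" if weak else "ok",
                    "Set default-src and drop 'unsafe-inline'" if weak else ""))
    elif "content-security-policy-report-only" in h:
        out.append(("Content-Security-Policy", "warn", "Report-only: review violation reports, then enforce"))
    else:
        out.append(("Content-Security-Policy", "fail", "Missing; start with Content-Security-Policy-Report-Only: default-src 'self'"))
    ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")  # the only meaningful values
    out.append(("X-Frame-Options", "ok" if ok else "fail", "" if ok else "Send DENY, or SAMEORIGIN if you frame your own UI"))
    ok = h.get("referrer-policy", "") in SAFE_REFERRER
    out.append(("Referrer-Policy", "ok" if ok else "fail", "" if ok else "Send strict-origin-when-cross-origin"))
    ok = "permissions-policy" in h
    out.append(("Permissions-Policy", "ok" if ok else "fail", "" if ok else "Send camera=(), microphone=(), geolocation=()"))
    return out

def grade(findings: List[Finding]) -> str:
    """Assumed scale: A+ with no issues, A with warnings only, then B..F by count of failing headers."""
    statuses = [status for _, status, _ in findings]
    fails = statuses.count("fail")
    if fails == 0:
        return "A+" if all(s == "ok" for s in statuses) else "A"
    return "BCDF"[min(fails - 1, 3)]
```

Running check_headers(SAMPLE_HEADERS) flags HSTS and CSP as warnings and the other three as failures, which grade() turns into a D; a server sending the advised values for all five scores A+.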
AttackEdge Monitoring re-runs security headers, TLS, DMARC, SPF, DKIM, MTA-STS and the rest on a recurring schedule. Plain-English findings, IT-ready fixes, monthly PDF.
Setup in 60 seconds · Cancel anytime