Free · No signup · Instant results

Free Website Security Checker

Audit your security headers, HTTPS configuration, mixed content, and cookie security flags in seconds. Get AI-guided remediation steps for every finding — no account needed.

Check Security Headers (Free) · Full Audit (22 modules)

Select the Security module in the targeted analyzer, or run the full audit for a complete site health report.

Security checks covered

The security module evaluates your response headers, SSL configuration, and resource loading — the same checks that security scanners like Observatory and securityheaders.com run, but integrated into your full SEO audit.

Content-Security-Policy (CSP) [Critical]
Restricts which sources can load scripts, styles, images and other resources.
Risk if missing: Missing CSP leaves your site vulnerable to XSS and data injection attacks.

Strict-Transport-Security (HSTS) [Critical]
Forces browsers to connect only over HTTPS, even on subsequent visits.
Risk if missing: Without HSTS, users can be downgraded to HTTP on unprotected networks.

X-Frame-Options (XFO) [High]
Controls whether your page can be embedded in iframes on other sites.
Risk if missing: Missing XFO enables clickjacking attacks that trick users into clicking hidden elements.

X-Content-Type-Options (XCTO) [Medium]
Prevents browsers from MIME-sniffing a response away from its declared content type.
Risk if missing: MIME sniffing can cause browsers to interpret safe files as executable scripts.

Referrer-Policy (RP) [Medium]
Controls how much referrer information is included with navigation requests.
Risk if missing: Missing policy leaks full URLs including query parameters to third-party domains.

Permissions-Policy (PP) [Medium]
Restricts browser features like camera, microphone, and geolocation per origin.
Risk if missing: Without this header, embedded scripts can silently access powerful browser APIs.

In addition to headers, the checker audits: HTTPS redirect chain · SSL/TLS certificate validity · Mixed content (active and passive) · Secure and HttpOnly cookie flags · HTTPS on subresources.
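The header and cookie checks listed above, as an added example that is not the checker's own code: it audits a captured response header map, flags each missing header with the severity the table gives, and also catches an HSTS max-age below one year, a wrong X-Content-Type-Options value, and cookies without Secure or HttpOnly. The sample headers are constructed.

```javascript
// Added example (not the checker's own code): audit a response header map the way
// the page's security module describes, returning one finding per gap found.
const REQUIRED = [
  ['content-security-policy', 'Critical', 'missing CSP leaves the site open to XSS and data injection'],
  ['strict-transport-security', 'Critical', 'without HSTS users can be downgraded to HTTP'],
  ['x-frame-options', 'High', 'missing XFO enables clickjacking'],
  ['x-content-type-options', 'Medium', 'MIME sniffing may run safe files as scripts'],
  ['referrer-policy', 'Medium', 'full URLs leak to third-party domains'],
  ['permissions-policy', 'Medium', 'embedded scripts can use camera, microphone, geolocation'],
];

// Lower-case header names; keep multi-valued headers such as Set-Cookie as arrays.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = Array.isArray(v) ? v : [v];
  return out;
}

function auditSecurityHeaders(rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [];
  for (const [check, severity, detail] of REQUIRED) {
    if (!h[check]) findings.push({ check, severity, detail });
  }
  // HSTS present but shorter than the one-year minimum the page recommends.
  if (h['strict-transport-security']) {
    const m = /max-age=(\d+)/i.exec(h['strict-transport-security'][0]);
    const age = m ? Number(m[1]) : 0;
    if (age < 31536000) findings.push({ check: 'strict-transport-security', severity: 'High', detail: `max-age ${age} is below 31536000 (one year)` });
  }
  // X-Content-Type-Options has exactly one meaningful value.
  if (h['x-content-type-options'] && h['x-content-type-options'][0].trim().toLowerCase() !== 'nosniff') {
    findings.push({ check: 'x-content-type-options', severity: 'Medium', detail: 'value must be "nosniff"' });
  }
  // Every Set-Cookie should carry both Secure and HttpOnly.
  for (const cookie of h['set-cookie'] || []) {
    const attrs = cookie.toLowerCase().split(';').map((p) => p.trim());
    const missing = ['secure', 'httponly'].filter((a) => !attrs.includes(a));
    if (missing.length) findings.push({ check: 'set-cookie', severity: 'High', detail: `cookie ${cookie.split('=')[0]} lacks ${missing.join(', ')}` });
  }
  return findings;
}

// Constructed sample response headers for a site that has only partially hardened itself.
const SAMPLE_HEADERS = {
  'Strict-Transport-Security': 'max-age=86400',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Set-Cookie': ['session=abc123; Path=/; HttpOnly', 'theme=dark; Path=/; Secure; HttpOnly'],
};
```

Running `auditSecurityHeaders(SAMPLE_HEADERS)` yields five findings: the three missing headers, the short HSTS lifetime, and the session cookie without Secure.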

Why security issues hurt your SEO rankings

Security and SEO are more intertwined than most people realise. Google uses HTTPS as a direct ranking factor — sites without SSL or with improperly configured redirects can see measurable ranking drops. Chrome also marks HTTP pages as "Not Secure," which increases bounce rates and erodes user trust.

Mixed content is a silent killer: a single HTTP image or script on an otherwise HTTPS page can trigger console errors, break functionality, and cause Google to classify your page differently in its security assessment. The checker identifies every mixed-content resource with its exact URL so you know exactly what to fix.

Missing security headers like CSP and HSTS don't directly affect rankings today, but they affect trust signals — browser security indicators, third-party security scores, and the likelihood of your site being reported for abuse — all of which can indirectly impact your domain's reputation in Google's systems.

How to add security headers to your site

The right method depends on your hosting stack:

Next.js (next.config.js)

// next.config.js
const securityHeaders = [
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
]

module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }]
  },
}

Apache (.htaccess)

# Requires mod_headers. "always" applies the header to error responses as well as 2xx responses.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Nginx (nginx.conf)

# "always" adds the header to error responses too. Note that a server or location block
# inherits these add_header directives only if it defines no add_header of its own.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

After adding headers, re-run the security checker to confirm they are present and correctly configured.

Frequently asked questions

What security headers should every website have?

At minimum: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Permissions-Policy is increasingly expected by modern security scanners.

Does website security affect SEO?

Yes. HTTPS is a direct ranking factor. Mixed content and missing security headers can indirectly hurt rankings by increasing bounce rates (browser warnings), breaking functionality, and affecting domain trust signals.

What is mixed content?

Mixed content is when an HTTPS page loads resources over HTTP. Active mixed content (scripts, iframes) is blocked by browsers. Passive mixed content (images, video) may load but triggers security warnings and leaks data.
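The mixed-content check described in the section on SEO impact and in this answer, as an added example that is not the checker's own code: it scans HTML for subresources fetched over plain HTTP and labels each active (script, iframe, stylesheet, object, embed, which browsers block) or passive (image, audio, video, which load with a warning). The sample page and hostnames are constructed.

```javascript
// Added example (not the checker's own code): find HTTP subresources on an HTTPS page
// and classify each as active (browser-blocked) or passive (loads with a warning).
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link', 'object', 'embed']);

// Match a resource-loading tag and capture its src/href/data attribute value.
const TAG_RE = /<(script|iframe|link|object|embed|img|audio|video|source)\b[^>]*?\s(?:src|href|data)\s*=\s*["']([^"']+)["']/gi;

function findMixedContent(html, pageUrl) {
  // Mixed content only exists on pages that were themselves served over HTTPS.
  if (!pageUrl.toLowerCase().startsWith('https://')) return [];
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const url = m[2].trim();
    // Relative and protocol-relative (//host/...) URLs inherit https:, so only an explicit http: scheme counts.
    if (!/^http:\/\//i.test(url)) continue;
    findings.push({ tag, url, kind: ACTIVE_TAGS.has(tag) ? 'active' : 'passive' });
  }
  return findings;
}

// Constructed sample page: three active and one passive mixed-content resource among safe references.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="//cdn.example.test/logo.png">
<img src="http://img.example.test/hero.jpg">
<video src="/media/intro.mp4"></video>
<iframe src="HTTP://widgets.example.test/embed"></iframe>
</body></html>`;
```

`findMixedContent(SAMPLE_HTML, 'https://www.example.test/')` reports the stylesheet, the legacy script and the iframe as active and the hero image as passive, each with the exact URL to fix.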

How do I add HSTS to my site?

Add the header Strict-Transport-Security: max-age=63072000; includeSubDomains; preload to your server configuration (.htaccess for Apache, nginx.conf for Nginx, or headers() in next.config.js). Set max-age to at least 31536000 (one year).

Is the security checker free?

Yes — completely free, no account required. Select 'Security' in the targeted scanner at /analyze, or run the full audit at /full-audit which includes security as one of 22 modules.
