Free SSL & Security Header Checker

Check if HTTPS is properly configured, HSTS is active, and which security headers are missing from your website — free, no sign-up required.

Security headers explained

These HTTP response headers tell browsers how to handle your site's content. Missing headers are one of the most common and easily fixed security gaps.

Strict-Transport-Security
Forces browsers to always use HTTPS, even if the user types http://. Prevents SSL stripping attacks. Must have max-age ≥ 31536000 (1 year).
Content-Security-Policy
Controls which resources the browser is allowed to load. Prevents XSS and data injection attacks. One of the hardest to configure correctly, but very high value.
X-Frame-Options
Prevents your pages from being embedded in iframes on other sites. Blocks clickjacking attacks. Set to DENY or SAMEORIGIN.
X-Content-Type-Options
Tells browsers not to guess the MIME type of responses. Prevents MIME sniffing attacks. Always set to nosniff.
Referrer-Policy
Controls what URL information is sent in the Referer header. Protects user privacy and prevents leaking sensitive URL parameters to third parties.
Permissions-Policy
Controls which browser features (camera, microphone, geolocation, etc.) the page can use. Limits attack surface if your site is compromised or serves third-party scripts.

Why HTTPS enforcement matters beyond having a certificate

Many sites have an SSL certificate but still have HTTPS misconfiguration issues:

Frequently asked questions

What is HSTS and why does it matter?
HSTS (HTTP Strict Transport Security) is a header that tells browsers to always connect to your site over HTTPS — even if the user types http://. Without it, an attacker on the same network can intercept the initial HTTP request before the browser is redirected to HTTPS (an SSL stripping attack). HSTS caches the HTTPS-only preference in the browser for the duration of max-age.
What security headers should every website have?
At minimum: Strict-Transport-Security (with max-age ≥ 31536000), X-Frame-Options (DENY or SAMEORIGIN), and X-Content-Type-Options (nosniff). Ideally also: Content-Security-Policy, Referrer-Policy, and Permissions-Policy. These add defence-in-depth against XSS, clickjacking, and MIME sniffing.
Why doesn't this checker show my certificate expiry date?
Certificate expiry date and full SSL grade (including cipher suites and protocol versions) require a deeper TLS handshake inspection that can't be done with a simple HTTP check. Pulse Pro performs full SSL certificate checks weekly, including expiry date, issuer chain, and protocol grade, and alerts you 30 days before your cert expires.
My site shows HTTPS but this checker says HTTP redirect is missing — why?
Your site may serve HTTPS correctly when accessed directly, but not redirect HTTP traffic to HTTPS. A user typing http://yourdomain.com will be served over plain HTTP. The fix: add a permanent redirect (301) from http:// to https:// at your web server or CDN level.
How often should I check my SSL configuration?
At minimum after any infrastructure change, and monthly as a routine check. SSL certificates expire (Let's Encrypt certs are 90 days, paid certs typically 1 year). A missed expiry shows a security warning to every visitor. Pulse Pro monitors SSL weekly and alerts you 30 days before expiry.
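
The checks this page describes, written out as an added Python example (not the checker's own code): the header rules from the list above (HSTS max-age ≥ 31536000, X-Frame-Options DENY or SAMEORIGIN, X-Content-Type-Options nosniff, presence of the other three) and the HTTP-to-HTTPS redirect test from the FAQ. The function names, the ok/weak/missing labels and the sample headers are assumptions constructed for illustration, and accepting 308 alongside 301 is an addition.

```python
import re
from urllib.parse import urlsplit
ONE_YEAR = 31536000  # minimum HSTS max-age stated on this page

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and re.fullmatch(r"[0-9]+", arg):
            return int(arg)
    return None

def audit_headers(headers):
    """Rate each header from the list above as 'ok', 'weak' or 'missing'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    report = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        report["Strict-Transport-Security"] = "missing"
    else:
        age = hsts_max_age(hsts)
        report["Strict-Transport-Security"] = "ok" if age is not None and age >= ONE_YEAR else "weak"
    # Headers for which the page names the acceptable values
    fixed = {"X-Frame-Options": {"DENY", "SAMEORIGIN"}, "X-Content-Type-Options": {"NOSNIFF"}}
    for name, allowed in fixed.items():
        value = h.get(name.lower())
        report[name] = "missing" if value is None else "ok" if value.upper() in allowed else "weak"
    # Checked for presence only; the quality of the policy itself is not judged here
    for name in ("Content-Security-Policy", "Referrer-Policy", "Permissions-Policy"):
        report[name] = "ok" if h.get(name.lower()) else "missing"
    return report

def http_redirects_to_https(status, location):
    """True if the plain-HTTP response is a permanent redirect to an https:// URL."""
    # 301 is the code the page recommends; 308 is the other permanent redirect (added here)
    return status in (301, 308) and urlsplit(location or "").scheme == "https"

# Constructed sample response headers, not taken from a real site
SAMPLE = {
    "strict-transport-security": "max-age=86400; includeSubDomains",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for name, status in audit_headers(SAMPLE).items():
        print(f"{name}: {status}")
```

The sample's HSTS header is present but rated weak because its max-age of one day is below the one-year minimum, which a presence-only check would miss.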

Get weekly SSL monitoring + certificate expiry alerts

Pulse Pro checks your SSL certificate, HTTP headers, DNS health, and subdomain exposure every Monday — and emails you when anything changes or is about to expire.
