Free tool

Check browser security headers on a public website.

Security headers help browsers handle transport security, framing, referrer behavior, and script policy. SiteLeak checks whether common public headers are present, then frames the result as browser trust evidence rather than a compliance score.


Pages and actions this check reviews

Strict-Transport-Security header evidence

Content-Security-Policy header evidence

X-Frame-Options or CSP frame-ancestors protection signals

Referrer-Policy header evidence

HTTPS and mixed-content hints that can affect visitor trust

Useful for trust maintenance

The report lists missing or weak browser header signals with source URL evidence so the issue can be reproduced and retested from the public page.

No compliance certification

The checker does not certify security, privacy, or regulatory compliance.

What to do with the results

Treat missing headers as a maintenance queue. Header changes are usually made in a hosting platform, CDN, reverse proxy, or framework config, then verified by rerunning the scan. If several trust signals are missing at once, fix the server or CDN template rather than patching one page at a time.

What this page helps you decide

Use this page when you need a plain-language check of public browser trust signals before sending customers to contact, booking, order, or checkout paths.

Practical fixes after the scan

Add or tune HSTS at the host, CDN, or framework layer after confirming the whole site works over HTTPS.

Add a Content-Security-Policy carefully, starting with a report-only policy if the site depends on many third-party scripts.

Set frame protection and referrer policy where the host or framework supports them.

Replace insecure asset URLs with HTTPS versions and retest the affected public page.

Evidence examples

security.missing_hsts (Medium priority)

HTTPS page is missing HSTS

The public response did not include a Strict-Transport-Security header for the scanned HTTPS URL.

Fix: Enable HSTS at the host, CDN, proxy, or framework after confirming HTTPS coverage across the site.

security.missing_csp (Low priority)

No Content-Security-Policy header was found

The public response did not include a CSP header, so browser script and embed policy is not declared in headers.

Fix: Add a CSP that matches the site's required scripts, frames, images, and styles, then retest for breakage.

security.mixed_content_hint (Medium priority)

Secure page references insecure assets

The page is loaded over HTTPS but the scanned HTML includes an HTTP asset reference.

Fix: Move the asset to HTTPS or remove it, then rerun the scan to confirm the hint is gone.
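
The three findings above can be reproduced from one response with a check like the following. It is an added example, not SiteLeak's code: the function and class names, the treatment of a report-only CSP, and the sample response are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class AssetScanner(HTMLParser):
    """Collects http:// subresource references; <a href> navigation is ignored."""
    SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag in self.SRC_TAGS:
            ref = a.get("src", "")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            ref = a.get("href", "")
        else:
            return
        if ref.lower().startswith("http://"):
            self.insecure.append(ref)

def check_response(url, headers, html):
    """Return [(finding_id, evidence)] for one public response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    https = urlparse(url).scheme == "https"
    findings = []
    # Browsers ignore HSTS sent over plain HTTP, so only HTTPS pages are checked.
    if https and not h.get("strict-transport-security"):
        findings.append(("security.missing_hsts", url))
    # Assumption: a Report-Only policy is not enforced, so it is noted but still flagged.
    if not h.get("content-security-policy"):
        note = " (report-only policy present)" if h.get("content-security-policy-report-only") else ""
        findings.append(("security.missing_csp", url + note))
    if https:
        scanner = AssetScanner()
        scanner.feed(html)
        findings += [("security.mixed_content_hint", ref) for ref in scanner.insecure]
    return findings

# Constructed sample response, not real scan output.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HEADERS = {"Content-Security-Policy-Report-Only": "default-src 'self'",
                  "Referrer-Policy": "strict-origin-when-cross-origin"}
SAMPLE_HTML = ('<link rel="stylesheet" href="https://shop.example/site.css">'
               '<script src="http://cdn.example/widget.js"></script>'
               '<a href="http://partner.example/">Partner</a><img src="/logo.png">')

if __name__ == "__main__":
    for finding in check_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print(finding)
```

The evidence value in each tuple is the URL to retest after the fix: the scanned page for header findings, the offending asset for mixed content.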

Fix Packet

Pay only when the scan finds a clear issue.

The free scan is the decision point. If the result matters, the Fix Packet adds the exact affected path, fix brief, owner and technical PDFs, and retest checklist.

Questions this scan can answer

Does this prove my site is secure?

No. It checks a focused set of public HTTP headers and should be used alongside broader security review.

Can it run without a security tool account?

Yes. The free check uses public HTTP response evidence and does not require credentials.

Does SiteLeak test vulnerabilities?

No. It checks public header and public page details only. It is not a penetration test or compliance review.