Enter an address to grade its security headers.
We fetch the address and inspect the security headers it returns — the same checks a penetration tester runs first. Anything below an A is a quick win your IT provider should already be on top of.
The six headers that harden a website.
Strict-Transport-Security (HSTS)
Forces browsers to use HTTPS, so a visitor's connection can't be silently downgraded to plain HTTP and intercepted.
Content-Security-Policy (CSP)
Controls which scripts and resources a page may load — the single strongest defence against cross-site scripting.
X-Frame-Options
Stops your site being embedded in a hostile iframe and used to trick your visitors (clickjacking).
X-Content-Type-Options
Set to nosniff, it stops browsers guessing a file's type and running it as something it isn't.
Referrer-Policy
Limits how much of your URLs is shared with other sites when visitors click away.
Permissions-Policy
Switches off browser features you don't use — camera, microphone, geolocation — so embedded content can't reach for them.
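A grader for the six headers above, as an added example (not this site's own checker). The per-header pass rules and the one-letter-per-failure scale are assumptions made for the example, and both sample responses are constructed.

```python
import re

# Referrer-Policy values that send at most the origin to other sites.
LIMITING_REFERRER = {"no-referrer", "origin", "origin-when-cross-origin",
                     "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def hsts_ok(value):
    # max-age=0 tells the browser to forget the policy, so it does not count.
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0

def referrer_ok(value):
    # The header may carry a comma-separated fallback list; judge the last token.
    return value.split(",")[-1].strip().lower() in LIMITING_REFERRER

CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: any(d.strip() for d in v.split(";")),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": referrer_ok,
    "permissions-policy": lambda v: bool(v.strip()),
}

def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # a blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def grade(raw):
    """Return (letter, failed header names); assumed scale: one letter per failure."""
    headers = parse_headers(raw)
    failed = [n for n, ok in CHECKS.items() if n not in headers or not ok(headers[n])]
    return "ABCDEF"[min(len(failed), 5)], failed

# Constructed sample responses, not captured from any real site.
WEAK = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n"
        "X-Content-Type-Options: sniff\r\nReferrer-Policy: unsafe-url\r\n\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
            "Content-Security-Policy: default-src 'self'\r\nX-Frame-Options: DENY\r\n"
            "X-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n"
            "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n\r\n")
```

The WEAK sample shows why presence alone is not enough: three of the headers are sent, but each carries a value that gives no protection, so all six checks fail.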
Security headers, explained.
Let's talk.
We'll be straight.
Tell us a bit about your business and what's on your mind. We'll have a straight conversation about your IT — what you've got, what we'd do differently, and whether we're the right fit for each other.
- A human picks up on the first call
- No pitch deck — just a proper conversation
- We'll tell you honestly if we're not the right fit