Free website security tools
One free, single-purpose checker for each part of your public posture: security headers, TLS and cookies, email authentication, and attack surface. Most run on the same scan engine behind the full 0 to 100 hardening score, so the complete scan is always one click away.
Security header tools
The HTTP response headers browsers actually enforce. Check them one at a time or all at once.
Security headers checker
Test HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy coverage in one pass.
HSTS checker
Check your Strict-Transport-Security header: present or absent, max-age, includeSubDomains, and preload eligibility.
CSP checker
Check your Content-Security-Policy: present or absent, enforcing or report-only, and common weaknesses like unsafe-inline and wildcards.
Clickjacking checker
Check whether X-Frame-Options or CSP frame-ancestors stops your pages from being embedded in attacker-controlled iframes.
Referrer-Policy checker
Check whether your Referrer-Policy header stops full URLs (and any tokens in them) from leaking to other sites.
Permissions-Policy checker
Check whether your Permissions-Policy limits camera, microphone, geolocation, and other browser features for the page and its embeds.
X-Content-Type-Options checker
Check whether your responses send nosniff to stop browsers MIME-sniffing content into the wrong type.
TLS, HTTPS & cookies
How your site serves HTTPS, and how its cookies are scoped.
TLS checker
TLS protocol versions, cipher suites, certificate validity, and HTTP-to-HTTPS redirect coverage.
Cookie inspector
Parse Set-Cookie headers and validate Secure, HttpOnly, and SameSite attributes on session cookies.
Email authentication tools
Whether someone can spoof email from your domain: DMARC, SPF, and DKIM.
DMARC checker
Look up your DMARC TXT record, parse the policy and reporting tags, and see where you sit on the rollout journey.
SPF checker
Resolve your SPF TXT record, walk includes, count DNS lookups, and flag patterns that quietly break alignment.
DKIM checker
Probe common DKIM selectors, validate public-key format, and confirm DMARC alignment is supported.
Authentication-Results parser
Paste any email's Authentication-Results header and see DKIM signers, SPF and DMARC verdicts, and alignment with the From: domain. This is the definitive DKIM check when your sender uses non-enumerable selectors.
Email authentication analyzer
Read your DMARC, SPF, and DKIM together, get a step-by-step plan from p=none to p=reject, and copy the exact DMARC record to publish next.
DNS, reputation & attack surface
What your domain exposes publicly, and how blocklists and Safe Browsing see it.
DNS checker
Look up any domain's A, AAAA, MX, TXT, NS, CNAME, and CAA records instantly. A plain DNS lookup, including MX and the TXT records that hold SPF and DMARC.
Attack surface & subdomain takeover checker
Map every subdomain a domain has ever had a certificate for, and flag the forgotten or hijackable (takeoverable) ones. Passive: it reads public certificate transparency logs and never touches the target.
Domain reputation checker
Check whether your mail servers are on major email blocklists and whether your site is flagged as dangerous by Google Safe Browsing.