Free Security Headers Checker
Enter any site to grade its HTTP security headers — HSTS, Content-Security-Policy, X-Frame-Options and more — plus its DNS CAA record and its security.txt disclosure file, instantly, with no signup. Then let Merlonix watch your whole portfolio so a header never silently disappears.
What are HTTP security headers?
HTTP security headers are response headers a web server sends that tell the browser how to behave more safely — for example, Strict-Transport-Security (HSTS) forces HTTPS, Content-Security-Policy (CSP) limits which scripts can run to blunt cross-site scripting, X-Frame-Options blocks clickjacking, and X-Content-Type-Options stops MIME-type sniffing. Merlonix reads the live headers a real browser would receive over HTTPS and grades which of the six core headers are present.
How is the A–F security-headers grade calculated?
The grade is based on how many of the six core security headers your site sends: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. More headers present means a higher grade. It is a deterministic count of what your server actually returns — not an opinion — so two people checking the same site see the same result.
What is a CAA record and why does it matter?
A DNS CAA (Certification Authority Authorization) record names which certificate authorities are allowed to issue TLS certificates for your domain. Without one, any public CA may issue a certificate for your domain, which widens the blast radius of a mis-issuance. Adding a CAA record is a low-effort way to constrain who can mint a cert in your name — so this checker reports whether one is configured alongside the header grade.
What is a security.txt file, and why does an expired one matter?
security.txt (RFC 9116) is a standard file at /.well-known/security.txt that tells security researchers how to report a vulnerability to you — a contact address and an Expires date. Without one, a finder has no clear channel and may disclose publicly. The catch most scanners miss: RFC 9116 says a file whose Expires date has passed must be treated as stale, so an expired security.txt is effectively a dead contact that silently rots. This checker reports whether you publish one and whether its Expires date has lapsed — a signal almost no other free scanner surfaces.
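Putting the grading rule and the security.txt expiry check together, here is an added Python example (not Merlonix's own code): it counts the six core headers case-insensitively and parses a security.txt body for Contact and Expires. The letter thresholds in GRADE_BY_COUNT are assumed, since the page states only that more headers means a higher grade, and the sample headers and file are constructed.

```python
from datetime import datetime, timezone

# The six core headers the grade counts.
CORE_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                "X-Frame-Options", "X-Content-Type-Options",
                "Referrer-Policy", "Permissions-Policy")

# Assumed letter thresholds: the page says only that more of the six
# headers means a higher grade, so this mapping is illustrative.
GRADE_BY_COUNT = {6: "A", 5: "B", 4: "C", 3: "D", 2: "E", 1: "F", 0: "F"}


def grade_headers(headers):
    """Return (present, missing, grade); header names match case-insensitively."""
    seen = {k.lower() for k in headers}
    present = [h for h in CORE_HEADERS if h.lower() in seen]
    missing = [h for h in CORE_HEADERS if h.lower() not in seen]
    return present, missing, GRADE_BY_COUNT[len(present)]


def parse_security_txt(body, now=None):
    """Return (contacts, expires, stale). RFC 9116 makes Expires an RFC 3339
    timestamp and a file past that date stale; a file with no Expires field
    is treated as stale too, since it is then non-conforming."""
    now = now or datetime.now(timezone.utc)
    contacts, expires = [], None
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, _, value = line.partition(":")  # value may itself contain ':'
        field, value = field.strip().lower(), value.strip()
        if field == "contact":
            contacts.append(value)
        elif field == "expires":
            if value[-1:] in ("Z", "z"):  # fromisoformat() < 3.11 rejects 'Z'
                value = value[:-1] + "+00:00"
            expires = datetime.fromisoformat(value)
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
    return contacts, expires, expires is None or expires <= now


# Constructed sample input (not from any real site): four of six headers
# present, and a security.txt whose Expires date has already passed.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=63072000",
                  "content-security-policy": "default-src 'self'",
                  "X-Content-Type-Options": "nosniff",
                  "Referrer-Policy": "strict-origin-when-cross-origin",
                  "Content-Type": "text/html"}
SAMPLE_SECURITY_TXT = ("# constructed example\n"
                       "Contact: mailto:security@example.com\n"
                       "Expires: 2024-01-31T00:00:00Z\n")
```

Run grade_headers(SAMPLE_HEADERS) and parse_security_txt(SAMPLE_SECURITY_TXT) to see a C grade with two named missing headers and a stale contact file; a deploy that drops one header shows up as a changed grade on the next run.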
How do I keep my security headers from regressing?
A one-time check is a snapshot — a deploy, a CDN change, or a reverse-proxy tweak can silently drop a header weeks later, and nobody notices until an audit. Claim the free Merlonix plan ($0, no credit card) to monitor a few domains continuously, or start a trial to watch your whole portfolio. Merlonix re-checks security posture on a schedule and alerts you when a header you relied on disappears.