HTTPS, TLS, and the headers that protect your visitors
Redirects, certificates, CSP, cookies, and CORS done right.
Does your site still answer over plain HTTP?
If http:// still serves your page, anyone on the network path (a shared Wi-Fi, a hostile hop upstream) can rewrite it before it loads. How the downgrade works, how to check, and the one redirect to add.
When does your TLS certificate expire, and what happens when it does?
An expired TLS cert turns your site into a full-screen browser warning overnight. How expiry and old TLS versions break trust, and how to stay ahead of it.
What is HSTS, and why does missing it leave a gap on the first visit?
Without HSTS, every visit that starts from a typed hostname or an http:// link can be downgraded to plaintext and rewritten, not only the first one. What the header does, the one line that closes the gap for returning visitors, and why the very first visit still needs preloading.
Do you have a Content-Security-Policy, and is it actually doing anything?
A CSP with 'unsafe-inline' in script-src is a lock left in the unlocked position: it permits exactly the inline scripts an XSS injects. What the directive really permits, how to check, and how to tighten it safely with nonces or hashes.
The header that stops your site being framed for clickjacking
Without frame protection, your login form can be invisibly overlaid on a hostile page. How clickjacking works, how to check, and the one header that ends it (X-Frame-Options, or frame-ancestors in your CSP).
Are your session cookies actually protected? (HttpOnly, Secure, SameSite)
A session cookie without HttpOnly is one any XSS can steal. What the three cookie flags do, how to read your Set-Cookie header, and how to set them right.
Is your CORS policy letting any site read your responses?
An Access-Control-Allow-Origin that echoes whatever Origin the request sent, combined with Access-Control-Allow-Credentials: true, hands authenticated responses to any site that asks. How the misconfig works, how to check, and how to fix it.
Your page is HTTPS, but is everything on it? Mixed content, explained
An HTTPS page that loads a script over HTTP has a hole the padlock hides. What active and passive mixed content let an attacker do, and how to find it.
Self-signed, wrong hostname, untrusted: when your TLS cert isn't really trusted
An expired cert is one failure mode. A self-signed one, a hostname mismatch, or an incomplete chain breaks trust too, and the browser warning is just as loud.
The small security headers everyone skips: nosniff, Referrer-Policy, Permissions-Policy
X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are three one-line headers most sites miss. What each one stops, and the block that sets them all.
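The checks the header articles above describe can be run offline against a captured response. The following is an added example, not code from this site or its scanner; it audits a constructed header set for the redirect, HSTS, CSP, framing, cookie-flag, CORS and small-header weaknesses named above, and the thresholds it applies (a one-year HSTS max-age, all three cookie flags, no reflected Origin with credentials) are the ones those articles advocate. The sample header lists, the origin names and the `audit` function are all assumptions made for illustration.

```python
"""Offline audit of the response headers covered above, over a constructed sample.

Added example: not the site's own code. The header values, origins and
thresholds below are illustrative assumptions, not output from a real host.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; the HSTS max-age floor the preload list requires


def parse_directives(csp: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def csp_allows_inline_script(csp: str) -> bool:
    """True when inline <script> would execute. script-src falls back to
    default-src; browsers ignore 'unsafe-inline' if the same directive also
    carries a nonce or hash source."""
    d = parse_directives(csp)
    src = d.get("script-src", d.get("default-src"))
    if src is None:
        return True  # nothing constrains script execution at all
    if "'unsafe-inline'" not in src:
        return False
    return not any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Return (cookie name, {attribute lowercased: value}) from one Set-Cookie value."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in rest:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def hsts_max_age(value: str) -> int | None:
    """Extract max-age from a Strict-Transport-Security value; None if absent or malformed."""
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k.strip().lower() == "max-age":
            digits = v.strip().strip('"')
            return int(digits) if digits.isdigit() else None
    return None


def audit(status: int, headers: list[tuple[str, str]], *, is_https: bool, request_origin: str) -> list[str]:
    """One finding per weakness; an empty list means every check passed.
    request_origin is the Origin the request carried: pass one you do NOT trust,
    so that seeing it echoed with Allow-Credentials: true exposes reflection."""
    h: dict[str, list[str]] = {}
    for k, v in headers:
        h.setdefault(k.lower(), []).append(v)  # Set-Cookie may repeat; keep every copy

    def first(name: str) -> str | None:
        return h.get(name, [None])[0]

    findings: list[str] = []
    if not is_https:  # a plain-HTTP response should only ever be a permanent redirect to https://
        loc = first("location") or ""
        if status not in (301, 308) or not loc.lower().startswith("https://"):
            findings.append("http: served over plain HTTP without a permanent redirect to https://")
        return findings  # the headers below only matter on the HTTPS response

    hsts = first("strict-transport-security")
    age = hsts_max_age(hsts) if hsts else None
    if hsts is None:
        findings.append("hsts: Strict-Transport-Security missing")
    elif age is None or age < ONE_YEAR:
        findings.append(f"hsts: max-age {age} is below one year")

    csp = first("content-security-policy")
    if csp is None:
        findings.append("csp: Content-Security-Policy missing")
    elif csp_allows_inline_script(csp):
        findings.append("csp: inline scripts allowed ('unsafe-inline' without nonce or hash)")

    if not (csp and "frame-ancestors" in parse_directives(csp)) and first("x-frame-options") is None:
        findings.append("framing: neither frame-ancestors nor X-Frame-Options set; clickjacking possible")

    for raw in h.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        missing = [f for f in ("httponly", "secure", "samesite") if f not in attrs]
        if missing:
            findings.append(f"cookie {name}: missing {', '.join(missing)}")

    acao, acac = first("access-control-allow-origin"), first("access-control-allow-credentials")
    if acac and acac.strip().lower() == "true" and acao in ("*", request_origin):
        findings.append(f"cors: credentials allowed for origin {acao!r}; responses readable cross-site")

    xcto = first("x-content-type-options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("nosniff: X-Content-Type-Options: nosniff missing")
    for header in ("referrer-policy", "permissions-policy"):
        if first(header) is None:
            findings.append(f"{header}: missing")
    return findings


# Constructed sample: a header set with the weaknesses the articles above flag.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=opaque-value; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://attacker.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("X-Content-Type-Options", "nosniff"),
]
# The same response after applying the fixes the articles describe (also constructed).
FIXED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=opaque-value; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://app.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]

if __name__ == "__main__":
    for label, hs in (("weak", SAMPLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit(200, hs, is_https=True, request_origin="https://attacker.example") or ["clean"])
```

Run it as-is and the weak set yields seven findings (short HSTS max-age, inline scripts allowed, no framing protection, a session cookie missing Secure and SameSite, a reflected origin with credentials, and two missing small headers) while the fixed set comes back clean. To audit a live host, capture the response headers with `curl -sI -H 'Origin: https://attacker.example' https://your.host/` and feed them in as `(name, value)` pairs; the plain-HTTP path is checked by passing the http:// response with `is_https=False`.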
Looking for a SecurityHeaders.com alternative now the API is closing?
SecurityHeaders.com is great at grading headers, but its API shuts down in April 2026 and it checks one thing. What to use for headers plus the rest of your surface.
Your TLS cert is valid, but is it leaking hostnames, signed with a weak key, or living too long?
A cert that passes the browser check can still leak internal hostnames in its SAN list, run on an undersized key, or sit valid for years. Three quiet TLS weaknesses, and how to read them from outside.
Find it before someone else does.
Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.