Skip to main content

Check Your Website's Security Headers

See how secure your website is and get specific recommendations to protect your users.

Free analysis powered by Mozilla Observatory.

What is Mozilla Observatory?

Mozilla Observatory is a security testing tool that analyzes your website's HTTP headers and configuration. It checks for security best practices that protect your users from common web vulnerabilities and provides a letter grade (A+ to F) based on your implementation.

Content Security Policy

Controls which resources can load on your site. Protects against cross-site scripting (XSS) attacks and unauthorized code execution.

HTTPS & HSTS

Enforces encrypted connections and prevents downgrade attacks. Critical for protecting user data in transit.

Clickjacking Protection

Prevents malicious sites from embedding your pages in iframes to trick users into unintended actions.

Cookie Security

Ensures cookies are transmitted securely and aren't accessible to malicious scripts or third parties.

Why Security Headers Matter

  • Protect user data from theft. Security headers prevent attackers from stealing passwords, credit cards, and personal information.
  • Build trust and credibility. Proper security configuration shows you take user safety seriously and can prevent data breach liabilities.
  • Prevent common attacks. Security headers defend against XSS, clickjacking, man-in-the-middle attacks, and content injection.
  • Meet compliance requirements. Many regulations (GDPR, PCI-DSS, HIPAA) require proper security headers and HTTPS implementation.

What's My Score?

ihawp.com Mozilla Observatory Security Score: B+ with passing marks for HTTPS, HSTS, and most security headers.

My site scores a B+ on Mozilla Observatory—solid security across most measures. However, it takes a 20-point hit on Content Security Policy (CSP) due to Next.js framework requirements. Modern JavaScript frameworks often require 'unsafe-inline' for client-side hydration, creating a tension between strict CSP policies and framework functionality.

Mozilla Observatory detailed report showing CSP restrictions and security header analysis for ihawp.com.

The report flags inline scripts and styles—both necessary for Next.js to function properly without implementing ISR (Incremental Static Regeneration). Achieving a perfect CSP score with modern frameworks often means breaking interactive features or significantly complicating the build process. That said, all other critical security headers pass: HTTPS enforcement via HSTS (now with preload), clickjacking protection via X-Frame-Options, and proper content-type handling. Security isn't about perfection—it's about understanding trade-offs and implementing protections that matter most for real-world threats. For a static marketing site with no user input or forms, the CSP limitations pose minimal actual risk.

Need Help Securing Your Website?

Poor security can expose your users to attacks and damage your reputation. I build websites with proper security headers, HTTPS enforcement, and protection against common vulnerabilities. Security best practices are standard on every project—not added as an afterthought.

Get Started