Strict-Transport-Security header evidence
Free tool
Check browser security headers on a public website.
Security headers help browsers handle transport security, framing, referrer behavior, and script policy. SiteLeak checks whether common public headers are present, then frames the result as browser trust evidence rather than a compliance score.
Customer-path evidence this page checks
Content-Security-Policy header evidence
X-Frame-Options or CSP frame-ancestors protection signals
Referrer-Policy header evidence
HTTPS and mixed-content hints that can affect visitor trust
Useful for trust maintenance
The report lists missing or weak browser header signals with source URL evidence so a web host, CDN owner, or developer can reproduce the issue.
No compliance certification
The checker does not certify security, privacy, or regulatory compliance.
What to do with the results
Treat missing headers as a maintenance queue. Header changes are usually made in a hosting platform, CDN, reverse proxy, or framework config, then verified by rerunning the scan. If several trust signals are missing at once, fix the server or CDN template rather than patching one page at a time.
What this page helps you decide
Use this page when you need a plain-language check of public browser trust signals before sending customers to contact, booking, order, or checkout paths.
Practical fixes after the scan
Add or tune HSTS at the host, CDN, or framework layer after confirming the whole site works over HTTPS.
Add a Content-Security-Policy carefully, starting with a report-only policy if the site depends on many third-party scripts.
Set frame protection and referrer policy where the host or framework supports them.
Replace insecure asset URLs with HTTPS versions and retest the affected public page.
Evidence examples
HTTPS page is missing HSTS
The public response did not include a Strict-Transport-Security header for the scanned HTTPS URL.
Fix: Enable HSTS at the host, CDN, proxy, or framework after confirming HTTPS coverage across the site.
No Content-Security-Policy header was found
The public response did not include a CSP header, so browser script and embed policy is not declared in headers.
Fix: Add a CSP that matches the site's required scripts, frames, images, and styles, then retest for breakage.
Secure page references insecure assets
The page is loaded over HTTPS but the scanned HTML includes an HTTP asset reference.
Fix: Move the asset to HTTPS or remove it, then rerun the scan to confirm the hint is gone.
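An added example, not SiteLeak's own code, that applies the three evidence checks above (plus the framing and referrer signals listed earlier) to one public response; the URL, headers and HTML below are constructed sample input, and header names are matched case-insensitively as browsers treat them.

```python
import re
from urllib.parse import urlparse

# Constructed sample response for a scanned HTTPS page (not real scan output).
SAMPLE_URL = "https://example.test/checkout"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/app.css">
</head><body><img src="http://static.example.test/logo.png"></body></html>"""

# Subresource references a browser will fetch: src= on script/img/iframe/media,
# and href= on <link> (stylesheets). Plain <a href> is navigation, not an asset.
ASSET_SRC = re.compile(r'\bsrc\s*=\s*["\'](http://[^"\']+)', re.IGNORECASE)
LINK_HREF = re.compile(r'<link\b[^>]*\bhref\s*=\s*["\'](http://[^"\']+)', re.IGNORECASE)


def check_trust_signals(url, headers, html):
    """Return (finding, evidence) pairs for one public HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    is_https = urlparse(url).scheme == "https"
    findings = []
    # HSTS only matters on an HTTPS response; browsers ignore it over HTTP.
    if is_https and "strict-transport-security" not in h:
        findings.append(("HTTPS page is missing HSTS", url))
    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append(("CSP is report-only, not yet enforced", url))
        else:
            findings.append(("No Content-Security-Policy header was found", url))
    # Either legacy X-Frame-Options or a CSP frame-ancestors directive counts.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append(("No frame protection declared", url))
    if "referrer-policy" not in h:
        findings.append(("No Referrer-Policy header was found", url))
    if is_https:
        for asset in ASSET_SRC.findall(html) + LINK_HREF.findall(html):
            findings.append(("Secure page references insecure asset", asset))
    return findings
```

Each finding carries the URL or asset reference as evidence, so the same check can be rerun after a host or CDN template change to confirm the item has cleared.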
Questions this scan can answer
Does this prove my site is secure?
No. It checks a focused set of public HTTP headers and should be used alongside broader security review.
Can it run without a security tool account?
Yes. The free check uses public HTTP response evidence and does not require credentials.
Does SiteLeak test vulnerabilities?
No. It checks public header and browser evidence only. It is not a penetration test or compliance review.