SSL & Security Headers Checker: Check Your Website Security
The SSL & Security Headers Checker inspects two things in one scan: whether your HTTPS certificate is still valid, and whether the 6 most important security headers are configured correctly. Miss either one, and your site both loses visitor trust and leaves the door open to a few very common attacks.
That "Not Secure" label is quietly driving visitors away
Since Chrome 68 in 2018, Google flags every HTTP page with "Not Secure" right in the address bar. For an e-commerce site or anything with a form, that red warning is often reason enough for someone to abandon their cart without reading any further. HTTPS isn't a nice-to-have anymore — it's table stakes.
How an SSL certificate quietly expires without anyone noticing
Let's Encrypt, the most widely used free certificate authority, only issues certificates valid for 90 days. If auto-renew isn't enabled, or the renewal cron job silently fails for a few months, you won't find out until the certificate actually expires and every browser starts showing a bright red warning across your whole site. This kind of failure tends to happen at the worst possible time — usually a weekend or a holiday.
6 security headers hackers pay more attention to than you do
- Strict-Transport-Security (HSTS) — forces browsers to always use HTTPS, blocking connection downgrade attacks.
- X-Frame-Options — stops your page from being embedded in a hidden iframe to trick users into clicking (clickjacking).
- Content-Security-Policy (CSP) — restricts which script/style sources are allowed to run, cutting XSS risk.
- X-Content-Type-Options — stops browsers from guessing (sniffing) a file's type, a behavior attackers can exploit to run malicious code.
- Referrer-Policy — controls how much URL information leaks to other sites when someone clicks an outbound link.
- Permissions-Policy — restricts which pages, including third-party iframes, can access the camera, microphone, or location.
Most of these only need one line of config on Nginx or Apache, but since they don't change how the page looks, they're easy to forget entirely.
Does HTTPS actually affect SEO?
Google confirmed HTTPS as a ranking signal back in 2014, though it carries far less weight than content or backlinks. The bigger effect is indirect: an insecure page tends to have a higher bounce rate and shorter time on page — behavioral signals that influence rankings more than the HTTPS bit itself.
Check both in a single scan
Enter a URL into the free SSL & Security Headers Checker to see how many days are left on your certificate and a checklist of all 6 headers above. No login, nothing to install on your server.
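The two checks described above, as an added Python example (not the tool's own code): `audit_headers` grades the six headers and `days_left` computes the days remaining from a certificate's `notAfter` field. The function names, the "weak" rules and the sample values are assumptions made for this example; `scan` is the only part that touches the network.

```python
import http.client
import ssl
import time

# The six headers from the list above; names are compared case-insensitively.
SIX = ("strict-transport-security", "x-frame-options", "content-security-policy",
       "x-content-type-options", "referrer-policy", "permissions-policy")

def audit_headers(headers):
    """Map each of the six headers to 'ok', 'missing' or 'weak: <reason>'."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    report = {}
    for name in SIX:
        value = seen.get(name, "")
        if not value:
            report[name] = "missing"
        elif name == "strict-transport-security":
            fields = dict(p.strip().lower().partition("=")[::2] for p in value.split(";"))
            age = fields.get("max-age", "").strip('"')  # seconds; 0 drops the policy
            report[name] = "ok" if age.isdigit() and int(age) > 0 else "weak: max-age missing or 0"
        elif name == "x-content-type-options" and value.lower() != "nosniff":
            report[name] = "weak: only 'nosniff' is valid"
        elif name == "x-frame-options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            report[name] = "weak: use DENY or SAMEORIGIN"
        else:
            report[name] = "ok"  # presence only; CSP and policy quality are not judged
    return report

def days_left(not_after, now=None):
    """Whole days until notAfter, in the format ssl.getpeercert() returns."""
    return int((ssl.cert_time_to_seconds(not_after) - (time.time() if now is None else now)) // 86400)

def scan(host, timeout=10):
    """Live check over one connection. An expired certificate fails the handshake."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    conn.connect()
    remaining = days_left(conn.sock.getpeercert()["notAfter"])
    conn.request("HEAD", "/")
    report = audit_headers(dict(conn.getresponse().getheaders()))
    conn.close()
    return remaining, report

# Constructed sample response headers and dates, so the checks run offline.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=0; includeSubDomains",
                  "X-Content-Type-Options": "nosniff", "X-Frame-Options": "ALLOWALL",
                  "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("May 25 12:00:00 2025 GMT")
    print(days_left("Jun  1 12:00:00 2025 GMT", now=now), audit_headers(SAMPLE_HEADERS))
```

On the constructed sample, HSTS is reported as weak because `max-age=0` switches the policy off even though the header is present, which a presence-only checklist would miss.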
Quick fixes
If HSTS or CSP is missing, most hosts, CDNs and web servers (Cloudflare, Nginx) let you add these headers with a few lines of ready-made config, with no custom code needed. Prioritize enabling SSL auto-renew first, since an expired certificate is the most serious issue on this list.
Frequently asked questions
Is a free SSL certificate (Let's Encrypt) as secure as a paid one?
Is a missing HSTS header dangerous right away?
How do I know when my SSL certificate is about to expire?
Can this tool check a site that does not have HTTPS yet?