SSL & Security Headers Checker

Check the SSL certificate and key security headers for a website

Why check SSL & security headers?

An expired SSL certificate or missing security headers leave your website exposed to attacks and erode visitor trust. The tool checks both in one scan.

A secure website needs more than just the HTTPS padlock in the address bar. An expired SSL certificate triggers a browser "Not secure" warning and blocks access; missing key security headers open the door to clickjacking, XSS or referrer leakage attacks. The SSL & Security Headers Checker inspects your SSL certificate (issuer, expiry date, days remaining) and checks the 6 most important security headers: Strict-Transport-Security (HSTS), X-Frame-Options, Content-Security-Policy (CSP), X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Each item is clearly marked present or missing, so you know what to configure on your server.

  • SSL certificate expiry date and days remaining
  • Checklist of the 6 most important security headers
  • Early warning before the certificate expires

How to use in 3 steps

  1. Enter the website URL to check (must be HTTPS to read the certificate).
  2. Click "Check security" — the tool performs a TLS handshake and reads response headers.
  3. Review the SSL certificate expiry and the 6-header security checklist.
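
The evaluation behind step 3, sketched in Python as an added example (not the tool's own code): it computes days remaining from a certificate notAfter string and marks each of the six headers present or missing. The 14-day threshold and the CSP frame-ancestors fallback come from the FAQ on this page; the function names and sample values are constructed for the example.

```python
import ssl
from datetime import datetime, timezone

# The six headers the page lists.
REQUIRED = [
    "Strict-Transport-Security", "X-Frame-Options", "Content-Security-Policy",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
]
RENEW_DAYS = 14  # renewal lead time from the page's FAQ


def days_remaining(not_after, now):
    """Whole days until expiry; not_after is in ssl.getpeercert()['notAfter'] format."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - now).days


def cert_status(not_after, now):
    """Classify the certificate as 'expired', 'renew now' or 'ok'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    return "renew now" if left <= RENEW_DAYS else "ok"


def check_headers(headers):
    """Map each required header to 'present', 'missing' or a frame-ancestors note."""
    seen = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    result = {h: "present" if h.lower() in seen else "missing" for h in REQUIRED}
    # A CSP frame-ancestors directive also restricts framing when X-Frame-Options is absent.
    csp = seen.get("content-security-policy", "")
    directives = [d.split() for d in csp.lower().split(";") if d.strip()]
    if result["X-Frame-Options"] == "missing" and any(d[0] == "frame-ancestors" for d in directives):
        result["X-Frame-Options"] = "covered by CSP frame-ancestors"
    return result


# Constructed sample input (not captured from a real site).
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_NOT_AFTER = "Jun 10 12:00:00 2025 GMT"
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(cert_status(SAMPLE_NOT_AFTER, SAMPLE_NOW), days_remaining(SAMPLE_NOT_AFTER, SAMPLE_NOW))
    for name, state in check_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {state}")
```

Against a live host, the notAfter string would come from the peer certificate returned after the TLS handshake and the headers from the HTTPS response.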

Frequently asked questions

How far ahead should I renew an SSL certificate?
At least 14 days ahead. If using Let's Encrypt (90-day cycle), enable auto-renew to avoid forgetting.
What does the HSTS header do?
Strict-Transport-Security forces browsers to always connect over HTTPS, preventing an attacker from downgrading the connection to unencrypted HTTP.
Is missing X-Frame-Options dangerous?
Yes. Without this header (or a CSP frame-ancestors rule), your page can be embedded in a hidden iframe to trick users into clicking (clickjacking).
Can this tool check an HTTP-only site (no SSL)?
Yes, it still scans the site but will flag missing HTTPS and skip the certificate section since there is no SSL to read.