Free tool

Security Headers Checker

Security headers are launch hygiene. isitready.dev checks whether the browser receives enforceable headers, then gives fix guidance in the context of the whole site.

Read-only public scan. No login, no crawler install, and no private URLs are fetched.

Surface: Free tool
Scope: Public web evidence
Auth: None required
Schema: SoftwareApplication

What it checks

The scan reads Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, frame controls, referrer policy, and cache-sensitive response headers.

Why it matters

Headers reduce downgrade, injection, clickjacking, MIME sniffing, and policy drift risks that otherwise turn a polished page into an avoidable incident.

How to fix

Start with explicit CSP, long-lived HSTS after HTTPS is stable, nosniff, strict-origin referrers, and a frame policy that matches your embed needs.
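
The fix list above, expressed as a check over one response's headers. This is an added example, not isitready.dev's own code; the one-year HSTS threshold, the set of accepted referrer policies, and the sample headers are assumptions made for illustration.

```python
import re

MIN_HSTS_AGE = 31536000  # assumption: one year counts as "long-lived"
STRICT_REFERRERS = {"no-referrer", "same-origin", "strict-origin",
                    "strict-origin-when-cross-origin"}

def csp_directives(policy):
    """Split a CSP value into {directive: [sources]}; first occurrence wins."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit_headers(raw):
    """Return {check: "ok" or a finding} for one response's headers."""
    h = {k.lower(): v.strip() for k, v in raw.items()}
    csp = csp_directives(h.get("content-security-policy", ""))
    res = {}
    if csp:
        res["csp"] = "ok"
    elif "content-security-policy-report-only" in h:
        res["csp"] = "report-only"  # violations are reported, not blocked
    else:
        res["csp"] = "missing"
    m = re.search(r'max-age="?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m:
        res["hsts"] = "missing"
    else:
        res["hsts"] = "ok" if int(m.group(1)) >= MIN_HSTS_AGE else "short max-age"
    sniff = h.get("x-content-type-options", "").lower()
    res["nosniff"] = "ok" if sniff == "nosniff" else "missing"
    # Simplification: treat the last policy in a comma-separated list as effective.
    ref = h.get("referrer-policy", "").lower().split(",")[-1].strip()
    res["referrer"] = "ok" if ref in STRICT_REFERRERS else "missing or permissive"
    xfo = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    res["frame"] = "ok" if xfo or "frame-ancestors" in csp else "missing"
    return res

# Constructed sample: report-only CSP, one-hour HSTS, no frame policy.
SAMPLE = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print(audit_headers(SAMPLE))
```

A frame policy is accepted from either `X-Frame-Options` or a CSP `frame-ancestors` directive, so a site that allows specific embedders through CSP is not flagged.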

FAQ

Common questions

Is this a replacement for a security review?
No. It is a public header posture check. It catches missing launch hygiene, not application logic vulnerabilities or private-code issues.

Should CSP start in report-only mode?
For established sites, yes. New small sites can often ship an enforcing CSP earlier if every script and connection source is known.