
Site Privacy Scanner

Enter any website URL to check its security headers, HTTPS configuration, and third-party tracking scripts, and get an instant privacy grade. The scanner fetches the page server-side and analyses the HTTP response headers and the HTML it returns.

Limitations: the scan may be blocked by sites with strict bot protection, and it times out after 10 seconds.

Quick Answer

This tool fetches any public URL and checks: HTTPS status, 9 security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, etc.), and which third-party tracking scripts are loaded. You get an A–F privacy grade. CSP is worth 25/100 points alone — the most impactful header.

  • Missing CSP = -25 points (biggest single factor in scoring)
  • Tracking scripts (GA, Facebook Pixel, Hotjar) each reduce the score
  • A low grade doesn't mean 'unsafe': large sites often skip strict headers for compatibility
  • HSTS is remembered by the browser for its max-age, so later visits (even from a typed http:// URL or an http:// link) go straight to HTTPS

Why Security Headers Matter

HTTP security headers are instructions that a web server sends to your browser to enforce security behaviours — like only loading scripts from trusted sources, refusing to be embedded in iframes, or requiring HTTPS for all connections. Misconfigured or absent headers leave sites — and their visitors — exposed to a range of attacks.

The 4 Most Critical Headers

Strict-Transport-Security (HSTS)

HSTS tells browsers to always connect via HTTPS for a specified period (max-age), even if the user types "http://" or follows an http:// link. Without it, a network attacker who can intercept that first plaintext request can keep the victim on HTTP (an SSL-stripping downgrade) and read or modify the traffic. The header only takes effect once the browser has seen it over HTTPS, so the very first visit is unprotected unless the domain is on the browser preload list; includeSubDomains and preload close that gap.

Content-Security-Policy (CSP)

CSP is the most powerful defence against cross-site scripting (XSS). It defines which sources scripts, styles, images, and frames may be loaded from, and a strict policy (nonces or hashes for scripts, no 'unsafe-inline' or 'unsafe-eval', no wildcard script sources) stops injected code from executing even when an injection bug exists. It is also the hardest header to implement correctly: a permissive policy that allow-lists 'unsafe-inline' provides little protection, and the header merely being present says nothing about its strength.

X-Frame-Options

Prevents your site from being embedded in an iframe on another site. This blocks "clickjacking", where an attacker overlays an invisible frame of your site on a page they control so that the victim clicks buttons they cannot see. Only the values DENY and SAMEORIGIN are honoured by current browsers; the CSP frame-ancestors directive is the modern replacement, and browsers ignore X-Frame-Options when frame-ancestors is present.

Referrer-Policy

Controls how much of the current page's URL is sent in the Referer header when the user navigates to, or the page loads resources from, another site. Without a policy the browser's default applies: current browsers default to strict-origin-when-cross-origin (origin only to other sites) or stricter, but older defaults, and the explicit values unsafe-url and no-referrer-when-downgrade, send the full URL including path and query string, which can leak session tokens, password-reset links or search terms to third parties.
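The scanner grades on presence, but the four headers above can be present and still weak. The following added example (not the scanner's code, and not code from the site this page belongs to) checks the header values for the problems described in each section: a short or preload-ineligible HSTS max-age, a CSP that still allows inline or wildcard scripts, an X-Frame-Options value browsers no longer honour, and a leaky Referrer-Policy. The two header sets at the bottom are constructed samples.

```python
import re

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the HSTS preload list accepts


def check_hsts(value):
    """Findings for a Strict-Transport-Security value (None = header absent)."""
    if value is None:
        return ["missing: typed http:// URLs and http:// links are sent in the clear"]
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return ["invalid: no max-age directive, so browsers ignore the header"]
    findings, max_age, low = [], int(m.group(1)), value.lower()
    if max_age == 0:
        findings.append("max-age=0 clears any stored HSTS entry for this host")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the one year preloading requires")
    if "includesubdomains" not in low:
        findings.append("no includeSubDomains: subdomains remain downgradeable")
    if "preload" not in low:
        findings.append("no preload: the first visit is unprotected (trust on first use)")
    return findings


SCRIPT_WILDCARDS = ("*", "https:", "http:", "data:")


def check_csp(value):
    """Findings for a Content-Security-Policy value, focused on script execution."""
    if value is None:
        return ["missing: injected scripts run unrestricted"]
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, as in the CSP spec
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return ["no script-src or default-src: script sources are unrestricted"]
    findings = []
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
    nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: inline XSS payloads still execute")
    if "'unsafe-eval'" in script:
        findings.append("'unsafe-eval': eval()/new Function() on attacker-controlled strings allowed")
    for t in script:
        if t in SCRIPT_WILDCARDS:
            findings.append(f"{t} in script sources allows scripts from any matching origin")
    if "frame-ancestors" not in directives:
        findings.append("no frame-ancestors: framing control falls back to X-Frame-Options alone")
    return findings


def check_xfo(value):
    """Findings for X-Frame-Options; only DENY and SAMEORIGIN are honoured today."""
    if value is None:
        return ["missing: page can be framed by any origin"]
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return []
    if v.startswith("ALLOW-FROM"):
        return ["ALLOW-FROM is not supported by current browsers; use CSP frame-ancestors"]
    return [f"unrecognised value {value!r}; browsers ignore it"]


LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}


def check_referrer_policy(value):
    """Findings for Referrer-Policy; a comma-separated list uses its last value."""
    if value is None:
        return ["missing: browser default applies (strict-origin-when-cross-origin in current browsers)"]
    v = value.split(",")[-1].strip().lower()
    if v in LEAKY_REFERRER:
        return [f"{v} sends the full URL (path and query) to cross-origin destinations"]
    if v not in SAFE_REFERRER:
        return [f"unrecognised value {value!r}; browsers fall back to their default"]
    return []


def analyse(headers):
    """Map each of the four headers to its findings; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "strict-transport-security": check_hsts(h.get("strict-transport-security")),
        "content-security-policy": check_csp(h.get("content-security-policy")),
        "x-frame-options": check_xfo(h.get("x-frame-options")),
        "referrer-policy": check_referrer_policy(h.get("referrer-policy")),
    }


# Constructed samples: all four headers present, first weak, then strong.
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
        "Referrer-Policy": "unsafe-url"}
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
          "Content-Security-Policy": "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; "
                                     "object-src 'none'; frame-ancestors 'none'",
          "X-Frame-Options": "DENY",
          "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for name, findings in analyse(WEAK).items():
        print(name, findings or ["ok"])
```

Every header in the weak set would count as "present" under a presence-only score, which is why a practitioner reads the values rather than the grade alone.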

How Tracker Scripts Affect Your Privacy

Third-party JavaScript loaded from external domains can track you across the entire web. Google Analytics sees every page you visit on any site using GA. Facebook's pixel reports your activity to Facebook even if you're not logged in. Hotjar and FullStory can record every mouse movement and keypress.

A VPN hides your real IP address from these trackers, but it does not stop the cookies and browser fingerprinting they rely on to recognise you. A content blocker like uBlock Origin is what prevents most tracking scripts from loading at all; the two are complementary.

Block Trackers at the Network Level

LimeVPN routes your traffic through private DNS servers that block known tracker domains. Every site you visit has less data about you.

Get LimeVPN — From $5.99/mo

AES-256 Encryption · No-Logs Policy · 30+ Locations · Kill Switch

Frequently Asked Questions

What security headers does this tool check?
The scanner checks nine security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP), and X-XSS-Protection. Each affects a different attack surface. Note that X-XSS-Protection is a legacy header: the browser XSS auditors it controlled have been removed from Chrome and Edge, Firefox never implemented one, and the current recommendation is to omit it or set it to 0 and rely on CSP instead.
How is the privacy grade calculated?
The grade is based on a 100-point score: HTTPS (10 points), security headers (up to 90 points, each present header adding its weight), minus a penalty for tracking scripts (up to −20 points). Missing CSP costs 25 points, the largest single factor, reflecting its importance in preventing script injection attacks. Points are awarded for a header being present, so a weak value (for example a CSP that allows 'unsafe-inline') still earns them.
Why do well-known sites sometimes get low grades?
Large sites often prioritise broad compatibility over strict security headers, especially CSP which requires careful configuration. Many popular sites also load dozens of third-party tracking scripts that reduce their score significantly. A low grade doesn't mean the site is unsafe to use — it means it's not following privacy best practices.
Can the scanner see my personal data on the site?
No. The scanner fetches only the publicly accessible HTML of the URL you provide. It does not log in, access cookies, or see any personal data. It inspects HTTP response headers and analyses which external JavaScript sources are referenced in the HTML source.
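The scoring answer above and this one together describe the whole pipeline: take the response headers and the HTML, find the third-party script sources, and combine them into the 100-point score. The added example below (not the scanner's code, and not code from the site this page belongs to) does that for a captured response. The page fixes only CSP = 25, HTTPS = 10, headers = 90 in total and a tracker penalty of at most 20; the remaining per-header weights, the 5 points per tracker, the A–F cut-offs and the tracker domain list are assumptions, and the sample URL, headers and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed split of the 90 header points; only the CSP weight comes from the page.
HEADER_POINTS = {
    "content-security-policy": 25,
    "strict-transport-security": 15,
    "x-frame-options": 10,
    "x-content-type-options": 10,
    "referrer-policy": 10,
    "permissions-policy": 8,
    "cross-origin-opener-policy": 5,
    "cross-origin-resource-policy": 5,
    "x-xss-protection": 2,  # legacy header, but the page's scheme still counts it
}
HTTPS_POINTS = 10
TRACKER_PENALTY_EACH = 5    # assumed
TRACKER_PENALTY_MAX = 20    # from the page
GRADE_CUTOFFS = ((90, "A"), (75, "B"), (60, "C"), (40, "D"))  # assumed

# Assumed tracker list: registrable domains the named products load their scripts from.
TRACKER_DOMAINS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "facebook.net": "Facebook Pixel",
    "hotjar.com": "Hotjar",
    "fullstory.com": "FullStory",
}


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag; the HTML is never executed."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_trackers(html, page_url):
    """Return {product name: host} for third-party scripts on a known tracker domain."""
    parser = ScriptSrcParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    found = {}
    for src in parser.srcs:
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if not host or host == page_host:  # relative path or first-party script
            continue
        for domain, product in TRACKER_DOMAINS.items():
            if host == domain or host.endswith("." + domain):
                found[product] = host
    return found


def grade(total):
    for cutoff, letter in GRADE_CUTOFFS:
        if total >= cutoff:
            return letter
    return "F"


def score(url, headers, html):
    """Score one response: +HTTPS, +present headers, -tracker penalty, floored at 0."""
    present = {k.lower() for k in headers}
    missing = {name: pts for name, pts in HEADER_POINTS.items() if name not in present}
    trackers = find_trackers(html, url)
    penalty = min(TRACKER_PENALTY_MAX, TRACKER_PENALTY_EACH * len(trackers))
    https = HTTPS_POINTS if urlparse(url).scheme == "https" else 0
    total = max(0, https + sum(HEADER_POINTS.values()) - sum(missing.values()) - penalty)
    return {"score": total, "grade": grade(total), "missing": missing,
            "trackers": trackers, "tracker_penalty": penalty}


# Constructed sample response: HTTPS, two of nine headers set, three trackers loaded.
SAMPLE_URL = "https://shop.example/"
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    result = score(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)
    print(result["grade"], result["score"], sorted(result["trackers"]))
    for name, pts in result["missing"].items():
        print(f"  missing {name}: -{pts}")
```

For the sample the score is 10 + 25 − 15 = 20 (grade F under the assumed cut-offs), and the missing-header breakdown shows that adding a CSP alone would recover 25 points.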
Why might a scan fail?
Some sites block automated requests using bot detection (Cloudflare, Akamai, etc.), return non-standard responses, have very slow load times, or restrict access by geographic IP. The scan times out after 10 seconds. If a scan fails, try the site's homepage URL rather than a subpage.
What is Content Security Policy (CSP)?
CSP is a browser security feature that restricts which scripts, styles, and resources a page can load. It's the most powerful defence against cross-site scripting (XSS) attacks — an attacker-injected script can't run if the CSP doesn't allow it. CSP is worth 25 out of 100 points in our scoring because it's one of the most impactful headers.
