Most websites are one missing header away from being vulnerable to clickjacking, MIME sniffing, or cross-site scripting.
Security headers — Strict-Transport-Security, Content-Security-Policy, X-Frame-Options — are basic protection that takes 10 minutes to configure. A surprising number of sites skip them entirely.
I built an auditor. It checks any domain against the OWASP recommended header list and scores it 0–100.
Ran it across 12 UK business websites:
→ 3 scored above 80 — solid configuration
→ 5 scored between 40 and 70 — room to improve
→ 4 scored below 30 — significant gaps
Some of the worst scores belonged to well-known brands with full IT teams. Security headers are easy to miss when nobody's specifically looking for them.
Built in Python using only the requests library. No API key, no setup — just point it at a domain.
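To make the idea concrete, here is an added example of how such a scorer can be structured. It is not the author's tool: the header list is a subset of the OWASP Secure Headers Project recommendations, and the weights and the per-header value checks (HSTS max-age of at least one year, DENY/SAMEORIGIN for X-Frame-Options, nosniff, no wildcard source in CSP) are this example's own assumptions. The scoring core is a pure function over a header map, so it can be tested offline; `audit_domain` wraps it with a live fetch via `requests`.

```python
"""Score an HTTP response's security headers from 0 to 100.

Added example, not the author's auditor. Header subset follows the OWASP
Secure Headers Project list; weights and value checks are assumptions made
for this example.
"""
import re
from typing import Callable, Dict, List, Tuple

Check = Callable[[str], bool]


def _hsts_ok(value: str) -> bool:
    # Require max-age of at least one year (31536000 s); shorter values give
    # little protection because the policy expires before users return.
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 31536000


def _xfo_ok(value: str) -> bool:
    # Only these two values actually prevent framing by other origins.
    return value.strip().upper() in {"DENY", "SAMEORIGIN"}


def _xcto_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def _csp_ok(value: str) -> bool:
    # Minimal sanity check: default-src or script-src must exist and must
    # not be a blanket wildcard. A full CSP evaluator is out of scope here.
    directives = {d.strip().split(" ")[0].lower(): d.strip()
                  for d in value.split(";") if d.strip()}
    src = directives.get("default-src") or directives.get("script-src")
    return src is not None and "*" not in src.split()[1:]


def _referrer_ok(value: str) -> bool:
    return value.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin",
    }


def _present(value: str) -> bool:
    # Presence-only check for headers whose "right" value is site-specific.
    return bool(value.strip())


# (header name, weight, value check). Weights sum to 100 (assumed split).
CHECKS: List[Tuple[str, int, Check]] = [
    ("Strict-Transport-Security", 20, _hsts_ok),
    ("Content-Security-Policy", 25, _csp_ok),
    ("X-Frame-Options", 15, _xfo_ok),
    ("X-Content-Type-Options", 15, _xcto_ok),
    ("Referrer-Policy", 10, _referrer_ok),
    ("Permissions-Policy", 10, _present),
    ("Cross-Origin-Opener-Policy", 5, _present),
]


def score_headers(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score 0-100, findings) for a header map; names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    score = 0
    findings: List[str] = []
    for name, weight, check in CHECKS:
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"MISSING  {name}")
        elif not check(value):
            findings.append(f"WEAK     {name}: {value!r}")
        else:
            score += weight
    return score, findings


def audit_domain(domain: str, timeout: float = 10.0) -> Tuple[int, List[str]]:
    """Fetch https://<domain>/ and score the final response's headers.

    Uses the requests library (third-party); imported lazily so the pure
    scoring function above works without it installed.
    """
    import requests
    resp = requests.get(f"https://{domain}/", timeout=timeout, allow_redirects=True,
                        headers={"User-Agent": "header-audit-example/1.0"})
    return score_headers(dict(resp.headers))


# Constructed sample responses (not real sites) illustrating two score bands.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",  # present but far too short
    "X-Frame-Options": "ALLOWALL",               # not a protective value
    "x-content-type-options": "nosniff",         # lower-case name still matches
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        score, findings = audit_domain(sys.argv[1])
    else:
        score, findings = score_headers(SAMPLE_WEAK)
    print(f"score: {score}/100")
    for f in findings:
        print("  " + f)
```

Run it with a domain as the first argument to audit a live site, or with no arguments to score the constructed weak sample. Distinguishing "missing" from "weak" matters in practice: a site that sets `Strict-Transport-Security: max-age=300` looks compliant to a presence-only scanner but gets almost no benefit from it.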
Interested in this project?
I'm always happy to talk through how it was built, the problems it solves, or how something similar could work for you.