Paste any HTTPS URL. We'll fetch it through an SSRF-safe client (no internal networks, no metadata endpoints), inspect the response headers, and grade the page on the standard security-headers checklist — CSP, HSTS, the X-headers, Referrer-Policy, Permissions-Policy, and the cross-origin isolation set.
This tool is a one-shot check. PhishFence watches your domain 24/7 for DMARC changes, new lookalike registrations, and spoofing attempts.