Headers
HTTP security policies
š 108.162.241.106
š„ 5 left
Comprehensive Check of 6 Core Security Headers
Enable browser security features via HTTP response headers to protect your application from common attacks.
Tooling: custom Node.js script (axios HTTP client)
Goal: evaluate defenses against XSS, clickjacking, MIME sniffing, and data leakage
Headers evaluated:
ā¢ Content-Security-Policy (CSP) ā restricts resource sources; mitigates XSS/thirdāparty script abuse
ā¢ X-Frame-Options / frame-ancestors ā blocks framing; prevents clickjacking/phishing overlays
ā¢ X-Content-Type-Options ā prevents MIME sniffing; mitigates incorrect execution
ā¢ Referrer-Policy ā minimizes referrer data; prevents sensitive URL exposure
ā¢ Permissions-Policy ā limits browser features (location, mic, camera) to protect privacy
ā¢ Strict-Transport-Security (HSTS) ā forces HTTPS; prevents MITM/downgrade attacks
Where to configure: CDN (Cloudflare), web server (Nginx/Apache), application (e.g., Laravel)
Applying headers together yields the strongest protection.
Tooling: custom Node.js script (axios HTTP client)
Goal: evaluate defenses against XSS, clickjacking, MIME sniffing, and data leakage
Headers evaluated:
ā¢ Content-Security-Policy (CSP) ā restricts resource sources; mitigates XSS/thirdāparty script abuse
ā¢ X-Frame-Options / frame-ancestors ā blocks framing; prevents clickjacking/phishing overlays
ā¢ X-Content-Type-Options ā prevents MIME sniffing; mitigates incorrect execution
ā¢ Referrer-Policy ā minimizes referrer data; prevents sensitive URL exposure
ā¢ Permissions-Policy ā limits browser features (location, mic, camera) to protect privacy
ā¢ Strict-Transport-Security (HSTS) ā forces HTTPS; prevents MITM/downgrade attacks
Where to configure: CDN (Cloudflare), web server (Nginx/Apache), application (e.g., Laravel)
Applying headers together yields the strongest protection.
| Grade | Score | Criteria |
|---|---|---|
| A+ | 95ā100 |
Strong CSP (nonce/hash/strict-dynamic; no unsafe-*) XFO: DENY/SAMEORIGIN or limited frame-ancestors X-Content-Type: nosniff Referrer-Policy: strict-origin-when-cross-origin or better Permissions-Policy: unneeded features blocked HSTS: ā„ 6 months + include subdomains |
| A | 85ā94 |
CSP present (weaker allowed) or 5 nonāCSP items strong XFO applied (or frameāancestors limited) X-Content-Type: nosniff ReferrerāPolicy: recommended value PermissionsāPolicy: basic restrictions HSTS: ā„ 6 months |
| B | 70ā84 |
CSP none/weak XFO applied X-Content-Type: present (nosniff) ReferrerāPolicy: okay/average PermissionsāPolicy: partially restricted HSTS: short or no subdomains |
| C | 55ā69 |
Some headers present CSP none/weak ReferrerāPolicy weak X-Content-Type missing HSTS absent or very short |
| D | 40ā54 |
Only 1ā2 key headers present No CSP Referrer weak/absent Many other headers missing |
| F | 0ā39 |
Security headers virtually absent No CSP/XFO/X-Content No ReferrerāPolicy No HSTS |
Grading policy: A+ requires a strong CSP. If CSP is absent, an A can still be awarded when the five nonāCSP headers (XFO, XāContentāTypeāOptions, ReferrerāPolicy, PermissionsāPolicy, HSTS) are all strong.
No results yet
Run a test to view the security headers analysis.
No data yet
Run a test to view the raw JSON data.
Sign in to view test history.
Sign in to manage domains.