~/tools / security-headers

Security Headers Checker

Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.

>
[ CRITICAL ] Weak security posture (13/100) — missing: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy · weak: strict-transport-security, content-security-policy
── output ─────
13
security_score
HTTP 200 · https://www.anthropic.com/
Strict-Transport-Security (HSTS)
[ WEAK ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=3600
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.intellimize.co https://cdnjs.cloudflare.com https://d3e54v103j8qbb.cloudfront.net https://cdn.prod.website-files.com https://hubspotonwebflow.com https://www.googletagmanager.com https://a-cdn.anthropic.com https://connect.facebook.net https://www.youtube.com https://cdn.jsdelivr.net https://cdn.finsweet.com https://maps.googleapis.com https://js.hsforms.net https://player.vimeo.com; style-src 'self' 'unsafe-inline' https://cdn.prod.website-files.com https://cdnjs.cloudflare.com https://fonts.googleapis.com; img-src 'self' data: https://cdn.sanity.io https://www-cdn.anthropic.com https://cdn.prod.website-files.com https://img.youtube.com https://i.ytimg.com https://www.facebook.com https://maps.googleapis.com https://maps.gstatic.com https://www.googletagmanager.com https://forms-na1.hsforms.com; frame-src 'self' https://www.youtube-nocookie.com https://www.youtube.com https://cdn.embedly.com https://*.intellimizeio.com https://anthropic.swoogo.com https://*.hsforms.com https://*.hubspot.com; connect-src 'self' blob: https://cdn.intellimize.co https://api.intellimize.co https://log.intellimize.co https://cdn.sanity.io https://links.iterable.com https://a-cdn.anthropic.com https://a-api.anthropic.com https://www.facebook.com https://www.google-analytics.com https://cdn.prod.website-files.com https://hubspotonwebflow.com https://maps.googleapis.com https://vimeo.com https://www.googletagmanager.com https://code.claude.com https://forms.hsforms.com https://hubspot-forms-static-embed.s3.amazonaws.com https://cdnjs.cloudflare.com https://www.gstatic.com; media-src 'self' https://cdn.sanity.io; worker-src 'self' blob:; font-src 'self' data: https://cdn.prod.website-files.com https://fonts.gstatic.com; object-src 'none'; frame-ancestors 'self'; base-uri 'self'
X-Frame-Options
[ MISSING ]
// Prevents clickjacking by blocking iframe embedding from other origins.
// missing — add this header to improve security
X-Content-Type-Options
[ MISSING ]
// Prevents MIME sniffing. Should be 'nosniff'.
// missing — add this header to improve security
Referrer-Policy
[ MISSING ]
// Controls how much referrer info is leaked when navigating away.
// missing — add this header to improve security
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security
// Save anthropic.com → we'll run this daily and alert on changes. /signup →