~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ OK ]
Strong security headers (80/100) — weak: content-security-policy.
── output ─────
80
security_score
HTTP 200 · https://www.bbc.co.uk/
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=31536000; preload
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'none'; script-src 'strict-dynamic' 'nonce-1zY1SnwFVyn6um4h72gyEGzbD3TPkG00VlP4wViQp5YJlA5SHs' 'self' 'report-sample' 'unsafe-inline' cdn.syndication.twimg.com connect.facebook.net c.files.bbci.co.uk emp.bbci.co.uk mybbc-analytics.files.bbci.co.uk nav.files.bbci.co.uk news.files.bbci.co.uk platform.twitter.com public.flourish.studio static.bbc.co.uk static.bbci.co.uk static.chartbeat.com static2.chartbeat.com www.bbc.co.uk www.instagram.com www.ons.gov.uk gn-web-assets.api.bbc.com www.google-analytics.com bitesize.files.bbci.co.uk www.tiktok.com lf16-tiktok-web.ttwstatic.com static.files.bbci.co.uk; img-src 'self' https: data:; font-src c.files.bbci.co.uk gel.files.bbci.co.uk static.files.bbci.co.uk static.bbci.co.uk news.files.bbci.co.uk ws-downloads.files.bbci.co.uk bitesize.files.bbci.co.uk; style-src branding.files.bbci.co.uk cdn.riddle.com flo.uri.sh news.files.bbci.co.uk platform.twitter.com static.bbc.co.uk static.bbci.co.uk static.files.bbci.co.uk ton.twimg.com www.riddle.com 'unsafe-inline' lf16-tiktok-web.ttwstatic.com; frame-src 'self' bbc001.carto.com bbc003.carto.com bbc-maps.carto.com cdn.riddle.com chartbeat.com emp.bbc.co.uk emp.bbc.com flo.uri.sh graphics.reuters.com www.reuters.com graphics.thomsonreuters.com dynamic.mc-cdn.io vapi.mc-cdn.io vapi.beta.mc-cdn.io elections.mapcreator.io elections.beta.mapcreator.io cdn.mapcreator.io m.facebook.com news.files.bbci.co.uk personaltaxcalculator2.deloittecloud.co.uk platform.twitter.com public.flourish.studio static2.chartbeat.com syndication.twitter.com web.facebook.com www.bbc.co.uk www.facebook.com www.instagram.com www.tiktok.com www.ons.gov.uk www.riddle.com www.youtube.com www.youtube-nocookie.com uk-script.dotmetrics.net ssp-app-uk.votenow.tv ssp-app-uktest.votenow.tv ssp-app-ukbench.votenow.tv session.test.bbc.co.uk session.bbc.co.uk session.stage.bbc.co.uk bitesize.files.bbci.co.uk; object-src 'none'; manifest-src static.files.bbci.co.uk bitesize.files.bbci.co.uk; media-src 'self' blob: https:; connect-src 'self' https:; child-src blob:; base-uri 'none'; form-action 'self' platform.twitter.com syndication.twitter.com uk-script.dotmetrics.net/DeviceInfo.dotmetrics account.bbc.com/auth/identifier/landing; frame-ancestors 'none'; upgrade-insecure-requests; report-to default; report-uri https://webcore.bbc-reporting-api.app/report-endpoint;
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
DENY
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
strict-origin-when-cross-origin
Permissions-Policy
[ PRESENT ]
// Restricts which browser features (camera, mic, etc.) the page can use.
accelerometer=(), autoplay=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), camera=(), document-domain=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), encrypted-media=(), fullscreen=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), screen-wake-lock=(), sync-xhr=(self), usb=(), xr-spatial-tracking=(), browsing-topics=(), join-ad-interest-group=(), run-ad-auction=()