~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ CRITICAL ]
Weak security posture (23/100) — missing: HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy · weak: content-security-policy
── output ─────
23
security_score
HTTP 200 · https://edition.cnn.com/
Strict-Transport-Security (HSTS)
[ MISSING ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
// missing — add this header to improve security
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'self' blob: https://*.cnn.com:* http://*.cnn.com:* *.cnn.io:* *.cnn.net:* *.turner.com:* *.turner.io:* *.ugdturner.com:* courageousstudio.com *.vgtf.net:*; script-src 'unsafe-eval' 'unsafe-inline' 'self' *; style-src 'unsafe-inline' 'self' blob: *; child-src 'self' blob: *; frame-src 'self' *; object-src 'self' *; img-src 'self' data: blob: *; media-src 'self' data: blob: *; font-src 'self' data: *; connect-src 'self' data: *; frame-ancestors 'self' https://*.cnn.com:* http://*.cnn.com https://*.cnn.io:* http://*.cnn.io:* *.turner.com:* courageousstudio.com;
X-Frame-Options
[ MISSING ]
// Prevents clickjacking by blocking iframe embedding from other origins.
// missing — add this header to improve security
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ MISSING ]
// Controls how much referrer info is leaked when navigating away.
// missing — add this header to improve security
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security