~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (63/100) — missing: HSTS · weak: content-security-policy
── output ─────
63
security_score
HTTP 403 · https://www.economist.com/
Strict-Transport-Security (HSTS)
[ MISSING ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
// missing — add this header to improve security
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'none'; script-src 'nonce-dA4X8ycTo0d5IqiI9SAR3P' 'unsafe-eval' https://challenges.cloudflare.com; script-src-attr 'none'; style-src 'unsafe-inline'; img-src 'self' https://challenges.cloudflare.com; connect-src 'self' https://challenges.cloudflare.com; frame-src 'self' https://challenges.cloudflare.com blob:; child-src 'self' https://challenges.cloudflare.com blob:; worker-src blob:; form-action 'self'; base-uri 'self'
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
SAMEORIGIN
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
same-origin
Permissions-Policy
[ PRESENT ]
// Restricts which browser features (camera, mic, etc.) the page can use.
accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=(),xr-spatial-tracking=(self)