~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (63/100) — missing: X-Frame-Options · weak: content-security-policy
── output ─────
63
security_score
HTTP 200 · https://www.faz.net/aktuell/
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=31536000; includeSubDomains
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
base-uri 'self' *.adform.net https://cdn.justpremium.com; font-src 'self' https: data: *.taboola.com; form-action 'self'; frame-ancestors *; img-src 'self' https: data: *.testfaz.net *.faz.net *.taboola.com; object-src 'self'; script-src-attr 'unsafe-inline'; style-src https: 'unsafe-inline' 'self' *.testfaz.net *.faz.net *.taboola.com; script-src 'unsafe-inline' 'unsafe-eval' https: *; upgrade-insecure-requests; connect-src *; default-src 'self' https:; frame-src *; media-src 'self' https: data:; worker-src * blob:;
X-Frame-Options
[ MISSING ]
// Prevents clickjacking by blocking iframe embedding from other origins.
// missing — add this header to improve security
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
strict-origin-when-cross-origin
Permissions-Policy
[ PRESENT ]
// Restricts which browser features (camera, mic, etc.) the page can use.
camera=(), display-capture=(), fullscreen=(self "https://www.youtube.com"), geolocation=(), microphone=()