~/tools / security-headers

Security Headers Checker

Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.

>
[ WARNING ] Below average (47/100) — missing: Referrer-Policy, Permissions-Policy · weak: content-security-policy, x-content-type-options
── output ─────
47
security_score
HTTP 200 · https://www.figma.com/
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=31536000; includeSubDomains; preload
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'self' https://accounts.google.com/gsi/ ; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://platform.twitter.com/js/ https://platform.twitter.com/widgets.js https://player.vimeo.com/api/player.js https://www.youtube.com/iframe_api https://www.youtube.com/s/player/ https://accounts.google.com/gsi/client https://adora-cdn.com/adora-start.js ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://accounts.google.com/gsi/style ; object-src 'none' ; base-uri 'self' ; font-src 'self' https://fonts.gstatic.com ; connect-src 'self' https://static.figma.com https://forms.figma.com https://boards-api.greenhouse.io/v1/boards/figma/jobs https://vimeo.com https://accounts.google.com/gsi/ https://figma.com/api/figment-proxy/monitor https://staging.figma.com/api/figment-proxy/monitor https://figma.com/api/figment-proxy/identify https://staging.figma.com/api/figment-proxy/identify https://figma.com/api/figment-proxy/page https://staging.figma.com/api/figment-proxy/page https://cdn.sanity.io https://events.statsigapi.net/v1/rgstr https://statsigapi.net/v1/sdk_exception https://prodregistryv2.org/v1/rgstr https://featuregates.org/v1/initialize https://featureassets.org/v1/initialize https://o22594.ingest.sentry.io *.adora-cdn.com https://figma-marketing-tools.vercel.app/api/white-background ; frame-src 'self' *.figma.site https://www.figma.com https://marketing.figma.com https://marketing.staging.figma.com https://platform.twitter.com https://player.vimeo.com https://www.youtube.com https://accounts.google.com/gsi/ https://figma.com/api/figment-proxy/monitor https://staging.figma.com/api/figment-proxy/monitor https://figma.com/api/figment-proxy/identify https://staging.figma.com/api/figment-proxy/identify https://figma.com/api/figment-proxy/page https://staging.figma.com/api/figment-proxy/page ; img-src 'self' data: blob: https://cdn.sanity.io https://i.vimeocdn.com https://*.figma.com https://i.ytimg.com https://www.gravatar.com https://i0.wp.com/s3-alpha.figma.com/ https://i1.wp.com/s3-alpha.figma.com/ https://i2.wp.com/s3-alpha.figma.com/ https://i3.wp.com/s3-alpha.figma.com/ ; media-src 'self' https://cdn.sanity.io https://static.figma.com ; worker-src 'self' ; upgrade-insecure-requests
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
SAMEORIGIN
X-Content-Type-Options
[ WEAK ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff, nosniff
Referrer-Policy
[ MISSING ]
// Controls how much referrer info is leaked when navigating away.
// missing — add this header to improve security
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security
// Save figma.com → we'll run this daily and alert on changes. /signup →