~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (68/100) — missing: Referrer-Policy · weak: content-security-policy
── output ─────
68
security_score
HTTP 200 · https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fmail.google.com%2Fmail%2Fu%2F0%2F&dsh=S-1089715277%3A1776783691862106&emr=1&flowEntry=ServiceLogin&flowName=WebLiteSignIn&followup=https%3A%2F%2Fmail.google.com%2Fmail%2Fu%2F0%2F&ifkv=AT1y2_WZMTFW1o32QccDF12gQxyv_EgMzBSVAQGPAugge7LWV_1NEMVfOeHcscef5hmvz_FaP9DRZg&osid=1&passive=1209600&service=mail
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=31536000; includeSubDomains
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
script-src 'report-sample' 'nonce-nJb6Bx-Yua1MVLdWjyVuYg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /v3/signin/_/AccountsSignInUi/cspreport;worker-src 'self', require-trusted-types-for 'script';report-uri /v3/signin/_/AccountsSignInUi/cspreport
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
DENY
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ MISSING ]
// Controls how much referrer info is leaked when navigating away.
// missing — add this header to improve security
Permissions-Policy
[ PRESENT ]
// Restricts which browser features (camera, mic, etc.) the page can use.
ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*