~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (78/100) — missing: Permissions-Policy
── output ─────
78
security_score
HTTP 200 · https://www.hey.com/
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=63072000; includeSubdomains; preload
Content-Security-Policy (CSP)
[ STRONG ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
script-src 'self' 'sha256-152qnSojXPPJBO5ypmrZJeZhpvmsrci2Y3Qw5yXp7e0=' 'sha256-7cDpqsuL5+exPN4dqbhudHG9ydHdTHU1FuKCkWnh99o=' https://platform.twitter.com https://stats.hey.com https://sdks.shopifycdn.com; object-src 'self'; connect-src https://stats.hey.com https://monorail-edge.shopifysvc.com https://basecamp-kitsch.myshopify.com https://basecamp.us2.list-manage.com 'self';
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
DENY
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
same-origin
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security