~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (52/100) — missing: X-Frame-Options, Permissions-Policy · weak: content-security-policy
── output ─────
52
security_score
HTTP 200 · https://www.klarna.com/nl/?grr=empty&grs=%2F
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=31536000; includeSubDomains; preload
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'self';script-src 'self' 'strict-dynamic' 'nonce-85ad7918-110a-4d6f-9f04-1beb26c00bdd' 'report-sample' https://owp.klarna.com/ https://cdn.cookielaw.org/;style-src 'self' 'unsafe-inline' 'report-sample' https://owp.klarna.com/ https://www.gstatic.com/ https://x.klarnacdn.net/;img-src 'self' data: blob: https: chrome-extension:;media-src 'self' data: https: blob:;connect-src 'self' *.google.com *.google-analytics.com *.googlesyndication.com *.googletagmanager.com www.googleadservices.com *.adtrafficquality.google fonts.googleapis.com translate.googleapis.com fonts.gstatic.com www.gstatic.com ssl.google-analytics.com csi.gstatic.com *.g.doubleclick.net bat.bing.com *.klarna.com klarna-eu.api.unboxai.com klarna.atlassian.net production.videos.production.eu1.influencer-platform.klarna.net x.klarnacdn.net assets.klarnacdn.net api.videoly.co o24547.ingest.us.sentry.io *.onetrust.com *.cookielaw.org cookies-data.onetrust.io www.youtube.com images.ctfassets.net videos.ctfassets.net images.pricerunner.com evt2.klarna.app tr.snapchat.com tr6.snapchat.com sc-static.net ams.creativecdn.com facdn.financeads.net ;font-src 'self' https: data:;frame-src 'self' *.snapchat.com *.klarna.com *.klarnacdn.net *.adtrafficquality.google *.googlesyndication.com *.googletagmanager.com *.googleadservices.com *.googletagservices.com *.doubleclick.net *.google.com www.youtube.com www.youtube-nocookie.com *.criteo.com osm.klarnaservices.com open.spotify.com ams.creativecdn.com hackerone.com neu.mein-onlineantrag.de widget.trustpilot.com platform.twitter.com syndication.twitter.com;base-uri 'self';manifest-src 'self';object-src 'none';frame-ancestors 'self' *.klarna.com app.contentful.com;upgrade-insecure-requests
X-Frame-Options
[ MISSING ]
// Prevents clickjacking by blocking iframe embedding from other origins.
// missing — add this header to improve security
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
strict-origin-when-cross-origin
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security