~/tools / security-headers

Security Headers Checker

Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.

>
[ WARNING ] Decent but improvable (52/100) — missing: X-Frame-Options, Permissions-Policy · weak: content-security-policy
── output ─────
52
security_score
HTTP 200 · https://linear.app
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=63072000; includeSubDomains
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'self' https://static.linear.app https://static.linear.dev; connect-src 'self' https://o415358.ingest.sentry.io/api/5337513/ https://o415358.ingest.sentry.io/api/4504277957279744/ wss://ornj730p.api.sanity.io/ https://ornj730p.apicdn.sanity.io/ https://*.linear.app https://9RXBCYQ6DV-dsn.algolia.net https://linearstatus.com/ https://statuspage.incident.io/ https://app.posthog.com https://api.github.com/ https://raw.githubusercontent.com/ https://www.githubstatus.com/ https://dns.google/ http://127.0.0.1:44450/ http://127.0.0.1:18450/ http://127.0.0.1:33234/ https://api.linear.app https://client-api.linear.app wss://sync.linear.app/ https://storage.googleapis.com/uploads.linear.app/ https://storage.googleapis.com/linear-uploads-europe-west1/ https://storage.googleapis.com/linear-uploads-us-central1/ https://storage.googleapis.com/imports.linear.app/ https://storage.googleapis.com/linear-imports-europe-west1/ https://storage.googleapis.com/linear-imports-us-central1/ https://storage.googleapis.com/public.linear.app/ https://ornj730p.api.sanity.io/; script-src 'unsafe-inline' 'self' blob: https://js.stripe.com/v3 https://jobs.ashbyhq.com/Linear/embed https://e.linear.app https://challenges.cloudflare.com/turnstile/ 'wasm-unsafe-eval' https://static.linear.app https://static.linear.dev; worker-src 'self' blob: https://static.linear.app https://static.linear.dev; style-src 'self' 'unsafe-inline' https://static.linear.app https://static.linear.dev; font-src 'self' data: https://static.linear.app https://static.linear.dev; img-src 'self' data: blob: https://*.linear.app https://*.googleusercontent.com https://cdn.sanity.io/images/ornj730p/ https://webassets.linear.app https://linear.app/cdn-cgi/imagedelivery/ https://avatars.githubusercontent.com https://i.ytimg.com/vi/ https://avatars.slack-edge.com https://pbs.twimg.com/profile_images/ https://pbs.twimg.com/ext_tw_video_thumb/ https://secure.gravatar.com; frame-ancestors 'self' https://cms.linear.app; frame-src *; media-src blob: https://uploads.linear.app https://client-api.linear.app https://public.linear.app https://imports.linear.app https://static.linear.app https://webassets.linear.app https://cdn.sanity.io/files/ornj730p/ https://video.twimg.com/ext_tw_video/ https://linear.app/static/; base-uri 'self'; report-uri https://api.linear.app/report-violation
X-Frame-Options
[ MISSING ]
// Prevents clickjacking by blocking iframe embedding from other origins.
// missing — add this header to improve security
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
same-origin
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security
// Save linear.app → we'll run this daily and alert on changes. /signup →