~/tools / security-headers

Security Headers Checker

Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.

[ OK ] Strong security headers (90/100).

── output ─────

security_score

HTTP 200 · https://www.natwest.com/

Strict-Transport-Security (HSTS)

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000; includeSubDomains; preload

Content-Security-Policy (CSP)

[ STRONG ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

upgrade-insecure-requests;

X-Frame-Options

[ STRONG ]

// Prevents clickjacking by blocking iframe embedding from other origins.

SAMEORIGIN

X-Content-Type-Options

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

Referrer-Policy

[ PRESENT ]

// Controls how much referrer info is leaked when navigating away.

strict-origin-when-cross-origin

Permissions-Policy

[ PRESENT ]

// Restricts which browser features (camera, mic, etc.) the page can use.

geolocation=(self "https://natwest.com")

// Save natwest.com → we'll run this daily and alert on changes. /signup →