~/tools / security-headers

Security Headers Checker

Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.

[ WARNING ] Decent but improvable (50/100) — missing: X-Frame-Options, Referrer-Policy, Permissions-Policy

── output ─────

security_score

HTTP 200 · https://www.otto.de/

Strict-Transport-Security (HSTS)

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000

Content-Security-Policy (CSP)

[ STRONG ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

frame-ancestors 'self' https://*.otto.de https://*.ottogroup.com https://og2gether.sharepoint.com https://otto.mpp360.cloud https://internal.otto.market;

X-Frame-Options

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

X-Content-Type-Options

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

Referrer-Policy

[ MISSING ]

// Controls how much referrer info is leaked when navigating away.

// missing — add this header to improve security

Permissions-Policy

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security

// Save otto.de → we'll run this daily and alert on changes. /signup →