~/tools / security-headers

Security Headers Checker

Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.

[ WARNING ] Decent but improvable (52/100) — missing: X-Frame-Options, Permissions-Policy · weak: content-security-policy

── output ─────

security_score

HTTP 200 · https://outlook.live.com/mail/

Strict-Transport-Security (HSTS)

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000; includeSubDomains

Content-Security-Policy (CSP)

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

default-src *.res.office365.com *.fluidpreview.office.net *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft swx.cdn.skype.com 'self'; script-src 'nonce-GcdflVm0vBcbRIho6zovdQ==' *.res.office365.com *.fluidpreview.office.net wss://*.delve.office.com:443 shellprod.msocdn.com amcdn.msauth.net amcdn.msftauth.net *.skype.com *.skypeassets.com *.delve.office.com *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft static.teams.microsoft.com teams.microsoft.com cdn.forms.office.net content.lifecycle.office.net blob: 'report-sample' 'self' 'wasm-unsafe-eval' acdn.adnxs.com cdn.adnxs.com; style-src *.res.office365.com *.fluidpreview.office.net *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft shellprod.msocdn.com *.skype.com 'self' 'report-sample' 'unsafe-inline' *.engage.cloud.microsoft; img-src * data: blob: filesystem: cid:; connect-src blob: data: *.res.office365.com *.fluidpreview.office.net *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft *.services.web.outlook.com login.live.com login.microsoftonline.com spoprod-a.akamaihd.net shellprod.msocdn.com *.bing.com *.office.net *.office.com *.office365.com *.officeapps.live.com *.skype.com *.skypeassets.com *.onedrive.com onedrive.cloud.microsoft my.microsoftpersonalcontent.com browser.pipe.aria.microsoft.com *.gateway.messenger.live.com dev.virtualearth.net *.trouter.skype.com *.trouter.io wss://*.trouter.skype.com wss://*.trouter.skype.com:443 wss://*.trouter.io:443 media.licdn.com *.facebook.com onerm.olsvc.com *.qas.binginternal.com *.qas.bing.net wss://*.qas.bing.net:443 wss://*.platform.bing.com wss://*.botframework.com:443 wss://augloop.office.com wss://*.augloop.office.com outlook.live.com graph.microsoft.com *.graph.microsoft.com *.office.microsoft.com api.box.com api.dropboxapi.com *.users.storage.live.com www.onenote.com *.storage.msn.com wss://*.pushd.svc.ms wss://*.pushs.svc.ms wss://*.pushb.svc.ms wss://*.pushp.svc.ms wss://*.svc.ms pptservicescast.officeapps.live.com *.sharepoint-df.com *.sharepoint.com wss://*.delve.office.com:443 wss://*.loki.delve.office.com:443 wss://*.loki.delve.office.com *.delve.office.com *.loki.delve.office.com web.vortex.data.microsoft.com *.events.data.microsoft.com *.online.lync.com *.infra.lync.com wss://*.cortana.ai *.cortana.ai fs.microsoft.com newspro.microsoft.com api.aadrm.com config.edge.skype.com content.lifecycle.office.net *.cp.microsoft.com *.mp.microsoft.com *.m365.microsoft.com *.payments.microsoft.com *.account.microsoft.com checkout.office.com smbpurchase.omex.office.net commerceapi.office.net commercemgmt.m365.microsoft.com checkout.microsoft365.com officeclient.microsoft.com editor.svc.cloud.microsoft 'self' attachment.outlook.live.net *.adnxs.com api.taboola.com api.msn.com ris.api.iris.microsoft.com srtb.msn.com *.engage.cloud.microsoft wss://augloop-gcc.office.com wss://*.augloop-gcc.office.com wss://augloop.svc.cloud.microsoft wss://*.augloop.svc.cloud.microsoft aesir.office.com *.oscs.protection.outlook.com *.safelinks.protection.outlook.com arc.msn.com arc-emea.msn.com fd.api.iris.microsoft.com *.dynamics.com *.mos.microsoft.com ris.api.iris.microsoft.com eudb.ris.api.iris.microsoft.com services.bingapis.com prod-autodetect.outlookmobile.com prod.autodetect.outlook.cloud.microsoft *.googleapis.com admin.microsoft.com *.bpa.microsoft.com teams.cloud.microsoft api.tenor.com attachment.outlook.live.net *.msedge.net app.whiteboard.microsoft.com whiteboard.office.com whiteboard.cloud.microsoft outlook.cloud.microsoft identity.osi.office.net wss://substrate.office.com *.adnxs.com wss://*.trouter.teams.microsoft.com api.flow.microsoft.com *.sharepoint.de proxy.uet.s.microsoft.com rtb.linkedin.com bat.bing.net; base-uri browser.pipe.aria.microsoft.com 'self'; form-action *.officeapps.live.com *.sharepoint-df.com *.sharepoint.com *.odwebp.svc.ms login.microsoftonline.com m365copilotapp.svc.cloud.microsoft login.live.com *.sharepoint.de login.live.com; object-src *.office.net 'self' blob: attachment.outlook.live.net attachments.office.net attachments.outlook.usercontent.microsoft attachment.outlook.live.net blob:; frame-ancestors 'self' teams.microsoft.com; font-src data: *.res.office365.com *.fluidpreview.office.net *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft spoprod-a.akamaihd.net *.skype.com ms-appx-web: sharepointonline.com *.sharepointonline.com *.delve.office.com fs.microsoft.com static2.sharepointonline.com 'self' *.engage.cloud.microsoft; media-src blob: data: *.res.office365.com *.cdn.office.net *.df.onecdn.static.microsoft *.public.onecdn.static.microsoft *.sharepoint-df.com *.skype.com *.office.net *.office365.net *.office365-net.us *.office.com 'self' attachment.outlook.live.net *.adnxs.com *.engage.cloud.microsoft attachments.office.net attachments.outlook.usercontent.microsoft attachment.outlook.live.net *.sharepoint.com *.sharepoint.de; frame-src * data: mailto: blob:; manifest-src 'self'; worker-src 'self' blob: *.office.com; child-src 'self' blob: *.office.com; require-trusted-types-for 'script'; trusted-types owaTrustedTypesPolicy owa#webpack cdn-url#oneshell safe-xml#oneshell workerScriptTrustedTypesPolicy augloopTrustedTypesPolicy 1DSScriptURL dompurify adaptivecards#deprecatedExportedFunctionPolicy highcharts owaAdsTrustedTypesPolicy @msteams/embed-client @fluidx/loop workerPolicy MeControlScriptURL adaptivecards#markdownPassthroughPolicy fast-html adaptivecards#restoreContentsPolicy @1js/midgard-trusted-types @1js/lpc-common-web#webpack @centro/hvc-loader html2canvas osfRuntimeScriptPolicy yammer-outlook-trusted-types-policy#webpack @azure/ms-rest-js#xml.browser react-virtualized-auto-sizer lit-html officebrowserfeedback#domUtils troubleshootPolicy consolePolicy ori_importmap TrustedTypePolicyFactory workerScriptPolicy iFrameDocumentTrustedTypesPolicy nativePdfPreviewTrustedTypesPolicy workerLoaderTrustedTypesPolicy @1js/search-converged-hostapp-owa-bundle#webpack suiteuxShellTrustedTypesPolicy @azure/core-xml#xml.browser @1js/midgard-bootstrapper#webpack trustedInnerHTMLPolicy domUtilsTrustedTypePolicy dangerouslySetInnerHTMLPolicy overlayScrollbarsTrustedTypesPolicy @msteams/services-io-browser-web-client-update#register-service-worker @fluidx/loop#loop-page-container @fluidx/loop#odsp-driver @fluidx/loop#office-fluid-container @fluidx/loop#sourceless-iframe webpack-dev-server#overlay placesMapWorkerPolicy @fluidx/loop-app-worker-template ori-worker-policy default owaLoopTrustedTypesPolicy owaTeamsClientTrustedTypesPolicy owaMeControlTrustedTypesPolicy ast-policy domPurifyHTML emptyStringPolicyHTML 'allow-duplicates'; report-uri https://csp.microsoft.com/report/OutlookWeb-Mail-PROD; upgrade-insecure-requests;

X-Frame-Options

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

X-Content-Type-Options

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

Referrer-Policy

[ PRESENT ]

// Controls how much referrer info is leaked when navigating away.

strict-origin

Permissions-Policy

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security

// Save outlook.com → we'll run this daily and alert on changes. /signup →