~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (52/100) — missing: X-Frame-Options, Referrer-Policy · weak: content-security-policy
── output ─────
52
security_score
HTTP 200 · https://www.paypal.com/nl/home
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=63072000; includeSubDomains; preload
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'self' https://*.paypal.com https://*.paypalobjects.com 'unsafe-inline'; style-src 'self' https://*.paypal.com https://*.paypalobjects.com 'unsafe-inline'; script-src 'nonce-MzdlZTBhZGYtZTNhYi00ZmNkLWIyZDAtNDYyNGE0MmE5MGVk' 'self' 'unsafe-inline' https://*.paypal.com https://*.paypalobjects.com https://ad.doubleclick.net https://ade.googlesyndication.com https://adservice.google.com https://googleads.g.doubleclick.net https://googletagmanager.com https://pagead2.googlesyndication.com https://pypd.paypal-mktg.com https://tagmanager.google.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com; img-src 'self' https: data: https://region1.analytics.google.com https://region1.google-analytics.com https://www.analytics.google.com https://www.google-analytics.com; object-src 'none'; font-src 'self' https://*.paypal.com https://*.paypalobjects.com; frame-src 'self' https://*.company-target.com https://*.paypal.com https://*.paypalobjects.com https://www.googletagmanager.com https://www.youtube-nocookie.com https://*.qualtrics.com; frame-ancestors 'self' https://*.paypal.com; connect-src 'self' 'unsafe-inline' https://*.adsrvr.org https://*.company-target.com https://*.demandbase.com https://*.paypal.com https://*.paypalobjects.com https://ad.doubleclick.net https://adservice.google.com https://browser-intake-us5-datadoghq.com https://google.com https://googleads.g.doubleclick.net https://pagead2.googlesyndication.com https://prod.uidapi.com https://region1.analytics.google.com https://region1.google-analytics.com https://www.analytics.google.com https://www.google-analytics.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com www.google.com www.googletagmanager.com https://*.qualtrics.com; form-action 'self' https://*.paypal.com; base-uri 'self' https://*.paypal.com; upgrade-insecure-requests;; report-uri https://www.paypal.com/csplog/api/log/csp
X-Frame-Options
[ MISSING ]
// Prevents clickjacking by blocking iframe embedding from other origins.
// missing — add this header to improve security
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ MISSING ]
// Controls how much referrer info is leaked when navigating away.
// missing — add this header to improve security
Permissions-Policy
[ PRESENT ]
// Restricts which browser features (camera, mic, etc.) the page can use.
ch-ua-platform-version=(self "https://c.paypal.com"),ch-ua-arch=(self "https://c.paypal.com"),ch-ua-wow64=(self "https://c.paypal.com"),ch-ua-model=(self "https://c.paypal.com"),ch-ua-bitness=(self "https://c.paypal.com"),ch-ua-full-version=(self "https://c.paypal.com"),ch-ua-full-version-list=(self "https://c.paypal.com")