Security Headers Checker

HTTP 200 · https://proton.me/mail

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000; includeSubDomains; preload

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

default-src 'self'; media-src https://static.zdassets.com https://res.cloudinary.com https://pmecdn.protonweb.com; connect-src 'self' wss: https://protonmail.zendesk.com https://ekr.zdassets.com blob: https://account.proton.me https://reports.proton.me https://telemetry.proton.me https://*.algolia.net https://*.algolianet.com https://go.getproton.me https://noembed.com https://boards-api.greenhouse.io https://proton.me https://*.paypal.com https://*.paypalobjects.com; script-src 'self' blob: 'unsafe-eval' 'unsafe-inline' https://static.zdassets.com https://pmecdn.protonweb.com https://www.youtube.com https://platform.twitter.com https://*.paypal.com https://*.paypalobjects.com; style-src 'self' 'unsafe-inline' https://pmecdn.protonweb.com https://*.paypal.com https://*.paypalobjects.com; font-src 'self' https://pmecdn.protonweb.com; img-src 'self' data: blob: https:; frame-src 'self' data: blob: https://www.youtube-nocookie.com https://platform.twitter.com https://*.paypal.com https://*.paypalobjects.com; object-src 'self' data: blob:; child-src 'self' data: blob: https://*.paypal.com https://*.paypalobjects.com; report-uri https://reports.proton.me/reports/csp; frame-ancestors 'self' https://*.proton.me;

[ MISSING ]

// Prevents clickjacking by blocking iframe embedding from other origins.

// missing — add this header to improve security

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ PRESENT ]

// Controls how much referrer info is leaked when navigating away.

strict-origin-when-cross-origin

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security