~/tools / security-headers

Security Headers Checker

Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.

>
[ WARNING ] Decent but improvable (68/100) — missing: Permissions-Policy · weak: content-security-policy
── output ─────
68
security_score
HTTP 200 · https://www.snsbank.nl/particulier/home.html
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=63072000 ; includeSubDomains ; preload
Content-Security-Policy (CSP)
[ WEAK ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
default-src 'self'; script-src 'nonce-SFhAwUMH7O4pQ+vO0y1L57VhfDVziUCL' 'self' 'unsafe-inline' 'unsafe-eval' 'report-sample' https://assets.adobedtm.com https://d6tizftlrpuof.cloudfront.net https://maps.googleapis.com https://www.google-analytics.com https://www.googletagmanager.com https://api.usabilla.com https://w.usabilla.com https://*.snsbank.nl https://tagmanager.google.com https://www.youtube.com https://connect.facebook.net https://cdn.cookielaw.org https://translate.google.com static.sns.nl https://api.vb.seamly-app.com; connect-src 'self' https: https://region1.google-analytics.com https://cdn.cookielaw.org https://dpm.demdex.net https://www.google-analytics.com https://snsbank.tt.omtrdc.net https://stats.g.doubleclick.net https://swa.snsbank.nl https://www.googletagmanager.com https://maps.googleapis.com https://snsbank.sc.omtrdc.net https://*.advieskeuze.nl wss://api.vb.seamly-app.com static.sns.nl https://api.vb.seamly-app.com; font-src 'self' data: https: https://fonts.gstatic.com; frame-src 'self' https: https://srv.devolksbank.nl https://snsbank.demdex.net https://d6tizftlrpuof.cloudfront.net https://www.youtube.com https://www.googletagmanager.com/; img-src 'self' data: https: https://googleads.g.doubleclick.net https://swa.snsbank.nl https://www.google-analytics.com https://www.googletagmanager.com https://charting.vwdservices.com https://maps.gstatic.com https://www.googleadservices.com https://cdn.cookielaw.org https://www.facebook.com https://d6tizftlrpuof.cloudfront.net https://www.google.be https://www.google.com https://www.google.nl https://www.google.co.uk https://maps.googleapis.com https://www.snsbank.nl https://www.gstatic.com https://bat.bing.com https://dpm.demdex.net https://cm.g.doubleclick.net https://ssl.gstatic.com https://w.usabilla.com https://px.ads.linkedin.com https://secure.adnxs.com; manifest-src 'self'; media-src 'self' data:; style-src 'self' 'unsafe-inline' https: https://fonts.googleapis.com https://tagmanager.google.com https://d6tizftlrpuof.cloudfront.net https://www.googletagmanager.com; object-src 'self'; report-uri /web/reportreceiver;
X-Frame-Options
[ STRONG ]
// Prevents clickjacking by blocking iframe embedding from other origins.
SAMEORIGIN
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
strict-origin-when-cross-origin
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security
// Save sns.nl → we'll run this daily and alert on changes. /signup →