~/tools / security-headers
Security Headers Checker
Scan HTTP security headers. Grades HSTS, CSP, X-Frame-Options and others, with explanations of what each header protects.
[ WARNING ]
Decent but improvable (62/100) — missing: X-Frame-Options, Permissions-Policy
── output ─────
62
security_score
HTTP 200 · https://www.yahoo.com/
Strict-Transport-Security (HSTS)
[ STRONG ]
// Forces HTTPS for all connections. Prevents downgrade attacks.
max-age=31536000
Content-Security-Policy (CSP)
[ STRONG ]
// Defines which sources of scripts/styles/images are allowed. Prevents XSS.
frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.pnr.ouryahoo.com https://pnr.ouryahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.onesearch.com https://*.verizonmedia.com https://*.publishing.oath.com https://cdn.taboola.com https://ads.taboola.com chrome-extension://jdanfkhnfpagoijgfmklhgakdicpnfil; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation allow-top-navigation-by-user-activation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=news®ion=US&lang=en-US&device=desktop&yrid=6o9nr8tivmg0j&partner=;
X-Frame-Options
[ MISSING ]
// Prevents clickjacking by blocking iframe embedding from other origins.
// missing — add this header to improve security
X-Content-Type-Options
[ STRONG ]
// Prevents MIME sniffing. Should be 'nosniff'.
nosniff
Referrer-Policy
[ PRESENT ]
// Controls how much referrer info is leaked when navigating away.
no-referrer-when-downgrade
Permissions-Policy
[ MISSING ]
// Restricts which browser features (camera, mic, etc.) the page can use.
// missing — add this header to improve security