377 lines
12 KiB
Markdown
377 lines
12 KiB
Markdown
Basic Header:
|
||
|
||
Scoring:
|
||
|
||
C 55/100
|
||
|
||
Content Security Policy (CSP)
|
||
−25 Failed
|
||
Content Security Policy (CSP) header not implemented
|
||
|
||
Implement one, see MDN's Content Security Policy (CSP) documentation.
|
||
|
||
Cookies -
|
||
No cookies detected
|
||
|
||
None
|
||
|
||
Cross Origin Resource Sharing (CORS)
|
||
0 Passed
|
||
Content is not visible via cross-origin resource sharing (CORS) files or headers.
|
||
|
||
None
|
||
|
||
Redirection
|
||
−20 Failed
|
||
Redirects, but final destination is not an HTTPS URL.
|
||
|
||
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
|
||
|
||
Referrer Policy
|
||
0* Passed
|
||
Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
|
||
|
||
None
|
||
|
||
Strict Transport Security (HSTS)
|
||
0 Passed
|
||
Strict-Transport-Security header set to a minimum of six months (15768000).
|
||
|
||
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to <https://hstspreload.org/>.
|
||
|
||
Subresource Integrity -
|
||
Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
|
||
|
||
Add SRI for bonus points.
|
||
|
||
X-Content-Type-Options
|
||
0 Passed
|
||
X-Content-Type-Options header set to nosniff.
|
||
|
||
None
|
||
|
||
X-Frame-Options
|
||
0* Passed
|
||
X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
|
||
|
||
None
|
||
|
||
Cross Origin Resource Policy -
|
||
Cross Origin Resource Policy (CORP) is not implemented (defaults to cross-origin).
|
||
|
||
None
|
||
|
||
CSP analysis:
|
||
|
||
No CSP headers detected
|
||
|
||
Raw Server Headers:
|
||
|
||
Header Value
|
||
Via 1.1 Caddy
|
||
Date Thu, 18 Dec 2025 16:25:00 GMT
|
||
Vary Accept-Encoding
|
||
Pragma no-cache
|
||
Server Kestrel
|
||
Alt-Svc h3=":443"; ma=2592000
|
||
Expires -1
|
||
Connection close
|
||
Content-Type text/html
|
||
Cache-Control no-cache, no-store
|
||
Referrer-Policy strict-origin-when-cross-origin
|
||
X-Frame-Options SAMEORIGIN
|
||
X-Xss-Protection 1; mode=block
|
||
Transfer-Encoding chunked
|
||
X-Content-Type-Options nosniff
|
||
Strict-Transport-Security max-age=31536000; includeSubDomains
|
||
|
||
Strict Header:
|
||
|
||
Scoring:
|
||
|
||
B+ 80/100
|
||
|
||
Content Security Policy (CSP)
|
||
0 Passed
|
||
Content Security Policy (CSP) implemented with unsafe sources inside style-src. This includes 'unsafe-inline', data: or overly broad sources such as https. 'form-action' is set to 'self', 'none' or 'specific source'
|
||
|
||
Lock down style-src directive, removing 'unsafe-inline', data: and broad sources.
|
||
|
||
Cookies -
|
||
No cookies detected
|
||
|
||
None
|
||
|
||
Cross Origin Resource Sharing (CORS)
|
||
0 Passed
|
||
Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains.
|
||
|
||
None
|
||
|
||
Redirection
|
||
−20 Failed
|
||
Does not redirect to an HTTPS site.
|
||
|
||
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
|
||
|
||
Referrer Policy
|
||
0* Passed
|
||
Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
|
||
|
||
None
|
||
|
||
Strict Transport Security (HSTS)
|
||
0 Passed
|
||
Strict-Transport-Security header set to a minimum of six months (15768000).
|
||
|
||
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to <https://hstspreload.org/>.
|
||
|
||
Subresource Integrity -
|
||
Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
|
||
|
||
Add SRI for bonus points.
|
||
|
||
X-Content-Type-Options
|
||
0 Passed
|
||
X-Content-Type-Options header set to nosniff.
|
||
|
||
None
|
||
|
||
X-Frame-Options
|
||
0* Passed
|
||
X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
|
||
|
||
None
|
||
|
||
Cross Origin Resource Policy
|
||
0* Passed
|
||
Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-origin contexts.
|
||
|
||
None
|
||
|
||
CSP analysis:
|
||
|
||
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
|
||
|
||
Passed
|
||
Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
|
||
|
||
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
|
||
|
||
Passed
|
||
Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
|
||
|
||
Blocks execution of plug-ins, using object-src restrictions
|
||
|
||
Passed
|
||
Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.
|
||
|
||
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
|
||
|
||
Failed
|
||
Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
|
||
|
||
Blocks loading of active content over HTTP or FTP
|
||
|
||
Passed
|
||
Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code or your website. Restricting your policy and changing links to HTTPS can help prevent this.
|
||
|
||
Blocks loading of passive content over HTTP or FTP
|
||
|
||
Passed
|
||
This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.
|
||
|
||
Clickjacking protection, using frame-ancestors
|
||
|
||
Failed
|
||
The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
|
||
|
||
Deny by default, using default-src 'none'
|
||
|
||
Failed
|
||
Denying by default using default-src 'none'can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
|
||
|
||
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.
|
||
|
||
Failed
|
||
The <base> tag can be used to trick your site into loading scripts from untrusted origins.
|
||
|
||
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
|
||
|
||
Failed
|
||
Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
|
||
|
||
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
|
||
|
||
-
|
||
|
||
'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
|
||
|
||
Raw server headers:
|
||
|
||
Header Value
|
||
Via 1.1 Caddy
|
||
Date Thu, 18 Dec 2025 16:11:11 GMT
|
||
Vary Accept-Encoding
|
||
Server waitress
|
||
Alt-Svc h3=":443"; ma=2592000
|
||
Connection close
|
||
Content-Type text/html; charset=utf-8
|
||
Content-Length 815
|
||
Referrer-Policy strict-origin-when-cross-origin
|
||
X-Frame-Options DENY
|
||
X-Xss-Protection 1; mode=block
|
||
Permissions-Policy camera=(), microphone=(), geolocation=()
|
||
X-Content-Type-Options nosniff
|
||
Content-Security-Policy script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-src 'none'; object-src 'none'; default-src 'self'
|
||
Strict-Transport-Security max-age=31536000; includeSubDomains
|
||
Cross-Origin-Opener-Policy same-origin
|
||
Access-Control-Allow-Origin *
|
||
Cross-Origin-Resource-Policy same-origin
|
||
|
||
Paranoid Header:
|
||
|
||
Scoring:
|
||
|
||
B+ 80/100
|
||
|
||
Content Security Policy (CSP)
|
||
0* Passed
|
||
Content Security Policy (CSP) implemented with default-src 'none', no 'unsafe' and form-action is set to 'none' or 'self'
|
||
|
||
None
|
||
|
||
Cookies -
|
||
No cookies detected
|
||
|
||
None
|
||
|
||
Cross Origin Resource Sharing (CORS)
|
||
0 Passed
|
||
Content is not visible via cross-origin resource sharing (CORS) files or headers.
|
||
|
||
None
|
||
|
||
Redirection
|
||
−20 Failed
|
||
Redirects, but final destination is not an HTTPS URL.
|
||
|
||
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
|
||
|
||
Referrer Policy
|
||
0* Passed
|
||
Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
|
||
|
||
None
|
||
|
||
Strict Transport Security (HSTS)
|
||
0 Passed
|
||
Strict-Transport-Security header set to a minimum of six months (15768000).
|
||
|
||
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to <https://hstspreload.org/>.
|
||
|
||
Subresource Integrity -
|
||
Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
|
||
|
||
Add SRI for bonus points.
|
||
|
||
X-Content-Type-Options
|
||
0 Passed
|
||
X-Content-Type-Options header set to nosniff.
|
||
|
||
None
|
||
|
||
X-Frame-Options
|
||
0* Passed
|
||
X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive.
|
||
|
||
None
|
||
|
||
Cross Origin Resource Policy
|
||
0* Passed
|
||
Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-origin contexts.
|
||
|
||
None
|
||
|
||
CSP analysis:
|
||
|
||
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
|
||
|
||
Passed
|
||
Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
|
||
|
||
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
|
||
|
||
Passed
|
||
Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
|
||
|
||
Blocks execution of plug-ins, using object-src restrictions
|
||
|
||
Passed
|
||
Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.
|
||
|
||
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
|
||
|
||
Passed
|
||
Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
|
||
|
||
Blocks loading of active content over HTTP or FTP
|
||
|
||
Passed
|
||
Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code or your website. Restricting your policy and changing links to HTTPS can help prevent this.
|
||
|
||
Blocks loading of passive content over HTTP or FTP
|
||
|
||
Passed
|
||
This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.
|
||
|
||
Clickjacking protection, using frame-ancestors
|
||
|
||
Passed
|
||
The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
|
||
|
||
Deny by default, using default-src 'none'
|
||
|
||
Passed
|
||
Denying by default using default-src 'none'can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
|
||
|
||
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.
|
||
|
||
Passed
|
||
The <base> tag can be used to trick your site into loading scripts from untrusted origins.
|
||
|
||
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
|
||
|
||
Passed
|
||
Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
|
||
|
||
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
|
||
|
||
-
|
||
|
||
'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
|
||
|
||
Raw server headers:
|
||
|
||
Via 1.1 Caddy
|
||
Date Thu, 18 Dec 2025 16:27:58 GMT
|
||
Vary Accept-Encoding
|
||
Pragma no-cache
|
||
Server Kestrel
|
||
Alt-Svc h3=":443"; ma=2592000
|
||
Expires -1
|
||
Connection close
|
||
Content-Type text/html
|
||
Cache-Control no-store, no-cache, no-store
|
||
Referrer-Policy no-referrer
|
||
X-Frame-Options DENY
|
||
X-Xss-Protection 1; mode=block
|
||
Transfer-Encoding chunked
|
||
Permissions-Policy camera=(), microphone=(), geolocation=(), payment=(), usb=()
|
||
X-Content-Type-Options nosniff
|
||
Content-Security-Policy img-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; default-src 'none'; font-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; script-src 'self'; style-src 'self'
|
||
Strict-Transport-Security max-age=31536000; includeSubDomains
|
||
Cross-Origin-Opener-Policy same-origin
|
||
Cross-Origin-Embedder-Policy require-corp
|
||
Cross-Origin-Resource-Policy same-origin
|