12 KiB
Basic Header:
Scoring:
C 55/100
Content Security Policy (CSP) −25 Failed Content Security Policy (CSP) header not implemented
Implement one, see MDN's Content Security Policy (CSP) documentation.
Cookies - No cookies detected
None
Cross Origin Resource Sharing (CORS) 0 Passed Content is not visible via cross-origin resource sharing (CORS) files or headers.
None
Redirection −20 Failed Redirects, but final destination is not an HTTPS URL.
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
Referrer Policy 0* Passed Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
None
Strict Transport Security (HSTS) 0 Passed Strict-Transport-Security header set to a minimum of six months (15768000).
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to https://hstspreload.org/.
Subresource Integrity - Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
Add SRI for bonus points.
X-Content-Type-Options 0 Passed X-Content-Type-Options header set to nosniff.
None
X-Frame-Options 0* Passed X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
None
Cross Origin Resource Policy - Cross Origin Resource Policy (CORP) is not implemented (defaults to cross-origin).
None
CSP analysis:
No CSP headers detected
Raw Server Headers:
Header Value Via 1.1 Caddy Date Thu, 18 Dec 2025 16:25:00 GMT Vary Accept-Encoding Pragma no-cache Server Kestrel Alt-Svc h3=":443"; ma=2592000 Expires -1 Connection close Content-Type text/html Cache-Control no-cache, no-store Referrer-Policy strict-origin-when-cross-origin X-Frame-Options SAMEORIGIN X-Xss-Protection 1; mode=block Transfer-Encoding chunked X-Content-Type-Options nosniff Strict-Transport-Security max-age=31536000; includeSubDomains
Strict Header:
Scoring:
B+ 80/100
Content Security Policy (CSP) 0 Passed Content Security Policy (CSP) implemented with unsafe sources inside style-src. This includes 'unsafe-inline', data: or overly broad sources such as https. 'form-action' is set to 'self', 'none' or 'specific source'
Lock down style-src directive, removing 'unsafe-inline', data: and broad sources.
Cookies - No cookies detected
None
Cross Origin Resource Sharing (CORS) 0 Passed Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains.
None
Redirection −20 Failed Does not redirect to an HTTPS site.
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
Referrer Policy 0* Passed Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
None
Strict Transport Security (HSTS) 0 Passed Strict-Transport-Security header set to a minimum of six months (15768000).
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to https://hstspreload.org/.
Subresource Integrity - Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
Add SRI for bonus points.
X-Content-Type-Options 0 Passed X-Content-Type-Options header set to nosniff.
None
X-Frame-Options 0* Passed X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
None
Cross Origin Resource Policy 0* Passed Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-origin contexts.
None
CSP analysis:
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
Passed Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
Passed Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
Blocks execution of plug-ins, using object-src restrictions
Passed Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Failed Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
Blocks loading of active content over HTTP or FTP
Passed Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code or your website. Restricting your policy and changing links to HTTPS can help prevent this.
Blocks loading of passive content over HTTP or FTP
Passed This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.
Clickjacking protection, using frame-ancestors
Failed The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
Deny by default, using default-src 'none'
Failed Denying by default using default-src 'none'can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
Restricts use of the tag by using base-uri 'none', base-uri 'self', or specific origins.
Failed The tag can be used to trick your site into loading scripts from untrusted origins.
Restricts where
contents may be submitted by using form-action 'none', form-action 'self', or specific URIsFailed Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
Raw server headers:
Header Value Via 1.1 Caddy Date Thu, 18 Dec 2025 16:11:11 GMT Vary Accept-Encoding Server waitress Alt-Svc h3=":443"; ma=2592000 Connection close Content-Type text/html; charset=utf-8 Content-Length 815 Referrer-Policy strict-origin-when-cross-origin X-Frame-Options DENY X-Xss-Protection 1; mode=block Permissions-Policy camera=(), microphone=(), geolocation=() X-Content-Type-Options nosniff Content-Security-Policy script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-src 'none'; object-src 'none'; default-src 'self' Strict-Transport-Security max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy same-origin Access-Control-Allow-Origin * Cross-Origin-Resource-Policy same-origin
Paranoid Header:
Scoring:
B+ 80/100
Content Security Policy (CSP) 0* Passed Content Security Policy (CSP) implemented with default-src 'none', no 'unsafe' and form-action is set to 'none' or 'self'
None
Cookies - No cookies detected
None
Cross Origin Resource Sharing (CORS) 0 Passed Content is not visible via cross-origin resource sharing (CORS) files or headers.
None
Redirection −20 Failed Redirects, but final destination is not an HTTPS URL.
Redirect to the same host on HTTPS first, then redirect to the final host on HTTPS.
Referrer Policy 0* Passed Referrer-Policy header set to no-referrer, same-origin, strict-origin or strict-origin-when-cross-origin.
None
Strict Transport Security (HSTS) 0 Passed Strict-Transport-Security header set to a minimum of six months (15768000).
Consider preloading: this requires adding the preload and includeSubDomains directives and setting max-age to at least 31536000 (1 year), and submitting your site to https://hstspreload.org/.
Subresource Integrity - Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin.
Add SRI for bonus points.
X-Content-Type-Options 0 Passed X-Content-Type-Options header set to nosniff.
None
X-Frame-Options 0* Passed X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive.
None
Cross Origin Resource Policy 0* Passed Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-origin contexts.
None
CSP analysis:
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
Passed Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
Passed Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
Blocks execution of plug-ins, using object-src restrictions
Passed Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Passed Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
Blocks loading of active content over HTTP or FTP
Passed Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code or your website. Restricting your policy and changing links to HTTPS can help prevent this.
Blocks loading of passive content over HTTP or FTP
Passed This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load them over HTTPS.
Clickjacking protection, using frame-ancestors
Passed The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
Deny by default, using default-src 'none'
Passed Denying by default using default-src 'none'can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
Restricts use of the tag by using base-uri 'none', base-uri 'self', or specific origins.
Passed The tag can be used to trick your site into loading scripts from untrusted origins.
Restricts where contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
Passed Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
Raw server headers:
Via 1.1 Caddy Date Thu, 18 Dec 2025 16:27:58 GMT Vary Accept-Encoding Pragma no-cache Server Kestrel Alt-Svc h3=":443"; ma=2592000 Expires -1 Connection close Content-Type text/html Cache-Control no-store, no-cache, no-store Referrer-Policy no-referrer X-Frame-Options DENY X-Xss-Protection 1; mode=block Transfer-Encoding chunked Permissions-Policy camera=(), microphone=(), geolocation=(), payment=(), usb=() X-Content-Type-Options nosniff Content-Security-Policy img-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; default-src 'none'; font-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; script-src 'self'; style-src 'self' Strict-Transport-Security max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy same-origin Cross-Origin-Embedder-Policy require-corp Cross-Origin-Resource-Policy same-origin