Are HTTP security headers protecting the domain?

HTTP security headers tell browsers how to handle your website's content securely. We monitor these headers to ensure they're properly configured to prevent common web attacks.

Written by Dan McKenzie
Updated this week

What is it?

HTTP security headers are like a set of security instructions for web browsers. They tell browsers how to handle your website's content, what resources to trust, and how to protect your users from common attacks.

Why It Matters

Without proper security headers, your website is vulnerable to:

  • Clickjacking attacks where attackers embed your site maliciously

  • Content type confusion leading to security bypasses

  • Information leakage through referrer headers

  • Cross-site scripting attacks in legacy browsers

  • Unauthorized framing of your content


Security Checks

We monitor these aspects of your security headers:

Are frame protection headers properly configured?

The domain lacks both the X-Frame-Options header and a CSP frame-ancestors directive. This leaves the site vulnerable to clickjacking attacks, where it could be embedded in malicious frames.

Is modern frame protection in use?

The domain relies solely on the older X-Frame-Options header without CSP frame-ancestors. While this provides basic protection, it lacks the more flexible controls of modern Content Security Policy.

Are frame protection headers consistent?

The domain has mismatched values between the X-Frame-Options header and the CSP frame-ancestors directive. This inconsistency may lead to unreliable frame protection across different browsers.

Are frame protection headers uniquely defined?

The domain sends multiple X-Frame-Options headers. This creates undefined behavior as browsers may interpret the conflicting headers differently.

Is MIME type sniffing prevention enabled?

The domain doesn't send the X-Content-Type-Options header. This allows browsers to interpret file types differently than intended, potentially enabling security bypasses.

Is the X-Content-Type-Options value correct?

The domain uses an invalid value for X-Content-Type-Options instead of 'nosniff'. This prevents the header from properly protecting against MIME type confusion attacks.

Is XSS protection configured using current standards?

The domain lacks a Content Security Policy script-src directive, relying only on X-XSS-Protection. This older protection mechanism provides limited defense against cross-site scripting attacks.

Are referrer controls properly configured?

The domain lacks a Referrer-Policy header. This may lead to unintended information leakage through referrer headers when users navigate away from the site.

Are referrer controls using current standards?

The domain uses the deprecated CSP referrer directive instead of the current Referrer-Policy header. Modern browsers may ignore this outdated configuration.

Are referrer control headers consistent?

The domain has mismatched values between the Referrer-Policy header and the CSP referrer directive. This inconsistency creates unpredictable referrer behavior across browsers.

Is the referrer policy securely configured?

The domain uses an unsafe referrer policy ('unsafe-url') or lacks a specific policy. This may leak sensitive information in referrer headers when users follow links to other sites.

Is modern XSS protection in use?

The domain relies solely on the older X-XSS-Protection header without Content Security Policy. While this provides basic protection, it lacks the comprehensive controls offered by modern CSP directives.

Are XSS protection headers consistent?

The domain has mismatched settings between the X-XSS-Protection header and the Content Security Policy. This inconsistency may lead to unreliable XSS protection across different browsers.

Are XSS protection headers uniquely defined?

The domain sends multiple X-XSS-Protection headers. This creates undefined behavior as browsers may interpret the conflicting protection settings differently.
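The checks listed above, expressed as code: this is an added example, not the monitoring service's own checker. It takes the response headers as received (a list of name/value pairs, so duplicates stay visible) and returns the failing checks; the finding names and the constructed SAMPLE headers are assumptions of the example.

```python
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

# X-Frame-Options value and the CSP frame-ancestors source list that matches it
XFO_EQUIV = {"deny": ["'none'"], "sameorigin": ["'self'"]}

# Constructed sample response headers (not captured from any real site)
SAMPLE = [("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff"),
          ("Referrer-Policy", "unsafe-url")]

def check_security_headers(headers):
    """headers: list of (name, value) pairs in the order received. Returns one finding key per failed check."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    findings = []
    # Several CSP headers are joined here: browsers enforce every one of them.
    csp = parse_csp(";".join(by_name.get("content-security-policy", [])))
    xfo = [v.lower() for v in by_name.get("x-frame-options", [])]
    ancestors = csp.get("frame-ancestors")
    if not xfo and ancestors is None:
        findings.append("frame-protection-missing")
    elif xfo and ancestors is None:
        findings.append("frame-protection-legacy-only")
    elif xfo and XFO_EQUIV.get(xfo[0]) != ancestors:
        findings.append("frame-protection-mismatch")
    if len(xfo) > 1:
        findings.append("frame-protection-duplicate")
    xcto = [v.lower() for v in by_name.get("x-content-type-options", [])]
    if not xcto:
        findings.append("nosniff-missing")
    elif xcto[0] != "nosniff":
        findings.append("nosniff-invalid")
    xxp = by_name.get("x-xss-protection", [])
    if xxp and "script-src" not in csp:
        findings.append("xss-protection-legacy-only")
    if len(xxp) > 1:
        findings.append("xss-protection-duplicate")
    rp = [v.lower() for v in by_name.get("referrer-policy", [])]
    csp_ref = csp.get("referrer")
    if not rp:
        findings.append("referrer-csp-deprecated" if csp_ref else "referrer-missing")
    elif rp[0] == "unsafe-url":
        findings.append("referrer-unsafe")
    if rp and csp_ref and csp_ref != [rp[0]]:
        findings.append("referrer-mismatch")
    return findings
```

Running `check_security_headers(SAMPLE)` reports the site as relying on X-Frame-Options alone and using an unsafe referrer policy; an empty header list trips the three "missing" checks.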


Industry Standards

Security headers are recommended by:

  • OWASP Security Standards

  • Mozilla Web Security Guidelines

  • Google Web Security Requirements

  • NIST Web Security Guidelines
