Skip to content
https://nextjs.org

Security

· 11 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
82
GRADE
B
FIX
2
REVIEW
3
PASS
6
INFO
0
Checks
11
6 PASS 3 REVIEW 2 FIX
F
Content Security Policy
Action
3 of 10 CSP checks passed
FIX
3 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self' nextjs.org *.nextjs.org vercel.com *.vercel.com *.vercel.sh vercel.live wss://*.vercel.com wss://*.nextjs.org localhost:*;script-src 'self' 'unsafe-eval' 'unsafe-inline' www.google.com www.google-analytics.com www.googleadservices.com www.gstatic.com *.youtube.com *.youtube-nocookie.com *.ytimg.com *.twimg.com cdn.ampproject.org www.googletagmanager.com *.googleapis.com *.fides-cdn.ethyca.com *.ethyca.com cdn.ethyca.com cdn.vercel-insights.com va.vercel-scripts.com app.cal.com *.cr-relay.com vercel.com *.vercel.com *.vercel.sh vercel.live nextjs.org *.nextjs.org localhost:* chrome-extension://*;child-src *.youtube.com *.youtube-nocookie.com *.stripe.com www.google.com td.doubleclick.net github.com calendly.com vercel.cal.com nextjs.org *.nextjs.org vercel.com *.vercel.com *.vercel.sh vercel.live wss://*.vercel.com wss://*.nextjs.org localhost:*;style-src 'self' 'unsafe-inline' *.googleapis.com nextjs.org *.nextjs.org vercel.com *.vercel.com *.vercel.sh vercel.live wss://*.vercel.com wss://*.nextjs.org localhost:*;img-src * blob: data:;media-src 'self' videos.ctfassets.net user-images.githubusercontent.com replicate.delivery *.public.blob.vercel-storage.com blob: data: nextjs.org *.nextjs.org vercel.com *.vercel.com *.vercel.sh vercel.live wss://*.vercel.com wss://*.nextjs.org localhost:*;connect-src 'self' data: vercel.com *.vercel.com *.vercel.sh vercel.live wss://*.vercel.com wss://*.nextjs.org nextjs.org *.nextjs.org localhost:* cdn.vercel-insights.com va.vercel-scripts.com cdp.vercel.com www.google-analytics.com www.googletagmanager.com *.googleapis.com *.cr-relay.com *.ethyca.com cdn.ethyca.com *.algolia.net *.algolianet.com risk.clearbit.com *.ingest.sentry.io *.ingest.us.sentry.io *.public.blob.vercel-storage.com;font-src 'self' *.nextjs.org *.vercel.com *.gstatic.com vercel.live *.vercel.sh;worker-src 'self' *.nextjs.org *.vercel.com blob:
Info::
default-src directive is set
Got: default-src 'self' nextjs.org *.nextjs.org vercel.com *.vercel.com *.vercel.sh vercel.live wss://*.vercel.com wss://*.nextjs.org localhost:*
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' www.google.com www.google-analytics.com www.googleadservices.com www.gstatic.com *.youtube.com *.youtube-nocookie.com *.ytimg.com *.twimg.com cdn.ampproject.org www.googletagmanager.com *.googleapis.com *.fides-cdn.ethyca.com *.ethyca.com cdn.ethyca.com cdn.vercel-insights.com va.vercel-scripts.com app.cal.com *.cr-relay.com vercel.com *.vercel.com *.vercel.sh vercel.live nextjs.org *.nextjs.org localhost:* chrome-extension://*
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' www.google.com www.google-analytics.com www.googleadservices.com www.gstatic.com *.youtube.com *.youtube-nocookie.com *.ytimg.com *.twimg.com cdn.ampproject.org www.googletagmanager.com *.googleapis.com *.fides-cdn.ethyca.com *.ethyca.com cdn.ethyca.com cdn.vercel-insights.com va.vercel-scripts.com app.cal.com *.cr-relay.com vercel.com *.vercel.com *.vercel.sh vercel.live nextjs.org *.nextjs.org localhost:* chrome-extension://*
Info::
No wildcard in script source
Info::
object-src falls back to default-src
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests
Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

default-src 'self'nextjs.org*.nextjs.orgvercel.com*.vercel.com*.vercel.shvercel.livewss://*.vercel.comwss://*.nextjs.orglocalhost:*
script-src 'self''unsafe-eval''unsafe-inline'www.google.comwww.google-analytics.comwww.googleadservices.comwww.gstatic.com*.youtube.com*.youtube-nocookie.com*.ytimg.com*.twimg.comcdn.ampproject.orgwww.googletagmanager.com*.googleapis.com*.fides-cdn.ethyca.com*.ethyca.comcdn.ethyca.comcdn.vercel-insights.comva.vercel-scripts.comapp.cal.com*.cr-relay.comvercel.com*.vercel.com*.vercel.shvercel.livenextjs.org*.nextjs.orglocalhost:*chrome-extension://*
child-src *.youtube.com*.youtube-nocookie.com*.stripe.comwww.google.comtd.doubleclick.netgithub.comcalendly.comvercel.cal.comnextjs.org*.nextjs.orgvercel.com*.vercel.com*.vercel.shvercel.livewss://*.vercel.comwss://*.nextjs.orglocalhost:*
style-src 'self''unsafe-inline'*.googleapis.comnextjs.org*.nextjs.orgvercel.com*.vercel.com*.vercel.shvercel.livewss://*.vercel.comwss://*.nextjs.orglocalhost:*
img-src *blob:data:
media-src 'self'videos.ctfassets.netuser-images.githubusercontent.comreplicate.delivery*.public.blob.vercel-storage.comblob:data:nextjs.org*.nextjs.orgvercel.com*.vercel.com*.vercel.shvercel.livewss://*.vercel.comwss://*.nextjs.orglocalhost:*
connect-src 'self'data:vercel.com*.vercel.com*.vercel.shvercel.livewss://*.vercel.comwss://*.nextjs.orgnextjs.org*.nextjs.orglocalhost:*cdn.vercel-insights.comva.vercel-scripts.comcdp.vercel.comwww.google-analytics.comwww.googletagmanager.com*.googleapis.com*.cr-relay.com*.ethyca.comcdn.ethyca.com*.algolia.net*.algolianet.comrisk.clearbit.com*.ingest.sentry.io*.ingest.us.sentry.io*.public.blob.vercel-storage.com
font-src 'self'*.nextjs.org*.vercel.com*.gstatic.comvercel.live*.vercel.sh
worker-src 'self'*.nextjs.org*.vercel.comblob:
D
security.txt
Action
No /.well-known/security.txt published
FIX

security.txt

No security.txt found at /.well-known/security.txt

C
Security Headers
Action
5 of 10 headers properly configured
REVIEW
5 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=31536000; includeSubDomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: DENY
Warning::
Referrer-Policy has a weak value
Got: origin-when-cross-origin Expected: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src 'self' nextjs.org *.nextjs.org vercel.com *.vercel.com *.vercel.sh v…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Warning::
X-Powered-By header reveals technology stack
This header discloses server technology (e.g. Express, PHP), helping attackers target known vulnerabilities. Remove it.
Got: Next.js
Info::
Server header is present without version info
Got: Vercel
Expected: strict-origin-when-cross-origin
Why this matters

Weak Referrer-Policy values leak full URLs (with query params, tokens, IDs) to every third-party resource on the page.

Learn more

Default referrer behavior shares the full referring URL with images, scripts, and other resources from third-party origins. If your URLs contain tokens, session IDs, or user emails (in query strings or paths), every third-party tracker gets them. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter).

Source: MDN Referrer-Policy / W3C

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

This header discloses server technology (e.g. Express, PHP), helping attackers target known vulnerabilities. Remove it.

Why this matters

X-Powered-By: PHP/7.4.3 advertises your stack to attackers — disable it.

Learn more

X-Powered-By and similar headers (X-AspNet-Version, X-Runtime) tell attackers which versions to target. Disable in your server/framework config: PHP `expose_php=Off`, ASP.NET `<httpRuntime enableVersionHeader="false">`, Express `app.disable('x-powered-by')`.

Source: OWASP

C
Permissions-Policy
Action
0 directives, 5 missing
REVIEW
0 directives, 5 missing
Info::
camera not restricted
Consider adding camera=() to block camera access from embedded content.
Info::
microphone not restricted
Consider adding microphone=() to block microphone access from embedded content.
Info::
geolocation not restricted
Consider adding geolocation=() to block geolocation access from embedded content.
Info::
payment not restricted
Consider adding payment=() to block payment access from embedded content.
Info::
usb not restricted
Consider adding usb=() to block usb access from embedded content.

Raw Header

fullscreen 'self'; camera 'none'

Feature Permissions

Blocked Self Only Unrestricted Not Set
camera Not Set
microphone Not Set
geolocation Not Set
payment Not Set
usb Not Set
B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
A+
TLS & Certificates
TLS 1.3, 7 checks passed
PASS
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 76 days)
Got: 2026-06-20T04:13:12Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 2 domain(s)
Got: *.nextjs.org, nextjs.org
Info::
Certificate is issued by a trusted CA
Got: CN=R12,O=Let's Encrypt,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_128_GCM_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=*.nextjs.orgIssuer CN=R12,O=Let's Encrypt,C=USValid 2026-03-22T04:13:13Z → 2026-06-20T04:13:12ZExpires in 76 days SANs *.nextjs.org, nextjs.orgSignature SHA256-RSASerial 587c00188bc48f589feaff9c2c4972b9203
Intermediate (CA Certificate)
Subject CN=R12,O=Let's Encrypt,C=USIssuer CN=ISRG Root X1,O=Internet Security Research Group,C=USValid 2024-03-13T00:00:00Z → 2027-03-12T23:59:59ZExpires in 342 days Signature SHA256-RSASerial c212324b70a9b49171dc40f7e285263c
A+
Cookie Security
No cookies set — no cookie security risks
PASS
No cookies set — no cookie security risks
Info::
No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+
Subresource Integrity
No external resources
PASS
No external resources
Info::
No external resources to protect
SRI Coverage No external resources — SRI not applicable
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt Not foundSecurity Policy
A
Email Security
DMARC: quarantine
PASS
DMARC: quarantine
Info::
DMARC policy is quarantine — good protection
DMARC
Policy quarantine — good protection Record v=DMARC1; p=quarantine; rua=mailto:df9481016e14030@rep.dmarcanalyzer.com; ruf=mailto:df9481016e14030@for.dmarcanalyzer.com; pct=100; fo=1;
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback