Skip to content
https://github.com

Security

· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
80
GRADE
B
FIX
2
REVIEW
3
PASS
7
INFO
0
Checks
12
7 PASS 3 REVIEW 2 FIX
F
Subresource Integrity
Action
0 of 80 external resources have SRI
FIX
0 of 80 external resources have SRI
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/light-0c8222dcd7a4f9b7.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/light_high_contrast-51c0c6e0c085cc0f.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/dark-fc6eec18532c3ae0.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/dark_high_contrast-96d7b2bab5a6ae4e.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/primer-primitives-10bf9dd67e3d70bd.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/primer-0fcd9af82350aeda.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/global-0bd78641c0a1f3e0.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/github-c94ab8d1f22049a8.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/site-4884328cf1d6633f.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/landing-pages-8a6ddfb3febb09cd.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/home-1aab590db4b38e90.css
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/high-contrast-cookie-fed1d93364101384.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/wp-runtime-a07ba38b57ccffce.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/fetch-utilities-78a4114cfa572239.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/85924-e131bec5f99667e1.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/28839-734cb6d8a7150172.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/34646-edd5528648c197b1.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/environment-51c0968cf21c176d.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/runtime-helpers-3bb6f7d6b7a2f531.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/2966-f6796bfd155feae1.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/96232-69d46a31854353d4.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/41013-7a6deee6d6ff15eb.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/51210-3abb7238871a5b29.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/64247-7de91c52a8aca0eb.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/31721-17b28a26ab4c2e02.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/46740-6606b1026a237412.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/39130-334926c8365e947c.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/github-elements-459d4cd7a0f718d7.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/element-registry-4ca58e06683111bd.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/react-core-9efb35432aeb5ac0.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/react-lib-a4cf89fce9a1300a.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/7053-fe40037405b8998b.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/79039-2565b539a6ebc09b.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/61110-93cf7706e5dc8bfa.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/2887-47ac9a4b8862e6bf.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/26533-4df1172b25427069.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/66385-9fabdb6ffe6a94cf.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/93716-c0d708c7899c4298.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/60481-1a8127058c27e9af.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/46287-ba2ddd25bb86186f.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/2498-7a413c8209222158.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/61025-65c40451bea578e1.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/89627-fbbd31c43d83e10c.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/49029-32f138b26aa15ad8.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/99328-5e06da57c4622e21.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/behaviors-ea20a2c6238da250.js
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/react-core.27e21bcb26e3f432.module.css
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/4244-d5dcb589fae0ecbf.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/notifications-global-206312e9c9776c21.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/87903-17ef16991d8bcfc7.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/22445-1d247a8bf5b6a1d5.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/marketing-essentials-9a86288f791548e3.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/70641-5a6ec3de78151c22.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/46752-46c707717fcbe6a9.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/85897-345989e6728659d7.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/90018-d35ce3c32806d709.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/48761-4941fce410205fe2.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/18382-3d41da96c8d4b890.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/6572-01263ee51465ffb1.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/37826-b3ebde81e7762221.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/63050-6bfa87fb71a6dcbe.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/39250-d8a25e2693e66f05.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/49957-92efef4240df7e52.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/landing-pages-c18ba2fdd1c5392f.js
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/primer-react-css.79cea627ecb8f959.module.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/landing-pages.5e057cbd0c30db14.module.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/38963.f70dfea92b138b01.module.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/70168.374ce4e648336309.module.css
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/chunk-39118-a79af489cc7bc7cc.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/chunk-8957-59bd8ba0dbc0369b.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/chunk-34333-c6afb7b157287996.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/66353-b44748fd4ed05b2c.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/chunk-27502-10792c93f5c39568.js
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/primer-react-css.79cea627ecb8f959.module.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/keyboard-shortcuts-dialog.f581ff34f52b4167.module.css
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/global-banner-disable-c5d230875ac0a28a.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/86735-f3e914a229b8e278.js
Warning::
External script from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/sessions-2f8b9c6ac9ed412d.js
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/primer-react-css.79cea627ecb8f959.module.css
Warning::
External link from github.githubassets.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://github.githubassets.com/assets/marketing-navigation.5b4138cab2f44179.module.css
SRI Coverage 0 / 80 of external resources have integrity hashes
TagDomainIntegrity
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<link>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<script>github.githubassets.com Missing
<link>github.githubassets.com Missing
<link>github.githubassets.com Missing
D
Permissions-Policy
Action
No header set
FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
B
Security Headers
6 of 10 headers properly configured
REVIEW
6 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=31536000; includeSubdomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: deny
Warning::
Referrer-Policy has a weak value
Got: origin-when-cross-origin, strict-origin-when-cross-origin Expected: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.co…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: github.com
Expected: strict-origin-when-cross-origin
Why this matters

Weak Referrer-Policy values leak full URLs (with query params, tokens, IDs) to every third-party resource on the page.

Learn more

Default referrer behavior shares the full referring URL with images, scripts, and other resources from third-party origins. If your URLs contain tokens, session IDs, or user emails (in query strings or paths), every third-party tracker gets them. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter).

Source: MDN Referrer-Policy / W3C

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
B
security.txt
Published with 1 contact(s)
REVIEW

security.txt

Contact: https://hackerone.com/github
Expires: 2026-05-08T08:50:38z
Policy: https://github.com/.well-known/security.txt
A+
Content Security Policy
9 of 10 CSP checks passed
PASS
9 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net productionresultssa4.blob.core.windows.net productionresultssa5.blob.core.windows.net productionresultssa6.blob.core.windows.net productionresultssa7.blob.core.windows.net productionresultssa8.blob.core.windows.net productionresultssa9.blob.core.windows.net productionresultssa10.blob.core.windows.net productionresultssa11.blob.core.windows.net productionresultssa12.blob.core.windows.net productionresultssa13.blob.core.windows.net productionresultssa14.blob.core.windows.net productionresultssa15.blob.core.windows.net productionresultssa16.blob.core.windows.net productionresultssa17.blob.core.windows.net productionresultssa18.blob.core.windows.net productionresultssa19.blob.core.windows.net github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com edge.fullstory.com rs.fullstory.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com www.youtube-nocookie.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com user-images.githubusercontent.com private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com images.ctfassets.net/8aevphvgewt8/; manifest-src 'self'; media-src github.com user-images.githubusercontent.com secured-user-images.githubusercontent.com private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com assets.ctfassets.net/8aevphvgewt8/ videos.ctfassets.net/8aevphvgewt8/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
Info::
default-src directive is set
Got: default-src 'none'
Info::
No 'unsafe-inline' in script source
Info::
No 'unsafe-eval' in script source
Info::
No wildcard in script source
Info::
object-src falls back to default-src
Info::
base-uri is properly restricted
Got: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'none'
Info::
form-action directive is set
Got: form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com
Info::
upgrade-insecure-requests is enabled

Parsed Policy

default-src 'none'
base-uri 'self'
child-src github.githubassets.comgithub.com/assets-cdn/worker/github.com/assets/gist.github.com/assets-cdn/worker/
connect-src 'self'uploads.github.comwww.githubstatus.comcollector.github.comraw.githubusercontent.comapi.github.comgithub-cloud.s3.amazonaws.comgithub-production-repository-file-5c1aeb.s3.amazonaws.comgithub-production-upload-manifest-file-7fdce7.s3.amazonaws.comgithub-production-user-asset-6210df.s3.amazonaws.com*.rel.tunnels.api.visualstudio.comwss://*.rel.tunnels.api.visualstudio.comgithub.githubassets.comobjects-origin.githubusercontent.comcopilot-proxy.githubusercontent.comproxy.individual.githubcopilot.comproxy.business.githubcopilot.comproxy.enterprise.githubcopilot.com*.actions.githubusercontent.comwss://*.actions.githubusercontent.comproductionresultssa0.blob.core.windows.netproductionresultssa1.blob.core.windows.netproductionresultssa2.blob.core.windows.netproductionresultssa3.blob.core.windows.netproductionresultssa4.blob.core.windows.netproductionresultssa5.blob.core.windows.netproductionresultssa6.blob.core.windows.netproductionresultssa7.blob.core.windows.netproductionresultssa8.blob.core.windows.netproductionresultssa9.blob.core.windows.netproductionresultssa10.blob.core.windows.netproductionresultssa11.blob.core.windows.netproductionresultssa12.blob.core.windows.netproductionresultssa13.blob.core.windows.netproductionresultssa14.blob.core.windows.netproductionresultssa15.blob.core.windows.netproductionresultssa16.blob.core.windows.netproductionresultssa17.blob.core.windows.netproductionresultssa18.blob.core.windows.netproductionresultssa19.blob.core.windows.netgithub-production-repository-image-32fea6.s3.amazonaws.comgithub-production-release-asset-2e65be.s3.amazonaws.cominsights.github.comwss://alive.github.comwss://alive-staging.github.comapi.githubcopilot.comapi.individual.githubcopilot.comapi.business.githubcopilot.comapi.enterprise.githubcopilot.comedge.fullstory.comrs.fullstory.com
font-src github.githubassets.com
form-action 'self'github.comgist.github.comcopilot-workspace.githubnext.comobjects-origin.githubusercontent.com
frame-ancestors 'none'
frame-src viewscreen.githubusercontent.comnotebooks.githubusercontent.comwww.youtube-nocookie.com
img-src 'self'data:blob:github.githubassets.commedia.githubusercontent.comcamo.githubusercontent.comidenticons.github.comavatars.githubusercontent.comprivate-avatars.githubusercontent.comgithub-cloud.s3.amazonaws.comobjects.githubusercontent.comrelease-assets.githubusercontent.comsecured-user-images.githubusercontent.comuser-images.githubusercontent.comprivate-user-images.githubusercontent.comopengraph.githubassets.commarketplace-screenshots.githubusercontent.comcopilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/github-production-user-asset-6210df.s3.amazonaws.comcustomer-stories-feed.github.comspotlights-feed.github.comobjects-origin.githubusercontent.com*.githubusercontent.comimages.ctfassets.net/8aevphvgewt8/
manifest-src 'self'
media-src github.comuser-images.githubusercontent.comsecured-user-images.githubusercontent.comprivate-user-images.githubusercontent.comgithub-production-user-asset-6210df.s3.amazonaws.comgist.github.comgithub.githubassets.comassets.ctfassets.net/8aevphvgewt8/videos.ctfassets.net/8aevphvgewt8/
script-src github.githubassets.com
style-src 'unsafe-inline'github.githubassets.com
upgrade-insecure-requests
worker-src github.githubassets.comgithub.com/assets-cdn/worker/github.com/assets/gist.github.com/assets-cdn/worker/
A+
TLS & Certificates
TLS 1.3, 7 checks passed
PASS
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 56 days)
Got: 2026-06-03T23:59:59Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: ECDSA-SHA256
Info::
Certificate covers 2 domain(s)
Got: github.com, www.github.com
Info::
Certificate is issued by a trusted CA
Got: CN=Sectigo Public Server Authentication CA DV E36,O=Sectigo Limited,C=GB

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_128_GCM_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=github.comIssuer CN=Sectigo Public Server Authentication CA DV E36,O=Sectigo Limited,C=GBValid 2026-03-06T00:00:00Z → 2026-06-03T23:59:59ZExpires in 56 days SANs github.com, www.github.comSignature ECDSA-SHA256Serial 1dc289c1eadafb04e9d1cf53d5d72253
Intermediate (CA Certificate)
Subject CN=Sectigo Public Server Authentication CA DV E36,O=Sectigo Limited,C=GBIssuer CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GBValid 2021-03-22T00:00:00Z → 2036-03-21T23:59:59ZExpires in 3635 days Signature ECDSA-SHA384Serial 36e059ed888dd57aedd570b6727f9bda
Intermediate (CA Certificate)
Subject CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GBIssuer CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid 2021-03-22T00:00:00Z → 2038-01-18T23:59:59ZExpires in 4303 days Signature ECDSA-SHA384Serial 1a9eafec6de8e19b5c193141b68d90dd
A+
Cookie Security
3 cookies analyzed, 8 checks passed
PASS
3 cookies analyzed, 8 checks passed
Info::
Cookie '_gh_sess' has the Secure flag
Info::
Cookie '_gh_sess' has the HttpOnly flag
Info::
Cookie '_gh_sess' has SameSite=Lax
Info::
Cookie '_octo' has the Secure flag
Warning::
Cookie '_octo' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Info::
Cookie '_octo' has SameSite=Lax
Info::
Cookie 'logged_in' has the Secure flag
Info::
Cookie 'logged_in' has the HttpOnly flag
Info::
Cookie 'logged_in' has SameSite=Lax
3 cookies analyzed 1 warnings
NameSecureHttpOnlySameSiteSizeIssues
_gh_sessLax352 B
_octoLax31 B1
logged_inLax11 B
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt ExposedSecurity PolicyInfo
A
Email Security
DMARC: quarantine
PASS
DMARC: quarantine
Info::
DMARC policy is quarantine — good protection
DMARC
Policy quarantine — good protection Record v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@github.com; ruf=mailto:dmarc@github.com; fo=1
A
Transport Security
HTTP/3, HSTS, and TLS version analysis
PASS
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback