Skip to content
https://gitlab.com

Security

· 11 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
80
GRADE
B
FIX
1
REVIEW
4
PASS
6
INFO
0
Checks
11
6 PASS 4 REVIEW 1 FIX
F
Subresource Integrity
Action
0 of 8 external resources have SRI
FIX
0 of 8 external resources have SRI
Warning::
External script from client-registry.mutinycdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://client-registry.mutinycdn.com/personalize/client/c18972324098ea25.js
Warning::
External script from cdn.cookielaw.org lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.cookielaw.org/consent/7f944245-c5cd-4eed-a90e-dd955adfdd08/OtAutoBlock.js
Warning::
External script from cdn.cookielaw.org lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.cookielaw.org/scripttemplates/otSDKStub.js
Warning::
External script from geolocation.onetrust.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location/geofeed
Warning::
External script from cdn.optimizely.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.optimizely.com/js/5113954737848320.js
Warning::
External script from cdn.bizible.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.bizible.com/scripts/bizible.js
Warning::
External script from munchkin.marketo.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://munchkin.marketo.net/munchkin.js
Warning::
External script from cdn.cookielaw.org lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.cookielaw.org/scripttemplates/202512.1.0/otBannerSdk.js
SRI Coverage 0 / 8 of external resources have integrity hashes
TagDomainIntegrity
<script>client-registry.mutinycdn.com Missing
<script>cdn.cookielaw.org Missing
<script>cdn.cookielaw.org Missing
<script>geolocation.onetrust.com Missing
<script>cdn.optimizely.com Missing
<script>cdn.bizible.com Missing
<script>munchkin.marketo.net Missing
<script>cdn.cookielaw.org Missing
B
Security Headers
7 of 10 headers properly configured
REVIEW
7 of 10 headers properly configured
Warning::
HSTS is missing includeSubDomains
Without includeSubDomains, subdomains can still be accessed over HTTP.
Got: max-age=31536000 Expected: max-age=31536000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Info::
Referrer-Policy is properly configured
Got: strict-origin-when-cross-origin
Info::
Permissions-Policy is set
Got: interest-cohort=()
Info::
Content-Security-Policy is present
Got: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptc…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: cloudflare

Without includeSubDomains, subdomains can still be accessed over HTTP.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without includeSubDomains, a forgotten dev subdomain over HTTP can set malicious cookies that ride to the apex.

Learn more

HSTS without includeSubDomains protects only the exact domain. Cookies set on a non-HSTS subdomain can ride to the apex via cookie-scope attacks. The fix is one directive append. Verify all subdomains support HTTPS first — adding includeSubDomains to a domain with HTTP-only subdomains breaks them.

Source: RFC 6797

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

C
Content Security Policy
Action
6 of 10 CSP checks passed
REVIEW
6 of 10 CSP checks passed
Info::
Raw CSP policy
Got: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/ https://gitlab.com/-/speedscope/index.html https://gitlab.com/-/sandbox/ 'self' blob: data: https://embed.figma.com https://www.figma.com https://www.youtube.com; connect-src 'self' https://gitlab.com wss://gitlab.com https://sentry.gitlab.net https://new-sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net https://sourcegraph.com https://collector.prd-278964.gl-product-analytics.com https://analytics.gitlab.com snowplowprd.trx.gitlab.net; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html https://*.zuora.com/apps/PublicHostedPageLite.do https://gitlab.com/admin/ https://gitlab.com/assets/ https://gitlab.com/-/speedscope/index.html https://gitlab.com/-/sandbox/ https://embed.figma.com https://www.figma.com https://www.youtube.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; report-uri https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_environment=gprd; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com https://*.zuora.com/apps/PublicHostedPageLite.do 'nonce-QpNfNWcHUlimmBDl4nZmwQ=='; style-src 'self' 'unsafe-inline'; worker-src 'self' https://gitlab.com/assets/ blob: data:
Info::
default-src directive is set
Got: default-src 'self'
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com https://*.zuora.com/apps/PublicHostedPageLite.do 'nonce-QpNfNWcHUlimmBDl4nZmwQ=='
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://apis.google.com https://*.zuora.com/apps/PublicHostedPageLite.do 'nonce-QpNfNWcHUlimmBDl4nZmwQ=='
Info::
No wildcard in script source
Info::
object-src is set to 'none'
Got: object-src 'none'
Info::
base-uri is properly restricted
Got: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'self'
Info::
form-action directive is set
Got: form-action 'self' https: http:
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests
Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

base-uri 'self'
child-src https://www.google.com/recaptcha/https://www.recaptcha.net/https://www.googletagmanager.com/ns.htmlhttps://*.zuora.com/apps/PublicHostedPageLite.dohttps://gitlab.com/admin/https://gitlab.com/assets/https://gitlab.com/-/speedscope/index.htmlhttps://gitlab.com/-/sandbox/'self'blob:data:https://embed.figma.comhttps://www.figma.comhttps://www.youtube.com
connect-src 'self'https://gitlab.comwss://gitlab.comhttps://sentry.gitlab.nethttps://new-sentry.gitlab.nethttps://customers.gitlab.comhttps://snowplow.trx.gitlab.nethttps://sourcegraph.comhttps://collector.prd-278964.gl-product-analytics.comhttps://analytics.gitlab.comsnowplowprd.trx.gitlab.net
default-src 'self'
font-src 'self'
form-action 'self'https:http:
frame-ancestors 'self'
frame-src https://www.google.com/recaptcha/https://www.recaptcha.net/https://www.googletagmanager.com/ns.htmlhttps://*.zuora.com/apps/PublicHostedPageLite.dohttps://gitlab.com/admin/https://gitlab.com/assets/https://gitlab.com/-/speedscope/index.htmlhttps://gitlab.com/-/sandbox/https://embed.figma.comhttps://www.figma.comhttps://www.youtube.com
img-src 'self'data:blob:http:https:
manifest-src 'self'
media-src 'self'data:blob:http:https:
object-src 'none'
report-uri https://new-sentry.gitlab.net/api/4/security/?sentry_key=f5573e26de8f4293b285e556c35dfd6e&sentry_environment=gprd
script-src 'strict-dynamic''self''unsafe-inline''unsafe-eval'https://www.google.com/recaptcha/https://www.gstatic.com/recaptcha/https://www.recaptcha.net/https://apis.google.comhttps://*.zuora.com/apps/PublicHostedPageLite.do'nonce-QpNfNWcHUlimmBDl4nZmwQ=='
style-src 'self''unsafe-inline'
worker-src 'self'https://gitlab.com/assets/blob:data:
C
Permissions-Policy
Action
1 directives, 5 missing
REVIEW
1 directives, 5 missing
Info::
interest-cohort=() — blocked for all origins
Info::
camera not restricted
Consider adding camera=() to block camera access from embedded content.
Info::
microphone not restricted
Consider adding microphone=() to block microphone access from embedded content.
Info::
geolocation not restricted
Consider adding geolocation=() to block geolocation access from embedded content.
Info::
payment not restricted
Consider adding payment=() to block payment access from embedded content.
Info::
usb not restricted
Consider adding usb=() to block usb access from embedded content.

Raw Header

interest-cohort=()

Feature Permissions

Blocked Self Only Unrestricted Not Set
interest-cohort Blocked
camera Not Set
microphone Not Set
geolocation Not Set
payment Not Set
usb Not Set
B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
A+
TLS & Certificates
TLS 1.3, 7 checks passed
PASS
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_CHACHA20_POLY1305_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 37 days)
Got: 2026-05-11T23:59:59Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 6 domain(s)
Got: gitlab.com, auth.gitlab.com, customers.gitlab.com, email.customers.gitlab.com, gprd.gitlab.com, www.gitlab.com
Info::
Certificate is issued by a trusted CA
Got: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.3
Cipher Suite
TLS_CHACHA20_POLY1305_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=gitlab.comIssuer CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GBValid 2025-04-12T00:00:00Z → 2026-05-11T23:59:59ZExpires in 37 days SANs gitlab.com, auth.gitlab.com, customers.gitlab.com, email.customers.gitlab.com, gprd.gitlab.com, www.gitlab.comSignature SHA256-RSASerial d8837dd34af806350ea1d10efb090de2
Intermediate (CA Certificate)
Subject CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GBIssuer CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid 2018-11-02T00:00:00Z → 2030-12-31T23:59:59ZExpires in 1732 days Signature SHA384-RSASerial 7d5b5126b476ba11db74160bbc530da7
Intermediate (CA Certificate)
Subject CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USIssuer CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid 2010-02-01T00:00:00Z → 2038-01-18T23:59:59ZExpires in 4307 days Signature SHA384-RSASerial 1fd6d30fca3ca51a81bbc640e35032d
A+
Cookie Security
1 cookies analyzed, 3 checks passed
PASS
1 cookies analyzed, 3 checks passed
Info::
Cookie '_cfuvid' has the Secure flag
Info::
Cookie '_cfuvid' has the HttpOnly flag
Info::
Cookie '_cfuvid' has SameSite=None
1 cookies analyzed
NameSecureHttpOnlySameSiteSizeIssues
_cfuvidNone82 B
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt ExposedSecurity PolicyInfo
A+
Email Security
DMARC: reject
PASS
DMARC: reject
Info::
DMARC policy is reject — strongest protection
DMARC
Policy reject — strongest protection Record v=DMARC1; p=reject; pct=100
A+
security.txt
Signed, 2 contact(s) — RFC 9116 compliant
PASS

security.txt

Contact: https://hackerone.com/gitlab/, https://about.gitlab.com/security/disclosure/
Expires: 2027-01-31T05:00:00.000Z
Policy: https://gitlab.com/.well-known/security.txt
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback