Security

· 33 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.

SCORE

GRADE

FIX

REVIEW

PASS

INFO

Checks

20 PASS 7 REVIEW 6 FIX

Security Headers

Action

1 of 10 headers properly configured

FIX

1 of 10 headers properly configured

HSTS header is missing

Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks. Add the header with a max-age of at least 1 year.

Expected: max-age=31536000; includeSubDomains

X-Content-Type-Options header is missing

This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.

Expected: nosniff

X-Frame-Options header is missing

This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.

Expected: DENY

Referrer-Policy header is missing

Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.

Expected: strict-origin-when-cross-origin

Permissions-Policy header is missing

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()

Content-Security-Policy header is missing

CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.

Expected: default-src 'self'

Cross-Origin-Opener-Policy header is missing

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Cross-Origin-Embedder-Policy header is missing

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

X-Powered-By header is not present

Server header reveals version information

The Server header discloses the software version, aiding attackers in targeting known vulnerabilities. Remove the version number.

Got: awselb/2.0

Domain is not in the Chrome HSTS preload list (status: unknown)

Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).

Got: unknown

Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks. Add the header with a max-age of at least 1 year.

Expected: max-age=31536000; includeSubDomains

Why this matters

Without HSTS, a network attacker can downgrade the very first connection to HTTP and steal the user's session.

Learn more ▾

HSTS tells browsers 'never speak HTTP to this domain again.' Without it, a network attacker (public WiFi, malicious ISP, hostile DNS) intercepts the first HTTP attempt and serves a downgraded version of your site. One header, big surface reduction.

Source: RFC 6797 / OWASP

CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.

Expected: default-src 'self'

Why this matters

Without a CSP, a single XSS bug can exfiltrate everything your users type — including credentials.

Learn more ▾

Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies or rewrite the page is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever.

Source: OWASP / MDN

This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.

Expected: nosniff

Why this matters

MIME sniffing lets browsers run uploaded files as JavaScript, turning a file upload into an XSS.

Learn more ▾

Setting X-Content-Type-Options: nosniff tells browsers to trust your declared Content-Type instead of guessing. Without it, an attacker who uploads a polyglot file can sometimes get it executed as a script. One header, no downside.

Source: OWASP / MDN

This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.

Expected: DENY

Why this matters

Without frame protection, your site can be embedded in a hostile page and used for clickjacking.

Learn more ▾

Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.

Source: OWASP / MDN

Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.

Expected: strict-origin-when-cross-origin

Why this matters

Default browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.

Learn more ▾

Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.

Source: MDN / W3C

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()

Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more ▾

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more ▾

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more ▾

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

The Server header discloses the software version, aiding attackers in targeting known vulnerabilities. Remove the version number.

Why this matters

Server: nginx/1.18.0 tells attackers exactly which CVEs to test — strip the version string.

Learn more ▾

Server version disclosure helps attackers select exploits matching your stack. Configure your server to omit the version (nginx: `server_tokens off;`, Apache: `ServerTokens Prod`). Doesn't fix vulnerabilities but removes the easy reconnaissance step.

Source: OWASP

Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).

Why this matters

Not in the Chrome preload list — first-time visitors over plain HTTP can be downgraded by a network attacker before HSTS kicks in.

Learn more ▾

The HSTS header only protects users who have already visited the site (TOFU window). Adding your domain to the Chrome preload list closes that gap so HSTS is enforced from the very first connection. Requires a preload-ready header (max-age=31536000+, includeSubDomains, preload) then submission at hstspreload.org. Inclusion ships in the next Chrome release after acceptance.

Source: hstspreload.org

Content Security Policy

Action

No enforcing CSP policy found

FIX

No enforcing CSP policy found

No Content-Security-Policy header found

CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.

Expected: default-src 'self'

CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.

Expected: default-src 'self'

Why this matters

Without a CSP, a single XSS bug can exfiltrate everything users type — credentials, payment data, session tokens.

Learn more ▾

Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever. Start in Report-Only mode, fix violations, then graduate to enforcing.

Source: OWASP / MDN

CSP Inline-Style Readiness

Action

130 inline style attribute(s) detected

FIX

130 inline style attribute(s) detected

Each `style=""` attribute forces `style-src 'unsafe-inline'` in any Content-Security-Policy, which negates most of CSP's XSS-mitigation value. 130 inline style(s) is high. Affected element types include: body, div, img, strong, svg. Move styles to a stylesheet; use CSS custom properties for runtime-dynamic values; or adopt a nonce/hash CSP policy. Most teams take the stylesheet path because it's also a maintainability win.

Subresource Integrity Adoption

Action

0% SRI adoption (1/292 third-party resources)

FIX

0% SRI adoption (1/292 third-party resources)

SRI adoption: 1/292 third-party resources protected (0%)

Of 292 third-party `<script>` / `<link rel=stylesheet>` resources, 1 (0%) declare a Subresource Integrity hash via the `integrity=` attribute. SRI binds the page to the exact bytes of the third-party resource: if the CDN is compromised, attacker-modified bytes won't match the declared hash and the browser refuses to execute the resource. Missing SRI on (first 5 examples): - https://www.googletagmanager.com/gtag/destination?id=DC-10609627&cx=c&gtm=4e6562 - https://www.googletagmanager.com/gtag/destination?id=AW-785398862&cx=c&gtm=4e6562 - https://www.google-analytics.com/analytics.js - https://www.googletagmanager.com/gtag/js?id=G-PHDYTV9D8V&cx=c&gtm=4e6562 - https://www.googletagmanager.com/gtm.js?id=GTM-M7C2CMW Fix: add `integrity="sha384-..."` and `crossorigin="anonymous"` attributes. Generators: srihash.org, or in-browser via `await crypto.subtle.digest('SHA-384', bytes)`. Cache-bust the resource URL when you change versions, since the integrity hash will mismatch with old cached bytes.

Got: 0% (1/292)

Subresource Integrity

Action

1 of 292 external resources have SRI

FIX

1 of 292 external resources have SRI

script from www.gstatic.com has SRI protection

External script from www.googletagmanager.com lacks integrity attribute