https://pypi.org
Security
· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.SCORE
90
GRADE
A
FIX
0
REVIEW
4
PASS
8
INFO
0
Checks
128 PASS 4 REVIEW
BSecurity Headers7 of 10 headers properly configuredREVIEW
Security Headers
7 of 10 headers properly configured
7 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=31536000; includeSubDomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: deny
Warning::
Referrer-Policy has a weak value
Got: origin-when-cross-origin Expected: strict-origin-when-cross-origin
Info::
Permissions-Policy is set
Got: publickey-credentials-create=(self),publickey-credentials-get=(self),accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),hid=(),identity-credentials-get=(),idle-detection=(),local-fonts=(),magnetometer=(),microphone=(),midi=(),otp-credentials=(),payment=(),picture-in-picture=(),screen-wake-lock=(),serial=(),speaker-selection=(),storage-access=(),usb=(),web-share=(),xr-spatial-tracking=()
Info::
Content-Security-Policy is present
Got: base-uri 'self'; connect-src 'self' https://api.github.com/repos/ https://api.gi…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: gunicorn
Expected:
strict-origin-when-cross-originWhy this matters
Weak Referrer-Policy values leak full URLs (with query params, tokens, IDs) to every third-party resource on the page.
Learn more ▾ ▴
Default referrer behavior shares the full referring URL with images, scripts, and other resources from third-party origins. If your URLs contain tokens, session IDs, or user emails (in query strings or paths), every third-party tracker gets them. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter).
Source: MDN Referrer-Policy / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected:
same-originWhy this matters
COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected:
require-corpWhy this matters
COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
CSubresource IntegrityAction1 of 2 external resources have SRIREVIEW
Subresource Integrity
Action1 of 2 external resources have SRI
1 of 2 external resources have SRI
Warning::
External script from analytics.python.org lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://analytics.python.org/js/script.js
Info::
script from media.ethicalads.io has SRI protection
SRI Coverage 1 / 2 of external resources have integrity hashes
| Tag | Domain | Integrity |
|---|---|---|
| <script> | analytics.python.org | ✗ Missing |
| <script> | media.ethicalads.io | ✓ Protected |
BCORS ConfigurationNo CORS headersREVIEW
CORS Configuration
No CORS headers
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration ✓ Secure
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
Bsecurity.txtPublished with 1 contact(s)REVIEW
security.txt
Published with 1 contact(s)
security.txt
Contact: mailto:security@pypi.org
Expires: 2027-04-21T15:00:47.000Z
Policy: https://pypi.org/.well-known/security.txt
A+Content Security Policy8 of 10 CSP checks passedPASS
Content Security Policy
8 of 10 CSP checks passed
8 of 10 CSP checks passed
Info::
Raw CSP policy
Got: base-uri 'self'; connect-src 'self' https://api.github.com/repos/ https://api.github.com/search/issues https://gitlab.com/api/ https://analytics.python.org *.ethicalads.io https://api.pwnedpasswords.com https://cdn.jsdelivr.net/npm/mathjax@3.2.2/es5/sre/mathmaps/ https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self'; form-action 'self' https://checkout.stripe.com https://billing.stripe.com; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://pypi-camo.freetls.fastly.net/ *.ethicalads.io ethicalads.blob.core.windows.net; script-src 'self' https://analytics.python.org *.ethicalads.io 'sha256-U3hKDidudIaxBDEzwGJApJgPEf2mWk6cfMWghrAa6i0=' https://cdn.jsdelivr.net/npm/mathjax@3.2.2/ 'sha256-1CldwzdEg2k1wTmf7s5RWVd7NMXI/7nxxjJM2C4DqII=' 'sha256-0POaN8stWYQxhzjKS+/eOfbbJ/u4YHO5ZagJvLpMypo='; style-src 'self' *.ethicalads.io 'sha256-2YHqZokjiizkHi1Zt+6ar0XJ0OeEy/egBnlm+MDMtrM=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-JLEjeN9e5dGsz5475WyRaoA4eQOdNPxDIeUhclnJDCE=' 'sha256-mQyxHEuwZJqpxCw3SLmc4YOySNKXunyu2Oiz1r3/wAE=' 'sha256-OCf+kv5Asiwp++8PIevKBYSgnNLNUZvxAp4a7wMLuKA=' 'sha256-h5LOiLhk6wiJrGsG5ItM0KimwzWQH/yAcmoJDJL//bY='
Info::
default-src directive is set
Got: default-src 'none'
Info::
No 'unsafe-inline' in script source
Info::
No 'unsafe-eval' in script source
Info::
No wildcard in script source
Info::
object-src falls back to default-src
Info::
base-uri is properly restricted
Got: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'none'
Info::
form-action directive is set
Got: form-action 'self' https://checkout.stripe.com https://billing.stripe.com
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected:
upgrade-insecure-requestsWhy this matters
Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.
Learn more ▾ ▴
Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.
Source: MDN CSP
Parsed Policy
base-uri 'self'
connect-src 'self'https://api.github.com/repos/https://api.github.com/search/issueshttps://gitlab.com/api/https://analytics.python.org*.ethicalads.iohttps://api.pwnedpasswords.comhttps://cdn.jsdelivr.net/npm/mathjax@3.2.2/es5/sre/mathmaps/https://2p66nmmycsj3.statuspage.io
default-src 'none'
font-src 'self'
form-action 'self'https://checkout.stripe.comhttps://billing.stripe.com
frame-ancestors 'none'
frame-src 'none'
img-src 'self'https://pypi-camo.freetls.fastly.net/*.ethicalads.ioethicalads.blob.core.windows.net
script-src 'self'https://analytics.python.org*.ethicalads.io'sha256-U3hKDidudIaxBDEzwGJApJgPEf2mWk6cfMWghrAa6i0='https://cdn.jsdelivr.net/npm/mathjax@3.2.2/'sha256-1CldwzdEg2k1wTmf7s5RWVd7NMXI/7nxxjJM2C4DqII=''sha256-0POaN8stWYQxhzjKS+/eOfbbJ/u4YHO5ZagJvLpMypo='
style-src 'self'*.ethicalads.io'sha256-2YHqZokjiizkHi1Zt+6ar0XJ0OeEy/egBnlm+MDMtrM=''sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=''sha256-JLEjeN9e5dGsz5475WyRaoA4eQOdNPxDIeUhclnJDCE=''sha256-mQyxHEuwZJqpxCw3SLmc4YOySNKXunyu2Oiz1r3/wAE=''sha256-OCf+kv5Asiwp++8PIevKBYSgnNLNUZvxAp4a7wMLuKA=''sha256-h5LOiLhk6wiJrGsG5ItM0KimwzWQH/yAcmoJDJL//bY='
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
TLS & Certificates
TLS 1.3, 7 checks passed
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 282 days)
Got: 2027-01-29T04:33:07Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 4 domain(s)
Got: pypi.org, *.pypi.org, www.pypi.org, donate.pypi.org
Info::
Certificate is issued by a trusted CA
Got: CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BE
HTTP/2 provides multiplexing and header compression for better performance.
Why this matters
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_128_GCM_SHA256
HTTP Version
HTTP/1.1
Certificate Chain
Leaf Certificate
Subject CN=pypi.orgIssuer CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BEValid 2025-12-28T04:33:08Z → 2027-01-29T04:33:07ZExpires in 282 days SANs pypi.org, *.pypi.org, www.pypi.org, donate.pypi.orgSignature SHA256-RSASerial 131b6322158da5785a38b0997c381f2
Intermediate (CA Certificate)
Subject CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BEIssuer CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSignValid 2025-07-16T03:06:35Z → 2027-07-16T00:00:00ZExpires in 450 days Signature SHA256-RSASerial 83da86ab0e31b19d8f03a5edd5bdbd66
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
JS Library Vulnerabilities
No known vulnerabilities
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
Information Leakage
No exposures
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✗ Exposed | Security Policy | Info |
AEmail SecurityDMARC: quarantinePASS
Email Security
DMARC: quarantine
DMARC: quarantine
Info::
DMARC policy is quarantine — good protection
DMARC
Policy quarantine — good protection Record v=DMARC1; p=quarantine; pct=100; rua=mailto:re+c026728f02d6@inbound.dmarcdigests.com; fo=1; adkim=s; aspf=r
A+Permissions-Policy33 directives, 0 missingPASS
Permissions-Policy
33 directives, 0 missing
33 directives, 0 missing
Info::
publickey-credentials-create=(self)
Info::
publickey-credentials-get=(self)
Info::
accelerometer=() — blocked for all origins
Info::
ambient-light-sensor=() — blocked for all origins
Info::
autoplay=() — blocked for all origins
Info::
battery=() — blocked for all origins
Info::
camera=() — blocked for all origins
Info::
display-capture=() — blocked for all origins
Info::
document-domain=() — blocked for all origins
Info::
encrypted-media=() — blocked for all origins
Info::
execution-while-not-rendered=() — blocked for all origins
Info::
execution-while-out-of-viewport=() — blocked for all origins
Info::
fullscreen=() — blocked for all origins
Info::
gamepad=() — blocked for all origins
Info::
geolocation=() — blocked for all origins
Info::
gyroscope=() — blocked for all origins
Info::
hid=() — blocked for all origins
Info::
identity-credentials-get=() — blocked for all origins
Info::
idle-detection=() — blocked for all origins
Info::
local-fonts=() — blocked for all origins
Info::
magnetometer=() — blocked for all origins
Info::
microphone=() — blocked for all origins
Info::
midi=() — blocked for all origins
Info::
otp-credentials=() — blocked for all origins
Info::
payment=() — blocked for all origins
Info::
picture-in-picture=() — blocked for all origins
Info::
screen-wake-lock=() — blocked for all origins
Info::
serial=() — blocked for all origins
Info::
speaker-selection=() — blocked for all origins
Info::
storage-access=() — blocked for all origins
Info::
usb=() — blocked for all origins
Info::
web-share=() — blocked for all origins
Info::
xr-spatial-tracking=() — blocked for all origins
Raw Header
publickey-credentials-create=(self) publickey-credentials-get=(self) accelerometer=() ambient-light-sensor=() autoplay=() battery=() camera=() display-capture=() document-domain=() encrypted-media=() execution-while-not-rendered=() execution-while-out-of-viewport=() fullscreen=() gamepad=() geolocation=() gyroscope=() hid=() identity-credentials-get=() idle-detection=() local-fonts=() magnetometer=() microphone=() midi=() otp-credentials=() payment=() picture-in-picture=() screen-wake-lock=() serial=() speaker-selection=() storage-access=() usb=() web-share=() xr-spatial-tracking=()
Feature Permissions
Blocked Self Only Unrestricted Not Set
publickey-credentials-create Self Only
publickey-credentials-get Self Only
accelerometer Blocked
ambient-light-sensor Blocked
autoplay Blocked
battery Blocked
camera Blocked
display-capture Blocked
document-domain Blocked
encrypted-media Blocked
execution-while-not-rendered Blocked
execution-while-out-of-viewport Blocked
fullscreen Blocked
gamepad Blocked
geolocation Blocked
gyroscope Blocked
hid Blocked
identity-credentials-get Blocked
idle-detection Blocked
local-fonts Blocked
magnetometer Blocked
microphone Blocked
midi Blocked
otp-credentials Blocked
payment Blocked
picture-in-picture Blocked
screen-wake-lock Blocked
serial Blocked
speaker-selection Blocked
storage-access Blocked
usb Blocked
web-share Blocked
xr-spatial-tracking Blocked
ATransport SecurityHTTP/3, HSTS, and TLS version analysisPASS
Transport Security
HTTP/3, HSTS, and TLS version analysis
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.