Security Headers

Check HTTP security headers of a URL — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP. Score-based report with recommendations.

What are HTTP Security Headers?

HTTP security headers are special headers a web server sends with every response, instructing the browser to follow security rules — e.g. "never allow this site in an iframe", "always use HTTPS", "do not execute JavaScript from unknown sources". Properly configured, they form the first line of defense against XSS, clickjacking, MIME sniffing, downgrade attacks, and CSRF.

Which headers does the tool check?

Critical (must have)

HSTS (Strict-Transport-Security): forces HTTPS and prevents downgrade attacks. CSP (Content-Security-Policy): top XSS defense — declares which sources of scripts, styles, images are allowed. X-Frame-Options: prevents clickjacking via iframe embedding.

Important (recommended)

X-Content-Type-Options: nosniff: prevents the browser from guessing MIME types. Referrer-Policy: controls how much information the browser sends in the Referer header on outbound links.

Modern (best practice)

Permissions-Policy: controls which browser features (camera, microphone, geolocation, payment) the page can use. COOP/COEP/CORP: cross-origin isolation that mitigates Spectre-class attacks.

How is the score calculated?

The tool gives a weighted score from 0–100%: critical headers 50%, important 30%, modern 20%. The score maps to a letter grade A–F. Headers that are present but with a weak value (e.g. HSTS with max-age < 6 months, or CSP with unsafe-inline) count as half credit.
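The scoring scheme described above, implemented as an added example (not the tool's own code): it takes a dict of response headers and returns the weighted score and letter grade. The equal split of a category's weight across its headers, the 6-month HSTS cutoff expressed as 180 days in seconds, and the grade cutoffs are assumptions; the page does not state them.

```python
import re
# Header groups and category weights from the page. The equal per-header split,
# the 6-month HSTS cutoff in seconds and the grade cutoffs are assumed here.
CATEGORIES = {
    "critical": (0.50, ["strict-transport-security", "content-security-policy",
                        "x-frame-options"]),
    "important": (0.30, ["x-content-type-options", "referrer-policy"]),
    "modern": (0.20, ["permissions-policy", "cross-origin-opener-policy",
                      "cross-origin-embedder-policy", "cross-origin-resource-policy"]),
}
SIX_MONTHS = 180 * 24 * 3600
SAMPLE = {  # constructed response headers: two weak critical values, nothing modern
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

def csp_sources(value, directive):
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [t.lower() for t in tokens[1:]]
    return None  # directive absent

def header_credit(name, value):
    # 1.0 = present and strong, 0.5 = present but weak, 0.0 = missing
    if value is None:
        return 0.0
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", value, re.I)
        return 1.0 if m and int(m.group(1)) >= SIX_MONTHS else 0.5
    if name == "content-security-policy":
        # script-src governs scripts; default-src applies only when it is absent
        scripts = csp_sources(value, "script-src")
        if scripts is None:
            scripts = csp_sources(value, "default-src") or []
        return 0.5 if "'unsafe-inline'" in scripts else 1.0
    return 1.0

def score_headers(headers):
    present = {k.lower(): v for k, v in headers.items()}
    total = 0.0
    for weight, names in CATEGORIES.values():
        share = weight / len(names)
        total += sum(share * header_credit(n, present.get(n)) for n in names)
    return round(total * 100)  # SAMPLE scores 48
def grade(score):
    # Assumed cutoffs; the page only says the score maps to A-F
    return next((g for cut, g in ((90, "A"), (80, "B"), (70, "C"), (60, "D")) if score >= cut), "F")
```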

How do you add the headers?

For Apache, in .htaccess or VirtualHost: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains". For Nginx, in the server block: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;. Cloudflare/CDN providers usually expose a UI that adds them automatically. For Laravel/Express/Rails apps, a middleware that sets them on every response is the cleanest approach.

FAQ

Is it safe to enable HSTS for 1 year right away?

No. Start with a small max-age (e.g. 300 = 5 minutes) to confirm your entire site is correctly served over HTTPS. Once you verify there are no mixed-content issues, increase to 1 year and add includeSubDomains. If you make a mistake with HSTS active, browsers will enforce it for the entire period.

Why is CSP often "weak" when it has unsafe-inline?

'unsafe-inline' allows execution of any inline JavaScript on the page — meaning if an attacker manages to inject <script>...</script> (XSS), CSP won't stop them. The right fix is per-script nonces or hashes. Modern best practice: script-src 'nonce-{random}' 'strict-dynamic'.

What's the difference between X-Frame-Options and CSP frame-ancestors?

Same purpose (clickjacking prevention), but X-Frame-Options is older and accepts only DENY/SAMEORIGIN. CSP frame-ancestors accepts multiple sources and is more flexible. Most servers send both for backward compatibility.

Will COEP require-corp break third-party images?

Yes, if those images don't send a Cross-Origin-Resource-Policy header. Alternative: credentialless — allows cross-origin loading without credentials, and doesn't need cooperation from third-party servers. More compatible for sites using external images (avatars, CDNs).

How do I hide the Server / X-Powered-By header?

On Apache: ServerTokens Prod + Header always unset X-Powered-By. On Nginx: server_tokens off;. In PHP: expose_php = Off in php.ini. Doesn't materially increase security, but makes it harder for mass scanners that target specific versions with known CVEs.