Security Headers

HSTS, CSP, X-Frame, Referrer-Policy etc. scored.

Security headers for https://arzhost.com

Score: 13 / 100

× Strict-Transport-Security: HSTS, force HTTPS
× Content-Security-Policy: CSP, script and resource allowlist
× X-Frame-Options: clickjacking protection
× X-Content-Type-Options: no MIME sniff
Referrer-Policy
Permissions-Policy: private-state-token-redemption=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"), private-state-token-issuance=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com")
× Cross-Origin-Opener-Policy: COOP
× Cross-Origin-Embedder-Policy: COEP

About Security Headers

This audit checks eight HTTP response headers that defend against common web attacks: Strict-Transport-Security (forces HTTPS), Content-Security-Policy (restricts what scripts and resources load), X-Frame-Options (blocks clickjacking), X-Content-Type-Options (stops MIME sniffing), Referrer-Policy, Permissions-Policy (controls browser APIs), Cross-Origin-Opener-Policy, and Cross-Origin-Embedder-Policy. The score is the percentage of headers present.

When to use it

Run this after deploying a new site to spot missing security headers before an attacker does. Use it during a security audit to produce a quick before-and-after comparison. Run it on competitor sites or comparison candidates to see how seriously they take application security, which often correlates with overall engineering quality.

How to read the results

A score of 75 or higher is good. HSTS and X-Content-Type-Options are the easiest to add and should always be present. Content-Security-Policy is the most effective at blocking cross-site scripting but the hardest to author correctly. X-Frame-Options is being replaced by the frame-ancestors directive in CSP but is still widely respected. Headers showing values like default-src 'self' indicate active configuration rather than copy-pasted defaults.

Frequently asked questions

What is the most important security header?

Strict-Transport-Security (HSTS) is the most impactful for the least effort. It forces browsers to use HTTPS for all future requests, preventing downgrade attacks. Add it with a max-age of at least 31536000 (one year) and add the includeSubDomains directive if your wildcard certificate covers them.

Is X-XSS-Protection still useful?

No. Modern browsers have removed the XSS auditor that header controlled. It is now a no-op and some recommendations explicitly disable it because the legacy auditor caused security issues. Rely on Content-Security-Policy instead.

My CSP keeps breaking the site. Where do I start?

Use the Content-Security-Policy-Report-Only header first, which logs violations without blocking them. Collect reports for a week, then promote the working policy to enforcement. Tools like csp-evaluator help you draft the initial policy.

Do these headers replace input sanitisation and auth?

No. They are defence in depth. The application still needs to escape output, validate input, and authenticate users. Security headers limit the blast radius if something else goes wrong, but they are not a substitute for secure coding.
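The following is an added example, not the scanner's own code: it scores a captured set of response headers the way the "About" section describes (percentage of the eight headers present, rounded half up, which gives the 13 shown above for one header of eight) and adds the checks from the FAQ: an HSTS max-age below one year, a CSP that is only in Report-Only mode, and a legacy X-XSS-Protection header. The sample headers are constructed to mirror the scan above.

```python
import re

# The eight headers the audit looks for.
AUDITED_HEADERS = (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
    "Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy",
)
ONE_YEAR = 31536000  # minimum HSTS max-age recommended in the FAQ


def audit(headers):
    """Return (score, findings) for a dict of HTTP response headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    present = [h for h in AUDITED_HEADERS if h.lower() in lower]
    # Percentage present, rounded half up: 1 of 8 -> 13, as on the page.
    score = int(100 * len(present) / len(AUDITED_HEADERS) + 0.5)
    findings = [f"missing: {h}" for h in AUDITED_HEADERS if h not in present]

    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"weak: HSTS max-age {age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("note: HSTS lacks includeSubDomains")
    if ("content-security-policy" not in lower
            and "content-security-policy-report-only" in lower):
        findings.append("note: CSP is Report-Only, nothing is enforced yet")
    if "x-xss-protection" in lower:
        findings.append("legacy: X-XSS-Protection is a no-op in modern browsers")
    return score, findings


# Constructed sample mirroring the scan above: only Permissions-Policy is set.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Permissions-Policy": "private-state-token-redemption=(self)",
}

if __name__ == "__main__":
    score, findings = audit(SAMPLE_HEADERS)
    print(f"Score: {score} / 100")
    for finding in findings:
        print(" -", finding)
```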
