/ audit · 03
Security
Analysis of HTTP response headers: security, information disclosure, cache, detected technologies.
Scan
// Enter a URL to fetch its HTTP headers.
Checks
- HSTS — max-age, preload, subdomains
- CSP — Content Security Policy, unsafe-inline/eval detection
- X-Frame-Options — clickjacking protection
- X-Content-Type-Options — anti MIME sniffing
- Referrer-Policy — Referer policy
- Permissions-Policy — browser API restrictions
- COOP / COEP / CORP — cross-origin isolation
- Set-Cookie — Secure, HttpOnly, SameSite flags
- disclosure — Server, X-Powered-By, X-AspNet-Version
- deprecated — X-XSS-Protection, HPKP, Expect-CT, Feature-Policy
- TLS — version, cipher, signature, expiry, chain
- HTTPS / HSTS preload — HTTP→HTTPS redirect, HSTS preload eligibility
- CSP detail — directives, unsafe sources, nonce/hash/strict-dynamic
- Mixed content — HTTP resources on HTTPS page
- SRI — integrity on cross-origin scripts/styles
- iframes / target=_blank / forms — iframe sandbox, target=_blank, HTTPS forms
- Sensitive endpoints — /.env, /.git, /server-status, backups
- .well-known — security.txt, change-password
- CORS · OPTIONS — third-party Origin, allowed methods
- Recommendations — prioritized by impact