Most websites are missing critical security headers. Here is how to check.
The 10 Security Headers
- Strict-Transport-Security (HSTS) — force HTTPS
- Content-Security-Policy (CSP) — prevent XSS
- X-Content-Type-Options — prevent MIME sniffing
- X-Frame-Options — prevent clickjacking
- X-XSS-Protection — legacy XSS filter
- Referrer-Policy — control referrer info
- Permissions-Policy — restrict browser features
- Cross-Origin-Opener-Policy — isolate browsing context
- Cross-Origin-Resource-Policy — control resource loading
- Cross-Origin-Embedder-Policy — require CORS
Quick Check in Node.js
```javascript
// Node.js 18+ ships a global fetch; the list is the 10 headers above (header names are case-insensitive)
const SECURITY_HEADERS = ["strict-transport-security", "content-security-policy", "x-content-type-options", "x-frame-options", "x-xss-protection", "referrer-policy", "permissions-policy", "cross-origin-opener-policy", "cross-origin-resource-policy", "cross-origin-embedder-policy"];
async function scoreHeaders(url) {
  const response = await fetch(url, { method: "HEAD" }); // HEAD avoids downloading the body
  const present = SECURITY_HEADERS.filter(h => response.headers.has(h));
  return Math.round(present.length / SECURITY_HEADERS.length * 100); // percentage of the 10 headers present
}
```
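A presence-only score treats `Strict-Transport-Security: max-age=0` the same as a one-year policy, so a practitioner usually wants value checks as well. The block below is an added example written for this post, not the author's checker: it scores the same 10 headers, flags weak values for the four headers where a bad value is easy to recognise (the thresholds and patterns are my assumptions, not part of the original), and runs offline against a constructed header set. `analyze` accepts either the `Headers` object from `fetch` or a plain object keyed by lowercase header name.

```javascript
// Added example (not the post's code): presence score plus value-level checks.
// The header list is the 10 from the post; the value rules below are assumptions.
const SECURITY_HEADERS = [
  "strict-transport-security", "content-security-policy", "x-content-type-options",
  "x-frame-options", "x-xss-protection", "referrer-policy", "permissions-policy",
  "cross-origin-opener-policy", "cross-origin-resource-policy", "cross-origin-embedder-policy",
];

// Each check returns a reason string when the value is weak, or null when it is acceptable.
const VALUE_CHECKS = {
  "strict-transport-security": v => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return "missing max-age";
    if (Number(m[1]) < 31536000) return "max-age shorter than one year"; // assumed threshold
    return null;
  },
  "content-security-policy": v =>
    /'unsafe-inline'|'unsafe-eval'/i.test(v) ? "allows unsafe-inline or unsafe-eval" : null,
  "x-content-type-options": v =>
    v.trim().toLowerCase() === "nosniff" ? null : "value is not nosniff",
  "x-frame-options": v =>
    /^(deny|sameorigin)$/i.test(v.trim()) ? null : "value is not DENY or SAMEORIGIN",
};

// headers: a fetch Headers object (has .get) or a plain object keyed by lowercase name.
function analyze(headers) {
  const get = typeof headers.get === "function" ? n => headers.get(n) : n => headers[n] ?? null;
  const missing = [];
  const weak = [];
  for (const name of SECURITY_HEADERS) {
    const value = get(name);
    if (value === null || value === undefined) { missing.push(name); continue; }
    const check = VALUE_CHECKS[name];
    const reason = check ? check(String(value)) : null;
    if (reason) weak.push({ name, reason });
  }
  const presentCount = SECURITY_HEADERS.length - missing.length;
  return { score: Math.round(presentCount / SECURITY_HEADERS.length * 100), missing, weak };
}

// Live check against a URL (Node.js 18+ global fetch). Note that some servers answer
// HEAD with a different header set than GET, so compare both if a result looks odd.
async function checkUrl(url, method = "HEAD") {
  const response = await fetch(url, { method });
  return analyze(response.headers);
}

// Constructed sample (not a real site): 4 of 10 headers present, two of them with weak values.
const SAMPLE_HEADERS = {
  "strict-transport-security": "max-age=300",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
};

console.log(JSON.stringify(analyze(SAMPLE_HEADERS), null, 2));
```

On the constructed sample the presence score is 40%, but the report also lists the short HSTS max-age and the `'unsafe-inline'` in the CSP, which is the information you actually need to fix the site. Keep the presence score as the headline number and the `weak` list as the work queue.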
Real World Scores
- Stripe.com: 60% (6/10 headers)
- Google.com: 70% (7/10)
- GitHub.com: 80% (8/10)
I built an HTTP Headers Checker on Apify — search knotless_cadence http-headers.