Security Scanner
Complete web security analysis: DNS, SSL, headers, cookies and more
Frequently Asked Questions
What is HSTS (Strict-Transport-Security)?
HSTS forces browsers to access the site only via HTTPS, protecting against man-in-the-middle attacks. When the browser accesses the site for the first time, it receives this header and remembers to always use HTTPS on future visits. Recommended configuration: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Parameters: max-age sets the time in seconds (31536000 = 1 year), includeSubDomains applies the policy to all subdomains, and preload marks the site as a candidate for Chrome's HSTS preload list.
What is CSP (Content-Security-Policy)?
CSP defines where the site can load resources from (scripts, images, styles, etc.), preventing XSS (Cross-Site Scripting) attacks. Even if an attacker injects malicious code into your site, CSP prevents it from executing by blocking unauthorized resources. Main directives: default-src (fallback for all other fetch directives), script-src (where JavaScript can be loaded from), style-src (CSS), img-src (images) and connect-src (which URLs can be requested via fetch/XHR).
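The fallback rule above is the part of CSP that is easiest to get wrong, so here is an added example (not the scanner's own code) that parses a policy, resolves which source list governs each resource type via default-src, and decides whether a given origin is allowed; the sample policies and origins are constructed, and keyword sources such as 'unsafe-inline', nonces and hashes are deliberately not modelled.

```javascript
// Added example (not the scanner's code): parse a CSP, resolve which source list
// governs a resource type under the default-src fallback, and test an origin against it.
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'media-src', 'frame-src'];
const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// "default-src 'self'; script-src 'self' https://cdn.example" -> Map(name -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// A fetch directive that is not set falls back to default-src; with neither, nothing is restricted.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FETCH_DIRECTIVES.includes(directive) && directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does the policy let a page at pageOrigin load `url` under `directive`?
// Models 'none', 'self', '*', scheme sources (data:), host sources with *.host wildcards and ports.
// Keyword sources such as 'unsafe-inline', nonces and hashes are not modelled here.
function allows(directives, directive, url, pageOrigin) {
  const sources = effectiveSources(directives, directive);
  if (sources === null) return true;
  const target = new URL(url);
  const page = new URL(pageOrigin);
  for (const raw of sources) {
    const s = raw.toLowerCase().replace(/^'|'$/g, '');
    if (s === 'none') return false;
    if (s === '*') return true;
    if (s === 'self') { if (target.origin === page.origin) return true; continue; }
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) { if (target.protocol === s) return true; continue; }
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/);
    if (!m) continue;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && target.protocol !== scheme + ':') continue;
    if (wildcard ? !target.hostname.endsWith('.' + host) : target.hostname !== host) continue;
    const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
    if (port && port !== '*' && port !== targetPort) continue;
    return true;
  }
  return false;
}
```

With default-src 'self' and a CDN listed only under script-src, an image fetched from that same CDN is blocked, because img-src falls back to default-src independently of script-src.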
What is X-Content-Type-Options?
X-Content-Type-Options prevents browsers from 'guessing' the MIME type of files, blocking MIME sniffing attacks. Browsers try to detect the real type of a file even if the server sends the wrong Content-Type, which can let malicious JavaScript disguised as an image execute. Configuration: X-Content-Type-Options: nosniff. With this, the browser respects exactly the Content-Type sent by the server.
What is X-Frame-Options?
X-Frame-Options protects against clickjacking by controlling whether the site can be displayed inside iframes. A malicious site can load your site in an invisible iframe and trick the user into clicking sensitive buttons. Possible values: DENY (can never be displayed in an iframe, most secure), SAMEORIGIN (only iframes from the same origin) and ALLOW-FROM (specific domains, obsolete). Recommendation: X-Frame-Options: DENY.
What is X-XSS-Protection?
X-XSS-Protection is a legacy header that enables the XSS filter in old browsers (IE, old Chrome, Safari). It is now obsolete: modern browsers removed this feature. Recommended configuration: X-XSS-Protection: 0. Why disable it? Bugs in the XSS filter can create new vulnerabilities. Use CSP instead.
What is Referrer-Policy?
Referrer-Policy controls how much origin information is sent when navigating to other sites, protecting user privacy. Common values: no-referrer (never sends origin information), strict-origin-when-cross-origin (only the origin on cross-site navigation, recommended), same-origin (only sends to pages from the same origin) and no-referrer-when-downgrade (does not send on HTTPS → HTTP downgrades). Example: Referrer-Policy: strict-origin-when-cross-origin.
What is Permissions-Policy?
Permissions-Policy controls which sensitive features (camera, microphone, geolocation, etc.) the site and its iframes can use. It prevents malicious scripts or iframes from accessing sensitive features without explicit permission. Controllable features include camera, microphone, geolocation (GPS location), payment (Payment API) and usb (USB access). Example: Permissions-Policy: camera=(), microphone=(), geolocation=(self).
What are COOP, CORP and COEP?
COOP, CORP and COEP are cross-origin isolation headers that increase security by preventing timing-based attacks and memory sharing. COOP (Cross-Origin-Opener-Policy) isolates windows opened with window.open() from different origins, preventing JavaScript access. CORP (Cross-Origin-Resource-Policy) controls which sites can load resources from your server. COEP (Cross-Origin-Embedder-Policy) ensures all external resources have explicit CORS permission. Warning: these headers can break functionality that depends on cross-origin resources — test before applying in production.
Why does my site have a low score?
The score is calculated based on present security headers. Each missing header reduces the score. Implementation priority: 1) HSTS — Critical (forces HTTPS), 2) CSP — Critical (prevents XSS), 3) X-Frame-Options — High (prevents clickjacking), 4) X-Content-Type-Options — High (prevents MIME sniffing), 5) Referrer-Policy — Medium (privacy), 6) Permissions-Policy — Medium (resource control), 7) COOP/CORP/COEP — Low (advanced isolation). Start implementing the first 4 — this already gives a B+ grade in most cases.
How to implement these headers?
On Nginx, add the security headers to the site configuration file (/etc/nginx/sites-available/your-site) using the add_header directive with the always flag: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Then run sudo nginx -t and sudo systemctl reload nginx. On Next.js, add them to the next.config.js file using the async headers() function, returning the headers for the source '/:path*'.
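As an added example (not the scanner's own code), the header set this FAQ recommends in the { key, value } shape that the Next.js headers() function described above returns, together with an audit() that applies the checks and priorities from the scoring answer to a captured response; the sample CSP value is an assumption to be tuned per site, and the pass/weak/missing categories do not reproduce the scanner's actual score formula.

```javascript
// Added example (not the scanner's own code): the header set this FAQ recommends,
// in the { key, value } shape Next.js expects from headers() in next.config.js,
// plus audit(), which applies the FAQ's checks and priorities to a captured response.
const securityHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
  // Assumed starting policy: extend script-src/img-src/connect-src for the real site.
  { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self'; img-src 'self' data:; connect-src 'self'" },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-XSS-Protection', value: '0' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self)' },
];

// What next.config.js exports as `headers`: one rule applying the set to every path.
async function headers() {
  return [{ source: '/:path*', headers: securityHeaders }];
}

// [lower-cased header name, priority from the FAQ, validator for the value].
const ONE_YEAR = 31536000;
const CHECKS = [
  ['strict-transport-security', 'Critical', v => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= ONE_YEAR;
  }],
  ['content-security-policy', 'Critical', v => /\b(default-src|script-src)\b/i.test(v)],
  ['x-frame-options', 'High', v => /^(DENY|SAMEORIGIN)$/i.test(v.trim())],
  ['x-content-type-options', 'High', v => v.trim().toLowerCase() === 'nosniff'],
  ['referrer-policy', 'Medium', v => v.trim() !== ''],
  ['permissions-policy', 'Medium', v => v.trim() !== ''],
];

// headerMap: Map of lower-cased header name -> value, as read from an HTTP response.
// Returns the headers that are absent, those present but below the FAQ's recommendation,
// and an overall pass flag; the scanner's actual score formula is not reproduced here.
function audit(headerMap) {
  const missing = [], weak = [];
  for (const [name, priority, ok] of CHECKS) {
    const v = headerMap.get(name);
    if (v === undefined) missing.push(`${name} (${priority})`);
    else if (!ok(v)) weak.push(`${name} (${priority})`);
  }
  // The FAQ says to disable the legacy XSS filter: anything other than "0" is flagged.
  const xss = headerMap.get('x-xss-protection');
  if (xss !== undefined && xss.trim() !== '0') weak.push('x-xss-protection (legacy, set to 0)');
  return { missing, weak, pass: missing.length === 0 && weak.length === 0 };
}
```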
What is a valid SSL certificate?
A valid SSL certificate ensures that communication between browser and server is encrypted and authentic. Requirements: issued by a trusted certificate authority (Let's Encrypt, DigiCert, etc.), not expired (renew 30 days before expiry), matches the site domain, and uses TLS 1.2 or higher (TLS 1.0/1.1 are insecure). Free certificate: use Let's Encrypt with Certbot for automatic renewal.
Does my site redirect HTTP to HTTPS?
HTTP → HTTPS redirect is essential to ensure users always use a secure connection, even when typing http://. On Nginx, configure a server block on port 80 with return 301 https://$server_name$request_uri. On Apache, use RewriteEngine On, RewriteCond %{HTTPS} off and a RewriteRule that redirects all URLs to HTTPS.
