WQI.webqualityindex
Method v1.1.0 85 live / 86 total factors methodology


Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options)

live factor #4 · Security & Infrastructure · scoring impl: implemented · weight 5.3%

What we measure

Modern browsers honor a small set of HTTP headers that protect your visitors from clickjacking, script injection, and content-sniffing attacks. Most modern sites set them. If you don't, browsers fall back to weaker defaults.

How to improve your score

Set the headers via your web server config or CDN. Goal headers:

- `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
- `Content-Security-Policy: default-src 'self'` (tighten as needed)
- `X-Frame-Options: SAMEORIGIN`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: ...`
- `X-Content-Type-Options: nosniff`
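To verify a deployment against the six goal headers above, the following added example (not WQI's own scoring code) audits a response's headers and reports each as `ok`, `weak` or `missing`. The function names, the `ok`/`weak`/`missing` labels and the per-header thresholds are assumptions of this example, and the sample headers are constructed.

```python
import re

ONE_YEAR = 31536000  # max-age from the goal HSTS header
def check_hsts(v):
    m = re.search(r"max-age\s*=\s*(\d+)", v, re.I)
    flags = {d.strip().lower() for d in v.split(";")}
    # max-age=0 clears the policy, so a bare max-age match is not enough
    return bool(m) and int(m.group(1)) >= ONE_YEAR and "includesubdomains" in flags

def check_csp(v):
    policy = {}
    for directive in v.split(";"):
        name, *sources = directive.split() or [""]
        policy.setdefault(name.lower(), [s.lower() for s in sources])  # first wins
    src = policy.get("script-src", policy.get("default-src"))
    if src is None or "*" in src:
        return False
    # 'unsafe-inline' is ignored by browsers when a nonce or hash is also listed
    guarded = any(s.startswith(("'nonce-", "'sha")) for s in src)
    return "'unsafe-inline'" not in src or guarded

def check_referrer(v):
    last = v.split(",")[-1].strip().lower()  # later entries override earlier ones
    return last in {"no-referrer", "same-origin", "strict-origin",
                    "strict-origin-when-cross-origin"}

CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": check_referrer,
    "permissions-policy": lambda v: bool(v.strip()),  # page gives no goal value
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}

def audit(headers):
    # Returns {header: "ok" | "weak" | "missing"}; names match case-insensitively
    seen = {k.lower(): v for k, v in headers.items()}
    return {name: "missing" if name not in seen
            else "ok" if check(seen[name]) else "weak"
            for name, check in CHECKS.items()}

# Constructed sample response headers, not measured from any real site
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
    "x-content-type-options": "nosniff",
}
```

Calling `audit(SAMPLE)` flags the short HSTS lifetime and the unguarded `'unsafe-inline'` as `weak`, and the absent `X-Frame-Options` and `Permissions-Policy` as `missing`.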

Data source

Data source for this factor is not yet documented.

Scoring

Scoring formulas are versioned with the methodology. The current method (v1.1.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.

Version history

| Version | Change | Date |
|---|---|---|
| v1.1.0 | Factor introduced. Status: live. Scoring impl: implemented. | 2026-04-25 |
