Security
HTTP security response headers validation
How it Works
The security pillar fetches your URL and inspects the HTTP response headers for a set of essential security headers. Each header that is missing is reported as a violation with the severity listed below. Presence is the minimum bar, not proof of a safe configuration: a header that is present but permissively set (for example a Content-Security-Policy that allows `'unsafe-inline'` scripts, or a Strict-Transport-Security with a very short `max-age`) still leaves the page exposed, so review the values as well as the check result.
Headers Checked
| Header | Severity | Purpose |
|---|---|---|
| Content-Security-Policy | serious | Restricts the origins scripts, styles and other resources may load from, mitigating XSS and other injection attacks |
| Strict-Transport-Security | serious | Tells browsers to use HTTPS only for future requests to the host (only honoured when received over HTTPS) |
| X-Frame-Options | moderate | Prevents the page from being framed by other sites (clickjacking); CSP `frame-ancestors` takes precedence when both are present |
| Referrer-Policy | moderate | Controls how much of the page URL is sent in the `Referer` header to other origins |
| Permissions-Policy | moderate | Restricts which browser features (camera, microphone, geolocation) the page and its iframes may use |
Configuration
```json
{ "security": { "minScore": 80, "ignoreSeverities": ["moderate"] } }
```
The security pillar uses Node.js `fetch()` directly, not Puppeteer. It follows redirects automatically, so the headers it inspects are those of the final response in the redirect chain, not of any intermediate 3xx response (an `http://` to `https://` redirect is therefore not itself examined).
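The following is an added example, not the project's own code: a minimal presence check for the five headers in the table, driven by a config object of the shape shown above, plus a `fetch()`-based wrapper that mirrors the redirect-following behaviour described. It assumes, since the page does not say, that `minScore` is the pass threshold, that `ignoreSeverities` suppresses violations of the listed severities, and that scoring subtracts a fixed penalty per missing header from 100; the penalty values and the `auditUrl` helper are illustrative and not the pillar's own.

```javascript
// Added example (not the project's code). Presence check for the five headers
// listed on the page, driven by a config of the form
// { minScore: 80, ignoreSeverities: ['moderate'] }.
// Assumptions not taken from the page: minScore is the pass threshold,
// ignoreSeverities suppresses violations of those severities, and each
// missing header costs the fixed penalty below out of 100.

const REQUIRED_HEADERS = [
  { name: 'content-security-policy', severity: 'serious' },
  { name: 'strict-transport-security', severity: 'serious' },
  { name: 'x-frame-options', severity: 'moderate' },
  { name: 'referrer-policy', severity: 'moderate' },
  { name: 'permissions-policy', severity: 'moderate' },
];

// Assumed point penalties per missing header (illustrative only).
const PENALTY = { serious: 20, moderate: 10 };

// headers: a Fetch API Headers object (what fetch() returns as res.headers).
// Headers.has() matches names case-insensitively, so lowercase names suffice.
function checkSecurityHeaders(headers, config = {}) {
  const { minScore = 80, ignoreSeverities = [] } = config;
  const violations = [];
  for (const { name, severity } of REQUIRED_HEADERS) {
    if (ignoreSeverities.includes(severity)) continue;
    if (!headers.has(name)) {
      violations.push({ header: name, severity, message: `Missing ${name} header` });
    }
  }
  const penalty = violations.reduce((sum, v) => sum + PENALTY[v.severity], 0);
  const score = Math.max(0, 100 - penalty);
  return { score, passed: score >= minScore, violations };
}

// Live check with Node's built-in fetch (Node 18+). Like the pillar, this follows
// redirects, so res.headers belongs to the final response, not to any 3xx hop.
async function auditUrl(url, config) {
  const res = await fetch(url, { redirect: 'follow' });
  return { url: res.url, status: res.status, ...checkSecurityHeaders(res.headers, config) };
}

// Constructed sample responses so the example runs offline.
const HARDENED = new Headers({
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
});
const BARE = new Headers({ 'Content-Type': 'text/html' });

// Hardened response: score 100, passed true, no violations.
console.log(checkSecurityHeaders(HARDENED, { minScore: 80 }));
// Bare response with moderates ignored: only the two serious headers are
// reported, score 60, passed false.
console.log(checkSecurityHeaders(BARE, { minScore: 80, ignoreSeverities: ['moderate'] }));
```

To run it against a real site, call `auditUrl('https://example.com', { minScore: 80 })` and inspect the returned `url` field: because redirects are followed, it tells you which response the headers actually came from.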