Security Analysis

Security analysis evaluates the security of your website primarily by analyzing HTTP headers and TLS/SSL configurations. It identifies potential vulnerabilities and provides recommendations for enhancing site security.

The analyzer provides a detailed table showing security header status across your website:

Security
--------
Header | OK | Notice | Warning | Critical | Recommendation
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Strict-Transport-Security | 45 | 0 | 0 | 3 | Strict-Transport-Security header is not set. It enforces secure connections and protects against MITM attacks.
X-XSS-Protection | 45 | 0 | 0 | 3 | X-XSS-Protection header is not set. It enables browser's built-in defenses against XSS attacks.
X-Frame-Options | 0 | 45 | 3 | 0 | X-Frame-Options header is set to SAMEORIGIN which allows this origin to embed the resource in a frame.
X-Content-Type-Options | 45 | 0 | 3 | 0 | X-Content-Type-Options header is not set. It stops MIME type sniffing and mitigates content type attacks.
Referrer-Policy | 45 | 0 | 3 | 0 | Referrer-Policy header is not set. It controls referrer header sharing and enhances privacy and security.
Content-Security-Policy | 48 | 0 | 0 | 0 |
Feature-Policy | 48 | 0 | 0 | 0 |
Permissions-Policy | 48 | 0 | 0 | 0 |
Server | 48 | 0 | 0 | 0 | Server header is not set or empty. This is recommended.

The table provides:

  • Status counts for each security header (OK, Notice, Warning, Critical)
  • Specific recommendations for addressing identified issues
  • Clear indication of which headers need immediate attention

For HTTP headers, each header listed below is checked for presence (or, where appropriate, absence) and for safe values. These checks cover the essential security headers that protect against XSS, clickjacking and other attacks; missing or misconfigured headers are flagged together with a recommendation for improvement.

  • Access-Control-Allow-Origin
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
  • Content-Security-Policy
  • Feature-Policy
  • Permissions-Policy
  • Server
  • X-Powered-By
  • Set-Cookie

The Content-Security-Policy header is not only checked for presence — it is parsed and evaluated per directive. Individual directives (for example script-src, style-src, default-src, object-src, frame-ancestors, base-uri) are inspected for unsafe values such as unsafe-inline, unsafe-eval, overly broad wildcards (*), or insecure http: sources, so a policy that exists but is effectively permissive is still flagged.

Cross-origin isolation headers (COOP/COEP/CORP)

The analyzer also evaluates the cross-origin isolation headers that protect against cross-origin information leaks and side-channel attacks:

  • Cross-Origin-Opener-Policy (COOP)
  • Cross-Origin-Embedder-Policy (COEP)
  • Cross-Origin-Resource-Policy (CORP)

Every Set-Cookie header on a response is evaluated (not just the first one). Each cookie is checked for the HttpOnly, Secure, and SameSite attributes to prevent common web vulnerabilities such as session theft and CSRF.
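As an added example of the two checks just described (per-directive CSP evaluation and per-cookie attribute checks), this Python sketch is not the crawler's own code; the header list, unsafe-source list and sample response headers are constructed for the demonstration, and it reports findings without reproducing the OK/Notice/Warning/Critical severity classes of the table above.

```python
from collections import defaultdict

# Headers the analyzer expects to be present (subset of the list above).
REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options",
            "referrer-policy", "content-security-policy", "permissions-policy")
CSP_DIRECTIVES = ("default-src", "script-src", "style-src", "object-src",
                  "frame-ancestors", "base-uri")

def csp_findings(policy):
    """Parse a CSP per directive; return sorted 'directive: source' for unsafe sources."""
    findings = []
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if len(parts) < 2 or parts[0].lower() not in CSP_DIRECTIVES:
            continue
        for src in parts[1:]:
            s = src.lower()  # unsafe-inline/unsafe-eval, wildcard, or any http: source
            if s in ("'unsafe-inline'", "'unsafe-eval'", "*") or s.startswith("http:"):
                findings.append(f"{parts[0].lower()}: {src}")
    return sorted(findings)

def cookie_findings(set_cookie):
    """Return the attributes among HttpOnly, Secure, SameSite missing from one cookie."""
    attrs = {a.split("=", 1)[0].strip().lower() for a in set_cookie.split(";")[1:]}
    return [a for a in ("HttpOnly", "Secure", "SameSite") if a.lower() not in attrs]

def analyze(headers):
    """headers: (name, value) pairs so every Set-Cookie is kept; returns {header: [finding]}."""
    report = defaultdict(list)
    present = {name.lower(): value for name, value in headers}
    for name in REQUIRED:
        if name not in present:
            report[name].append("header is not set")
    csp = csp_findings(present.get("content-security-policy", ""))
    if csp:  # policy exists but is effectively permissive
        report["content-security-policy"] = csp
    for name, value in headers:
        if name.lower() == "set-cookie" and cookie_findings(value):
            cookie = value.split("=", 1)[0].strip()
            report["set-cookie"].append(f"{cookie}: missing {', '.join(cookie_findings(value))}")
    return dict(report)

# Constructed sample response: CSP present but permissive, second cookie unprotected.
SAMPLE_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'unsafe-inline' http://cdn.example; object-src 'none'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
```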

Broader mixed-content detection looks for insecure http:// resources referenced from pages served over https:// — including forms posted over http://, <iframe> content loaded over http://, and other insecure sub-resources that browsers may block or downgrade.

SSL/TLS configuration is now analyzed by a pure-Rust implementation (no external OpenSSL/s_client dependency). It reviews supported protocols, certificate validity and the certificate chain, recommending webserver updates if outdated or insecure protocols are supported. See the dedicated SSL/TLS Analysis page for the full breakdown.

All of the above feeds the Security category of the overall Website Quality Score, which combines SSL/TLS, security headers and unsafe-protocol findings into a single 0.0–10.0 score (and can be enforced in CI via --ci-min-security).

This analysis helps in securing your website by identifying critical areas where security configurations can be improved.

If you have ideas on how to improve the security analysis based on the data available to the crawler, don't hesitate to send a feature request (for the desktop application or the command-line interface) with your suggestion. We are happy to consider and implement it if it will benefit more users.