Workspace

Response Inspector

Fetch runs through a server-side proxy that reads only the response headers and the certificate, and refuses private, local and internal targets. You can also paste headers below instead.

D60 / 1007 header lines, 1 cookie, 5 of 7 checks passing
Content-Security-Policyfail

Content-Security-Policy is present but no default-src to catch resource types you did not name; script-src allows 'unsafe-inline'; no frame-ancestors to stop the page being framed.

script-src 'self' 'unsafe-inline'; style-src 'self'
Strict-Transport-Securitypass

max-age is 31536000 with includeSubDomains, meeting the baseline.

max-age=31536000; includeSubDomains
X-Content-Type-Optionspass

Set to nosniff, so the browser will not MIME-sniff the response.

nosniff
X-Frame-Optionspass

Set to SAMEORIGIN, so framing by other origins is blocked.

SAMEORIGIN
Referrer-Policypass

Set to strict-origin-when-cross-origin, which limits what the browser sends in the Referer header.

strict-origin-when-cross-origin
Permissions-Policypass

Present, so the listed browser features are restricted for this response.

camera=(), microphone=()
Set-Cookie (sessionid)fail

Cookie sessionid has no HttpOnly flag, so script can read it and an XSS can steal it.

sessionid=8f3b2a; Secure; SameSite=Lax; Path=/; Max-Age=3600
  1. 1

    Change Content-Security-Policy

    Add default-src to the policy, for example: Content-Security-Policy: default-src 'self'
  2. 2

    Change Content-Security-Policy

    Remove 'unsafe-inline' from script-src and use a nonce or hash, for example script-src 'nonce-<random>'
  3. 3

    Change Content-Security-Policy

    Add frame-ancestors 'none' to stop clickjacking through framing
  4. 4

    Change Set-Cookie (sessionid)

    Set-Cookie: sessionid=8f3b2a; Secure; SameSite=Lax; Path=/; Max-Age=3600; HttpOnly