Fetch runs through a server-side proxy that reads only the response headers and the certificate, and refuses private, local and internal targets. You can also paste headers below instead.
Per-header breakdown
Content-Security-Policy is present but no default-src to catch resource types you did not name; script-src allows 'unsafe-inline'; no frame-ancestors to stop the page being framed.
max-age is 31536000 with includeSubDomains, meeting the baseline.
Set to nosniff, so the browser will not MIME-sniff the response.
Set to SAMEORIGIN, so framing by other origins is blocked.
Set to strict-origin-when-cross-origin, which limits what the browser sends in the Referer header.
Present, so the listed browser features are restricted for this response.
Cookie sessionid has no HttpOnly flag, so script can read it and an XSS can steal it.
Fixes, worst first
- 1
Change Content-Security-Policy
Add default-src to the policy, for example: Content-Security-Policy: default-src 'self' - 2
Change Content-Security-Policy
Remove 'unsafe-inline' from script-src and use a nonce or hash, for example script-src 'nonce-<random>' - 3
Change Content-Security-Policy
Add frame-ancestors 'none' to stop clickjacking through framing - 4
Change Set-Cookie (sessionid)
Set-Cookie: sessionid=8f3b2a; Secure; SameSite=Lax; Path=/; Max-Age=3600; HttpOnly