
Security Headers Report Sample

api.example.com · March 2025 · Sample report

This sample report shows a CodeAva HTTP security header analysis for a public API endpoint. Four critical headers are entirely absent — HSTS, CSP, X-Frame-Options, and Referrer-Policy — leaving the site exposed to protocol downgrade, XSS, clickjacking, and referrer leakage attacks. Two warnings and four passing checks were also recorded.

Overall score: 40 / 100
Critical issues: 4
Warnings: 2
Passed checks: 4
Total checks: 10

Strict-Transport-Security (HSTS) missing

critical

HSTS instructs browsers to only access the site over HTTPS for a set period. Without it, users are vulnerable to SSL stripping attacks on first visit and protocol downgrade attacks.

Expected header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Current response: header not present

Content-Security-Policy (CSP) missing

critical

A CSP header defines which sources the browser is permitted to load for scripts, styles, images, and other resources. Its absence leaves the site fully open to cross-site scripting (XSS) attacks.

Expected header: Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-...';
Current response: header not present
Risk: High — no browser-enforced XSS mitigation in the HTTP response

X-Frame-Options missing

critical

Without X-Frame-Options or a CSP frame-ancestors directive, this page can be embedded in an iframe by any third-party site, enabling clickjacking attacks.

Expected header: X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'none'
Current response: header not present

Referrer-Policy missing

critical

No Referrer-Policy is set. By default, browsers may send the full URL (including path and query string) in the Referer header to third-party sites, leaking sensitive URL parameters.

Expected header: Referrer-Policy: strict-origin-when-cross-origin
Current response: header not present

Server header exposes software version

warning

The Server response header reveals the web server software and version. This information aids fingerprinting and targeted exploit searches.

Current: Server: nginx/1.24.0
Recommended: Server: nginx (or suppress the header entirely)

Permissions-Policy not set

warning

No Permissions-Policy header is set. This header controls which browser features (camera, microphone, geolocation) the page and its embedded frames may use. While not critical, setting it reduces the attack surface.

Recommended: Permissions-Policy: camera=(), microphone=(), geolocation=()
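As an added example (not CodeAva's own code), the following Python function grades a dict of response headers into the same three buckets the findings above use. The two header sets are constructed to mirror the report and its hardened counterpart, and the check thresholds (a one-year HSTS max-age, a version digit after the Server product token, CSP frame-ancestors accepted in place of X-Frame-Options) are assumptions derived from the expected values listed in the findings.

```python
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age the report recommends


def audit_headers(headers):
    """Grade a response-header dict into critical / warning / passed lists."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    result = {"critical": [], "warning": [], "passed": []}

    def grade(name, ok, severity, message):
        (result["passed"] if ok else result[severity]).append(name if ok else message)

    # HSTS must be present with a max-age of at least one year (assumed threshold)
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    grade("Strict-Transport-Security", bool(m) and int(m.group(1)) >= ONE_YEAR,
          "critical", "Strict-Transport-Security (HSTS) missing or max-age below one year")

    csp = h.get("content-security-policy", "")
    grade("Content-Security-Policy", bool(csp),
          "critical", "Content-Security-Policy (CSP) missing")

    # Either X-Frame-Options or a CSP frame-ancestors directive blocks framing
    grade("X-Frame-Options", bool(h.get("x-frame-options")) or "frame-ancestors" in csp,
          "critical", "X-Frame-Options missing")

    grade("Referrer-Policy", bool(h.get("referrer-policy")),
          "critical", "Referrer-Policy missing")

    # A version after the product token (e.g. nginx/1.24.0) aids fingerprinting
    grade("Server", not re.search(r"/\d", h.get("server", "")),
          "warning", "Server header exposes software version")

    grade("Permissions-Policy", bool(h.get("permissions-policy")),
          "warning", "Permissions-Policy not set")
    return result


# Constructed response headers mirroring the report above (not a real capture)
REPORT_HEADERS = {"Server": "nginx/1.24.0", "Content-Type": "application/json"}

# The same endpoint after the recommended fixes (constructed); framing is blocked
# via CSP frame-ancestors rather than X-Frame-Options to show the alternative
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("report", REPORT_HEADERS), ("hardened", HARDENED_HEADERS)):
        r = audit_headers(hdrs)
        print(f"{label}: {len(r['critical'])} critical, {len(r['warning'])} warnings, "
              f"{len(r['passed'])} passed")
```

The constructed report headers reproduce the four critical and two warning findings above; the hardened set clears all six checks.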

Recommended fixes

1. Add Strict-Transport-Security (Low effort)

Add the HSTS header with a 1-year max-age, includeSubDomains, and preload. Submit to the HSTS preload list once confirmed working.

2. Add X-Frame-Options: DENY (Low effort)

A single response header addition eliminates clickjacking risk. Can also be set via CSP frame-ancestors once CSP is implemented.

3. Add Referrer-Policy header (Low effort)

Set to strict-origin-when-cross-origin to limit referrer leakage while maintaining analytics functionality for same-origin navigation.

4. Implement a Content Security Policy (High effort)

Start with a report-only CSP to audit violations before enforcing. Use nonces for inline scripts and restrict script-src to known origins.

5. Suppress or genericise the Server header (Low effort)

Configure nginx to either remove the Server header or set it to a generic value, reducing fingerprinting surface.
