Missing Security Header - X-Frame-Options (XFO)
The X-Frame-Options (XFO) header provides protection against clickjacking attacks.
Missing Security Header - Content-Security-Policy (CSP)
Content Security Policy (CSP) is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). No CSP header was found.
Use Strict
Strict Mode allows you to place a program, or a function, in a "strict" operating context. This strict context prevents certain actions from being taken and throws more exceptions.
Missing Security Header - Strict-Transport-Security (HSTS)
The Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
Missing 'httpOnly' in Cookie
JavaScript can access cookies that are not marked httpOnly.
Information Disclosure - X-Powered-By
Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options
The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content type.
Missing Security Header - X-Download-Options: noopen
The X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection:1
The X-XSS-Protection header set to 1 enables the cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP)
Public-Key-Pins (HPKP) ensures that the certificate is pinned.