Guides on security headers, TLS configuration, Content Security Policy, and more.
Controls which resources can be loaded and executed on your website.
Content-Security-Policy: default-src 'self'; scrip...Forces browsers to use HTTPS connections only, preventing downgrade attacks.
Strict-Transport-Security: max-age=31536000; inclu...Controls whether your website can be embedded in frames or iframes.
X-Frame-Options: SAMEORIGINPrevents browsers from MIME-sniffing content types.
X-Content-Type-Options: nosniffControls how much referrer information is sent with requests.
Referrer-Policy: strict-origin-when-cross-originControls which browser features and APIs can be used.
Permissions-Policy: geolocation=(), camera=(), mic...Prevents cross-origin data leakage and enables advanced web features.
Cross-Origin-Embedder-Policy: require-corpPrevents cross-origin window manipulation and popup attacks.
Cross-Origin-Opener-Policy: same-originControls which origins can load your website's resources.
Cross-Origin-Resource-Policy: same-originConfigures per-document behaviours like disabling document.write. Chromium only.
Document-Policy: document-write=?0Requires Subresource Integrity so scripts without a valid hash are blocked.
Integrity-Policy: blocked-destinations=(script), e...Controls cross-domain policy file access for legacy plugins.
X-Permitted-Cross-Domain-Policies: nonePrevents Internet Explorer from automatically downloading files.
X-Download-Options: noopenControls DNS prefetching behavior in browsers.
X-DNS-Prefetch-Control: offControls whether the page runs in its own origin agent cluster.
Origin-Agent-Cluster: ?1Clears browser data for your website when specified.
Clear-Site-Data: "cache", "cookies", "storage"Upgrades HTTP requests to HTTPS automatically.
Upgrade-Insecure-Requests: 1Securing cookies with HttpOnly, Secure, and SameSite attributes.
Set-Cookie: sessionId=abc123; HttpOnly; Secure; Sa...Cross-Origin policies, information disclosure prevention, and best practices.
Certificate validation, cipher suites, forward secrecy, and testing methods.
Directive parsing, common issues, auditing techniques, and recommendations.
How COEP, COOP, and CORP protect against Spectre and enable powerful APIs.
Prevent HTTP headers from revealing server details to attackers.
TLS 1.2 and 1.3 handshakes, cipher negotiation, and forward secrecy.
Find and fix HTTP resources on HTTPS pages to maintain security.
SPF, DMARC, DKIM for email auth, CAA records, and DNSSEC validation.
RFC 9116 fields, deployment steps, and vulnerability disclosure setup.
Nonces, strict-dynamic, CSS-in-JS, and common pitfalls for React apps.
Configure report-uri and report-to, filter extension noise, and monitor CSP violations in production.
Deploy CSP on WordPress with plugins, themes, and WooCommerce support.
Allowlist reference for Google Analytics, Stripe, PayPal, HubSpot, and more.
How HSTS prevents SSL stripping, 307 internal redirects, and preload lists.
Replace unsafe-inline with nonces, hashes, and strict-dynamic for real XSS protection.
HttpOnly, Secure, SameSite explained with session hijacking and CSRF prevention.
What security headers are, why they matter, and the fastest way to check any site.
Five common reasons headers go missing or stay ineffective, and how to diagnose each one.
Headers vanish after deploys. Certs expire. Why a one-time scan is not enough and what monitoring catches.
Set up daily automated scans, understand change detection, and read your email digest.
What your security headers score means, which factors affect it, and how to improve it.
Complete reference with copy-paste configurations for Apache, Nginx, and Node.js.
Side by side comparison of free security header scanners for 2026.
How SiteSecurityScore compares to ImmuniWeb for security header analysis, free scan limits, and API access.
Unlimited free header analysis vs a pentest platform with a 2 scan per day free tier. Side by side comparison.
Every comparison in one place. How SiteSecurityScore lines up against header checkers, TLS scanners, DAST tools, and pentest platforms.
Free instant configuration layer scan with no account, next to Barrion's paid platform with AI pentesting and GitHub code scanning.
Scan a live page for front end libraries running versions with known CVEs, with the version and advisory for each.
Instant zero setup posture scan next to ZAP's local DAST proxy. When to use each.
Automated header and config audit next to the manual pentester's proxy toolkit.
Free posture first pass next to Acunetix's paid DAST and IAST application testing.
No license header and TLS scan next to enterprise proof based DAST.
Fast config read without a sales call, next to a full attack surface management platform.
Free header and CSP scan with fix generators next to Probely's paid DAST for apps and APIs.
Free API friendly posture scan next to StackHawk's developer first pipeline DAST.
Free config monitoring next to Intruder's paid infrastructure and web vulnerability scanning.
Web application header and config layer next to Nessus network and host vulnerability scanning.
Free header focused scan with fix generators next to multi engine hosted vulnerability scanning.
Why a single scan goes stale fast, and what scheduled re-scans with alerts actually catch.
Where a human audit wins, where automation wins, and how to combine them without overspending.
How continuous scanning covers the long blind window between yearly penetration tests.
Defense in depth explained. Six concentric rings from session identity to monitoring, and what breaks when each one fails.
Seven layers every site owner should verify, from TLS and headers to cookies and DNS.
Implement security headers, harden TLS, deploy a WAF, lock down cookies, and set up monitoring.
How HTTP hops expose cookies, enable SSL stripping, and block HSTS preload eligibility.
Protect your site from compromised CDNs by verifying external scripts and stylesheets with integrity hashes.
HTTPS encrypts the connection. HSTS makes sure the browser never skips it. Why you need both.
AI tools like Cursor, Bolt, and Lovable build apps that work but almost never add security protections. Scan yours before you go live.
Connect SiteSecurityScore to Claude Code via MCP so Claude can scan, read results, and fix security issues in the same conversation.
Wire SiteSecurityScore into ChatGPT Codex, Cursor, and Windsurf via MCP so your AI coding agent can scan and fix security issues in the same session.
Which OWASP Top 10 categories security headers address, and which risks fall outside their scope.
How a dangling DNS record lets an attacker claim your subdomain, and how to find and prevent it.
Which ports should never face the internet, how attackers find them, and how to reduce your exposure.
Create a Content Security Policy from scratch with walkthroughs for common site types.
Configure HSTS headers correctly with preload enrollment and incremental rollout.
Control browser feature access with Permissions Policy for privacy and compliance.
Configure CORS safely, understand preflight requests, and debug cross-origin errors.
Scan your site and see which security headers are missing.