{
"url": "https://www.wikipedia.org",
"score": 6,
"summary": {
"missing": 11,
"warnings": 0,
"notices": 1
},
"caches": [
"Website",
"Browser"
],
"headers": {
"content-length": {
"value": "126",
"findings": [
{
"severity": "info",
"message": "The size of the message body, in bytes."
}
]
},
"content-type": {
"value": "text/plain",
"findings": [
{
"severity": "info",
"message": "The type of the message body, specified as a MIME type."
}
]
},
"x-request-id": {
"value": "b133fd0c-0716-4482-b1b5-84b87a51e330",
"findings": [
{
"severity": "info",
"message": "A unique identifier for the HTTP request. This can be useful for tracking a request through complex systems or for debugging purposes."
}
]
},
"server": {
"value": "haproxy",
"findings": [
{
"severity": "info",
"message": "Identifies the software used by the origin server to handle the request (e.g. Apache, Nginx, Cloudflare)."
},
{
"severity": "notice",
"message": "Consider removing or minimizing the Server header. Even without a version number, it reveals the server software, which aids reconnaissance."
}
]
},
"x-cache": {
"value": "cp1114 int",
"findings": [
{
"severity": "info",
"message": "Indicates whether the page was served from a cache. Common values: HIT (served from cache), MISS (fetched from origin)."
}
]
},
"x-cache-status": {
"value": "int-tls",
"findings": [
{
"severity": "info",
"message": "Indicates how the caching system processed this request."
}
]
},
"x-analytics": {
"value": "",
"findings": [
{
"severity": "info",
"message": "A custom header used to pass analytics metadata, often seen on Wikimedia sites."
}
]
}
},
"missing": {
"strict-transport-security": {
"message": "Add a Strict-Transport-Security header. The Strict-Transport-Security header or HSTS header is used to instruct browsers to only use HTTPS, instead of using HTTP. It helps enforce secure communication."
},
"content-security-policy": {
"message": "Add a Content-Security-Policy header. The Content-Security-Policy header helps browsers prevent cross site scripting (XSS) and data injection attacks."
},
"referrer-policy": {
"message": "Add a Referrer-Policy header. When a visitor navigates from one page to another, browsers often pass along referrer information. The Referrer-Policy header controls how much referrer information a browser can share. This is important to configure when private information is embedded in the path or query string and passed onto an external destination."
},
"permissions-policy": {
"message": "Add a Permissions-Policy header. Restrict access to device features like the camera, microphone, location, accelerometer and much more."
},
"cross-origin-embedder-policy": {
"message": "Add a Cross-Origin-Embedder-Policy header. It requires cross-origin resources to explicitly consent before this page can load them, protecting those resources from being exposed to Spectre-style timing attacks. Together with Cross-Origin-Opener-Policy, it enables cross-origin isolation and access to SharedArrayBuffer."
},
"cross-origin-opener-policy": {
"message": "Add a Cross-Origin-Opener-Policy header. It prevents other sites from retaining a window reference to this page when opened via window.open() or navigation, blocking script-based attacks through shared browsing contexts."
},
"cross-origin-resource-policy": {
"message": "Add a Cross-Origin-Resource-Policy header. It controls which origins can embed or load this page's resources (images, scripts, etc.), preventing hotlinking and cross-origin data leaks."
},
"x-frame-options": {
"message": "Add a X-Frame-Options header. The X-Frame-Options header prevents this URL from being embedded in an iframe. This protects against clickjacking attacks. Alternatively, set a Content-Security-Policy header with a frame-ancestors directive."
},
"x-content-type-options": {
"message": "Add an X-Content-Type-Options: nosniff header to prevent browsers from MIME type sniffing. Without it, browsers may interpret files as a different content type than intended, which can lead to security vulnerabilities."
},
"x-permitted-cross-domain-policies": {
"message": "Add a X-Permitted-Cross-Domain-Policies header to prevent Flash, Adobe Reader and other clients from sharing data across domains."
},
"content-encoding": {
"message": "No Content-Encoding header found. Enable compression such as gzip or br (Brotli) to reduce transfer sizes. Brotli typically achieves 15–20% better compression than gzip and is supported by all modern browsers."
}
}
}