What we analyze
HTTP security headers are instructions the server sends to the browser indicating how it should behave to protect the user. Their absence or misconfiguration leaves the door open to multiple attack vectors.
Headers verified
Strict-Transport-Security (HSTS)
Tells the browser to use HTTPS only for this host for a stated period, preventing protocol-downgrade and man-in-the-middle (MITM) attacks.
Content-Security-Policy (CSP)
Controls which resources the page can load, mitigating XSS attacks.
X-Frame-Options
Prevents the page from being embedded in iframes on other sites, protecting against clickjacking.
X-Content-Type-Options
Prevents the browser from MIME-sniffing a response away from its declared Content-Type, which could otherwise cause an uploaded file to be executed as script.
X-XSS-Protection
Activates the browser's anti-XSS filter (legacy but still relevant).
Referrer-Policy
Controls how much of the referring URL is sent with outgoing requests, limiting information leakage to third parties.
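As an added example (illustrative code, not the scanner's own implementation), the following audit takes a dictionary of response headers, or a raw HTTP response head, and reports which of the six headers above are missing or weak. The thresholds and the recommended baseline values are assumptions chosen here, and the sample response is constructed, not captured from any real site.

```python
"""Audit HTTP response headers for the six security headers discussed above.

Illustrative code added to this page; assumptions are marked in comments.
"""
import re
from typing import Dict, List

# Assumed hardened baseline (not the scanner's exact policy).
RECOMMENDED: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    # Modern browsers dropped the XSS auditor; "0" is the safe value because
    # the old "1; mode=block" filter could itself be abused for side channels.
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response (status line first)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():                # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browser may still use plain HTTP (downgrade/MITM)")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append(f"HSTS max-age below {min_hsts_age} seconds")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing: no restriction on script/resource origins (XSS)")
    else:
        if "'unsafe-inline'" in csp.lower() or "'unsafe-eval'" in csp.lower():
            findings.append("CSP allows unsafe-inline/unsafe-eval, weakening XSS mitigation")
        if "default-src" not in csp.lower() and "script-src" not in csp.lower():
            findings.append("CSP defines neither default-src nor script-src")

    # Either header may provide framing protection; CSP frame-ancestors wins.
    if "frame-ancestors" not in csp.lower():
        if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
            findings.append("No framing protection (X-Frame-Options / frame-ancestors): clickjacking")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not 'nosniff': MIME sniffing possible")

    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp != "0":
        findings.append("X-XSS-Protection enables the legacy filter; prefer '0' or omit")

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaky: full URLs may leak to third parties")

    return findings


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_headers(parse_response_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

Running the script on the constructed sample reports six findings: a too-short HSTS max-age, a CSP that allows inline script, no framing protection, no `nosniff`, the legacy XSS filter enabled, and a missing Referrer-Policy. Auditing `RECOMMENDED` returns no findings.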
Why is it important?
Without these headers, your website is vulnerable to attacks such as Cross-Site Scripting (XSS), clickjacking, malicious content injection and information theft. They are an easy-to-implement but frequently forgotten defense layer.
Impact if it fails
- Execution of malicious scripts in the user's browser
- Cookie and session token theft
- User deception through clickjacking
- Fraudulent content injection
Applicable Legal Framework
Article 5 of the GDPR establishes the principle of integrity and confidentiality of personal data. Failing to implement basic security headers can be considered a lack of due diligence in data protection.
Potential Sanctions
| Company Type | Indicative Fine |
|---|---|
| Micro-enterprise | 5,000 - 40,000 € |
| SME | 40,000 - 300,000 € |
| Large Enterprise | Up to 10M € or 2% turnover |