LinkSentinel
Sample report — demo data · 2026-06-11 14:32 UTC · 2.8s · 5 findings

https://example-shop.io/checkout

Score: 55/100 · Caution · Medium risk

Critical: 0 · High: 2 · Medium: 4 · Low: 3 · Passed: 10
Plain-English summary

This page is served over HTTPS but is missing several modern security headers, sets two third-party tracking cookies before consent, and loads analytics scripts from three external hosts. Nothing here indicates phishing or active malice — the risk profile is privacy leakage and weakened defense-in-depth, not deception.

How the score was computed

Base score                             100
No Content-Security-Policy header      -14
Tracking cookies set before consent    -14
HSTS max-age below one year             -7
Insecure redirect in chain              -7
Referrer-Policy not set                 -3
Final score                             55

Findings

5 items · sorted by severity

F-01 · High · Headers
No Content-Security-Policy header
Without CSP, any injected script runs with full page privileges. One XSS bug becomes full account compromise.

F-02 · High · Privacy
Tracking cookies set before consent
Two third-party advertising cookies are written on first paint, before any consent interaction is possible.

F-03 · Medium · Headers
HSTS max-age below one year
max-age=86400 means the cached HSTS policy expires after one day, so a returning visitor is treated like a first-time visitor and a downgrade attack can strip TLS on that plain-HTTP request.

F-04 · Medium · Redirects
Insecure redirect in chain
Hop 2 passes through plain HTTP before re-upgrading. Credentials or tokens in the URL would transit unencrypted.

F-05 · Low · Privacy
Referrer-Policy not set
Full URLs, including query parameters, leak to every third-party host the page contacts.

Redirect chain

4 hops

  1. http://example-shop.io/checkout          301 · initial request
  2. http://www.example-shop.io/checkout      302 · insecure hop
  3. https://www.example-shop.io/checkout     301 · TLS upgrade
  4. https://example-shop.io/checkout         200 · final destination

Cookies / privacy

4 set on load

_ga_4XK2 · .example-shop.io · first-party
Secure · SameSite=Lax · Missing HttpOnly · Lifetime 730 days (over 1 year)
Low

_fbp · .facebook.com · third-party
Secure · SameSite=None · Missing HttpOnly
Medium

IDE · .doubleclick.net · third-party
Secure · SameSite=None · Missing HttpOnly
Medium

session_id · example-shop.io · first-party
Secure · HttpOnly · SameSite=Strict
Pass

Security headers

Graded against the OWASP Secure Headers Project.

Strict-Transport-Security: max-age=86400
Present but max-age is 1 day; recommend ≥ 31536000 with includeSubDomains.
Medium

Content-Security-Policy: (not set)
Missing. No restriction on script, style, or frame sources.
Missing

X-Frame-Options: SAMEORIGIN
Clickjacking protection in place.
Pass

X-Content-Type-Options: nosniff
MIME sniffing disabled.
Pass

Referrer-Policy: (not set)
Missing. Browsers fall back to strict-origin-when-cross-origin, but an explicit value is safer.
Missing

Permissions-Policy: (not set)
Missing. Camera, microphone, and geolocation are not explicitly denied.
Missing

Cross-Origin-Opener-Policy: same-origin
Browsing context is isolated from cross-origin windows.
Pass

Cross-Origin-Resource-Policy: same-origin
Other origins are restricted from embedding these resources.
Pass

Third-party scripts

3 external hosts

www.googletagmanager.com · Tag management / analytics · Low
connect.facebook.net · Advertising pixel · Medium
static.hotjar.com · Session recording · Medium

Third-party scripts are external code loaded by the page. They are not automatically bad, but each one can read page content and affect privacy and security.

Fix guidance

Close the gaps

Ordered by impact. Each fix includes the exact value to ship.

Deploy a Content-Security-Policy

Start in report-only mode, observe violations for a week, then enforce. Even a loose policy blocks the majority of injected-script attacks.

Response header:
Content-Security-Policy: default-src 'self'; script-src 'self' www.googletagmanager.com; object-src 'none'; base-uri 'self'

Platform examples (4):

next.config.ts
// Applies the CSP to every route; the value matches the response header above.
const nextConfig = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{
        key: 'Content-Security-Policy',
        value: "default-src 'self'; script-src 'self' www.googletagmanager.com; object-src 'none'; base-uri 'self'",
      }],
    }]
  },
}

export default nextConfig

express + helmet
import express from 'express'
import helmet from 'helmet'

const app = express()

// Helmet serialises these directives into the Content-Security-Policy header.
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", 'www.googletagmanager.com'],
    objectSrc: ["'none'"],
    baseUri: ["'self'"],
  },
}))

nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' www.googletagmanager.com; object-src 'none'; base-uri 'self'" always;

cloudflare pages — _headers
/*
  Content-Security-Policy: default-src 'self'; script-src 'self' www.googletagmanager.com; object-src 'none'; base-uri 'self'

Extend HSTS to one year and preload

A 1-day max-age protects almost nothing. Set a full year, include subdomains, and submit to the browser preload list.

Response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Platform examples (4):

next.config.ts
// Add to the headers array returned by headers() in next.config.ts.
headers: [{
  key: 'Strict-Transport-Security',
  value: 'max-age=31536000; includeSubDomains; preload',
}]

express + helmet
// helmet.hsts() emits the Strict-Transport-Security header on every response.
app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubDomains: true,
  preload: true,
}))

nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

cloudflare pages — _headers
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Gate tracking cookies behind consent

Load the Facebook pixel and DoubleClick tags only after an affirmative consent event. This is a compliance issue in the EU and several US states, not just hygiene.

Remove the insecure redirect hop

Redirect http://www directly to the final https origin in one hop. Every intermediate HTTP hop is an interception point.

nginx
# Catch both hostnames on port 80 and send them straight to the final HTTPS origin.
server {
  listen 80;
  server_name example-shop.io www.example-shop.io;
  return 301 https://example-shop.io$request_uri;
}