Security Headers

10 tests verify that the security headers below are injected into responses automatically.

HDR-001  INJECTED

Content-Security-Policy

Content-Security-Policy: default-src 'self'

The CSP header is added automatically; with default-src 'self' it restricts scripts and other resources to the page's own origin, which prevents XSS attacks that rely on loading attacker-controlled content.

HDR-002  INJECTED

Strict-Transport-Security

Strict-Transport-Security: max-age=31536000; includeSubDomains

The HSTS header enforces HTTPS connections: browsers that have seen it use HTTPS only for this host (and, with includeSubDomains, for its subdomains) for max-age seconds, here one year.

X-Frame-Options

Prevents clickjacking by controlling whether the page may be embedded in a frame or iframe on another site.

X-Content-Type-Options

Prevents MIME type sniffing attacks by forcing browsers to honour the declared Content-Type instead of guessing one from the response body.
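The example below is added here to show the two sides of what this page describes: a small WSGI middleware that injects the four headers automatically, and a checker that reports INJECTED / MISSING / MISMATCH per header the way the HDR-* tests do. It is not the project's own code. The CSP and HSTS values are the ones shown on this page; the values DENY and nosniff for X-Frame-Options and X-Content-Type-Options are assumptions, since the page lists no values for them, and the demo app, request and min/max-age threshold are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]

# CSP and HSTS values come from the page; DENY and nosniff are assumed because
# the page shows no values for those two headers.
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

HSTS_MIN_MAX_AGE = 31536000  # one year, matching the page's HSTS value


def inject_security_headers(headers: Headers) -> Headers:
    """Return a copy of `headers` with every security header present.
    A header the route already set (case-insensitive) is kept, so a stricter
    per-route CSP is never silently overwritten by the default."""
    present = {name.lower() for name, _ in headers}
    injected = list(headers)
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            injected.append((name, value))
    return injected


def parse_hsts(value: str) -> Tuple[int, bool]:
    """Return (max_age, include_subdomains); max_age is -1 if absent/malformed."""
    max_age, include_sub = -1, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            max_age = int(val) if val.strip().isdigit() else -1
        elif key == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_security_headers(headers: Headers) -> Dict[str, str]:
    """Mirror the page's HDR-* tests: one status string per security header.
    HSTS is judged on its directives (max-age long enough, includeSubDomains
    set); the other headers must match the expected value exactly."""
    got = {name.lower(): value.strip() for name, value in headers}
    report: Dict[str, str] = {}
    for name, expected in SECURITY_HEADERS.items():
        value = got.get(name.lower())
        if value is None:
            report[name] = "MISSING"
        elif name == "Strict-Transport-Security":
            max_age, include_sub = parse_hsts(value)
            ok = max_age >= HSTS_MIN_MAX_AGE and include_sub
            report[name] = "INJECTED" if ok else "WEAK"
        else:
            report[name] = "INJECTED" if value == expected else "MISMATCH"
    return report


def security_headers_middleware(app: Callable) -> Callable:
    """WSGI middleware: every response's header list passes through
    inject_security_headers before reaching the server."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, inject_security_headers(headers), exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed sample app that sets only Content-Type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def run_app(app: Callable) -> Headers:
    """Invoke a WSGI app with a constructed GET request and capture its headers."""
    captured: Headers = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured


if __name__ == "__main__":
    for label, app in (("unprotected", demo_app),
                       ("protected", security_headers_middleware(demo_app))):
        for name, status in check_security_headers(run_app(app)).items():
            print(f"{label:12} {name}: {status}")
```

Running the block prints MISSING for all four headers on the bare app and INJECTED for all four once the middleware wraps it. The checker deliberately treats HSTS by directive rather than by exact string, so a deployment that ships a longer max-age still passes, while a short max-age or a missing includeSubDomains is flagged as WEAK.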