| Id | Name | Status | Risk | Type |
|---|---|---|---|---|
| 10021 | X-Content-Type-Options Header Missing | release | Low | Passive |
| 10038-1 | Content Security Policy (CSP) Header Not Set | release | Medium | Passive |
| 10038-2 | Obsolete Content Security Policy (CSP) Header Found | release | Informational | Passive |
| 10038-3 | Content Security Policy (CSP) Report-Only Header Found | release | Informational | Passive |
| 10055-1 | CSP: X-Content-Security-Policy | release | Low | Passive |
| 10055-2 | CSP: X-WebKit-CSP | release | Low | Passive |
| 10055-3 | CSP: Notices | release | Low | Passive |
| 10055-4 | CSP: Wildcard Directive | release | Medium | Passive |
| 10055-5 | CSP: script-src unsafe-inline | release | Medium | Passive |
| 10055-6 | CSP: style-src unsafe-inline | release | Medium | Passive |
| 10055-7 | CSP: script-src unsafe-hashes | release | Medium | Passive |
| 10055-8 | CSP: style-src unsafe-hashes | release | Medium | Passive |
| 10055-9 | CSP: Malformed Policy (Non-ASCII) | release | Medium | Passive |
| 10055-10 | CSP: script-src unsafe-eval | release | Medium | Passive |
| 10055-11 | CSP: Meta Policy Invalid Directive | release | Medium | Passive |
| 10055-12 | CSP: Header & Meta | release | Informational | Passive |
| 10055-13 | CSP: Failure to Define Directive with No Fallback | release | Medium | Passive |
| 10063-1 | Permissions Policy Header Not Set | beta | Low | Passive |
| 90004-1 | Cross-Origin-Resource-Policy Header Missing or Invalid | beta | Low | Passive |
| 90004-2 | Cross-Origin-Embedder-Policy Header Missing or Invalid | beta | Low | Passive |
| 90004-3 | Cross-Origin-Opener-Policy Header Missing or Invalid | beta | Low | Passive |
| 100016 | Missing Security Headers | alpha | Low | Script Passive |
| 200005-1 | Missing Content-Security-Policy header | alpha | Low | Tool |
| 200005-2 | CSP allows inline/eval or wildcards in script/style | alpha | Low | Tool |
| 200005-3 | CSP 'frame-ancestors' missing or overly broad | alpha | Low | Tool |
| 200005-4 | CSP Report-Only present without enforcing CSP | alpha | Low | Tool |
| 200005-5 | Missing Strict-Transport-Security header (on HTTPS) | alpha | Low | Tool |
| 200005-6 | Strict-Transport-Security sent over HTTP (ineffective) | alpha | Low | Tool |
| 200005-7 | HSTS max-age too low or missing includeSubDomains | alpha | Low | Tool |
| 200005-8 | X-Powered-By header or equivalent present | alpha | Low | Tool |
| 200005-9 | Server banner discloses software/version | alpha | Low | Tool |
| 200005-10 | Missing or invalid X-Content-Type-Options | alpha | Low | Tool |
| 200005-11 | X-XSS-Protection header is a legacy directive | alpha | Low | Tool |
| 200005-12 | Expect-CT is deprecated | alpha | Low | Tool |
| 200005-13 | COOP set without COEP/CORP (incomplete cross-origin isolation) | alpha | Low | Tool |
| 200005-14 | COEP present but value is not 'require-corp' or 'credentialless' | alpha | Low | Tool |
| 200005-15 | Deprecated Feature-Policy or unknown/overly-permissive Permissions-Policy | alpha | Low | Tool |
| 200005-16 | Missing or weak Referrer-Policy | alpha | Low | Tool |
| 200005-17 | Clear-Site-Data present but missing executionContexts | alpha | Low | Tool |
| 200005-18 | Clear-Site-Data uses wildcard * | alpha | Low | Tool |
| 200005-19 | CORS allows any origin with credentials | alpha | Low | Tool |
| 200005-20 | Sensitive cookies missing security flags | alpha | Low | Tool |
| 200005-21 | Potentially authenticated content lacks no-store | alpha | Low | Tool |
| 200005-22 | Public-Key-Pins is deprecated | alpha | Low | Tool |
| 200005-23 | COOP present but value is not 'same-origin' | alpha | Low | Tool |
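The rows above name passive checks on HTTP response headers. As an added example (not ZAP's own code, and not a port of any of the listed rules), the following Python checker applies a subset of those checks to one parsed response and returns the matching alert names from the table. The one-year HSTS threshold, the set of "weak" Referrer-Policy values, and the "any source expression containing `*`" wildcard rule are assumptions of this example, not the rules' actual logic. The two sample responses are constructed, not captured.

```python
# Added example, not ZAP's own code: a passive checker that applies a subset of
# the header rules listed above to one HTTP response. Values marked "assumed"
# are this example's choices, not the rules' actual logic.
from __future__ import annotations
import re

ONE_YEAR = 31536000  # assumed "too low" HSTS threshold (the preload-list minimum)
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}  # assumed weak set
PRESENCE_ALERTS = (  # header name -> alert raised merely because the header exists
    ("x-content-security-policy", "Obsolete Content Security Policy (CSP) Header Found"),
    ("x-webkit-csp", "Obsolete Content Security Policy (CSP) Header Found"),
    ("x-xss-protection", "X-XSS-Protection header is a legacy directive"),
    ("expect-ct", "Expect-CT is deprecated"),
    ("public-key-pins", "Public-Key-Pins is deprecated"),
    ("x-powered-by", "X-Powered-By header or equivalent present"),
)

def parse_csp(value: str) -> dict[str, list[str]]:
    """{directive: [sources]}, lower-cased; a repeated directive is ignored (setdefault)."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def check_csp(csp: str) -> list[str]:
    """CSP content checks (the 10055-* and 200005-2/-3 rows)."""
    findings: list[str] = []
    if not csp.isascii():
        findings.append("CSP: Malformed Policy (Non-ASCII)")
    policy = parse_csp(csp)
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))  # default-src fallback
        for keyword in ("unsafe-inline", "unsafe-hashes"):
            if f"'{keyword}'" in sources:
                findings.append(f"CSP: {directive} {keyword}")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("CSP: script-src unsafe-eval")
    if any("*" in src for srcs in policy.values() for src in srcs):  # assumed wildcard rule
        findings.append("CSP: Wildcard Directive")
    # frame-ancestors has no default-src fallback: when absent, any site may frame the page.
    if "*" in policy.get("frame-ancestors", ["*"]):
        findings.append("CSP 'frame-ancestors' missing or overly broad")
    return findings

def check_headers(headers: dict[str, str], https: bool) -> list[str]:
    """Return the alert names from the table that apply to one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    f: list[str] = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        f.append("X-Content-Type-Options Header Missing")
    if "content-security-policy" in h:
        f += check_csp(h["content-security-policy"])
    else:
        f.append("Content Security Policy (CSP) Header Not Set")
        if "content-security-policy-report-only" in h:
            f.append("CSP Report-Only present without enforcing CSP")
    hsts = h.get("strict-transport-security")
    if hsts is not None and not https:  # browsers ignore HSTS received over plain HTTP
        f.append("Strict-Transport-Security sent over HTTP (ineffective)")
    elif https and hsts is None:
        f.append("Missing Strict-Transport-Security header (on HTTPS)")
    elif https:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if (int(m.group(1)) if m else 0) < ONE_YEAR or "includesubdomains" not in hsts.lower():
            f.append("HSTS max-age too low or missing includeSubDomains")
    if re.search(r"\d", h.get("server", "")):  # a digit implies a version, e.g. nginx/1.18.0
        f.append("Server banner discloses software/version")
    f += [msg for name, msg in PRESENCE_ALERTS if name in h]
    coop, coep = h.get("cross-origin-opener-policy"), h.get("cross-origin-embedder-policy")
    if coop is not None and coop.lower() != "same-origin":
        f.append("COOP present but value is not 'same-origin'")
    if coep is not None and coep.lower() not in ("require-corp", "credentialless"):
        f.append("COEP present but value is not 'require-corp' or 'credentialless'")
    if coop is not None and (coep is None or "cross-origin-resource-policy" not in h):
        f.append("COOP set without COEP/CORP (incomplete cross-origin isolation)")
    rp = h.get("referrer-policy")
    if rp is None or rp.lower() in WEAK_REFERRER:
        f.append("Missing or weak Referrer-Policy")
    if "permissions-policy" not in h:
        f.append("Permissions Policy Header Not Set")
    return f

# Constructed sample responses, not captured traffic.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.33",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block", "Strict-Transport-Security": "max-age=3600",
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
    "frame-ancestors 'none'; form-action 'self'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}
```

Calling `check_headers(WEAK_HEADERS, https=True)` yields eleven alerts, while `check_headers(HARDENED_HEADERS, https=True)` yields none; passing `https=False` is what turns an HSTS header from a pass into the "sent over HTTP" finding. Rows that need more than the response headers (cookie flags, `no-store` on authenticated content, CORS with credentials, `Clear-Site-Data` directives) are deliberately not modelled here, because they depend on the request or on which responses are authenticated.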