Presence is not perfection
A header can exist and still be too permissive for a specific application. Treat this as evidence, not a formal security audit.
Review HSTS, Content Security Policy, frame protection, nosniff, Referrer-Policy, and Permissions-Policy after safe redirects.
A header can exist and still be too permissive for a specific application. Treat this as evidence, not a formal security audit.
The checker follows safe redirects and scores the final response because that is what browsers actually render.
Headers like CSP and HSTS should be tested before strict rollout to avoid breaking legitimate site behavior.