HTTP Security & Mixed Content Issues
7 Intentional Issues
Demonstrates missing or misconfigured HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy) and mixed content.
HTTPS & Mixed Content
Issue #1: HTTPS not enforced or SSL certificate invalid
Issue #2: Mixed content: HTTP assets loaded on HTTPS page
Issue #185: Mixed active content: inline scripts loading over HTTP
[Image] Image loaded over HTTP on an HTTPS page (Issues #2 and #185)
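To make Issues #2 and #185 concrete, here is an offline scanner that walks an HTML document and reports every sub-resource referenced over plain http://, separating active content (scripts, frames, stylesheets, which browsers block because tampering yields code execution in the page's origin) from passive content (images and media, which browsers upgrade or merely warn about). It also reports http:// URLs that appear inside inline script bodies, the pattern Issue #185 describes. This is an added example, not code from the demo page; the sample HTML is constructed for the demonstration and the hostnames in it are placeholders.

```python
"""Scan HTML served over HTTPS for sub-resources fetched over plain HTTP."""
import re
from html.parser import HTMLParser

# Active mixed content: browsers block it outright, because an on-path attacker
# who rewrites it gets script execution in the HTTPS page's origin.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
# Passive mixed content: browsers upgrade it or warn; tampering changes what the
# user sees but cannot run script.
PASSIVE_TAGS = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data")
HTTP_URL = re.compile(r"""http://[^\s'"<>()]+""")


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for every http:// sub-resource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        # <link> only fetches something when it is a stylesheet; rel=canonical etc. is metadata.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for name in URL_ATTRS:
            url = attrs.get(name) or ""
            if not url.lower().startswith("http://"):
                continue  # https://, scheme-relative //host and relative URLs inherit HTTPS
            if tag in ACTIVE_TAGS:
                self.findings.append(("active", tag, url))
            elif tag in PASSIVE_TAGS:
                self.findings.append(("passive", tag, url))
            # <a href="http://..."> is navigation, not a sub-resource, so it is ignored.

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Issue #185: an inline script that injects http:// resources at run time.
        # Reported as active because the script may create <script>/<iframe>; confirm by hand.
        if self._in_script:
            for url in HTTP_URL.findall(data):
                self.findings.append(("active", "inline-script", url))


def scan_mixed_content(html):
    """Return the list of (kind, tag, url) findings for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hostnames are placeholders, not a captured site).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script>
  var s = document.createElement("script");
  s.src = "http://analytics.example.com/track.js";
  document.head.appendChild(s);
</script>
</head><body>
<img src="http://images.example.com/logo.png" alt="logo">
<img src="//images.example.com/hero.png" alt="hero">
<a href="http://partner.example.com/">Partner</a>
<iframe src="http://widgets.example.com/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_HTML):
        print(f"{kind:7} {tag:14} {url}")
```

The scheme-relative `//images.example.com/hero.png` and the `<a href="http://...">` link are deliberately not reported: the former inherits the page's scheme, the latter is a navigation rather than a fetch made by the page.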
Strict-Transport-Security (HSTS)
Issue #136: HSTS header not set on server responses
Missing header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Without HSTS, every visit that starts at http:// (a typed hostname, an old bookmark, a link an attacker controls) makes a plaintext request first, and an on-path attacker can answer that request and keep the user on HTTP (SSL stripping). Once a browser has seen the header over HTTPS it rewrites http:// to https:// itself for max-age seconds (31536000 is one year) and treats certificate errors for that host as fatal rather than click-through; includeSubDomains extends this to every subdomain. The header is ignored when received over plain HTTP, so Issue #1 has to be fixed before this one has any effect.
Content-Security-Policy (CSP)
Issue #137: CSP header not configured — XSS vulnerability
Missing header:
Content-Security-Policy: default-src 'self'; script-src 'self'
A missing CSP does not create an XSS bug on its own, but it removes the browser-side backstop: with script-src 'self', an injected inline <script> or a script pulled from another origin is refused by the browser even when server-side escaping has failed. (Google has treated HTTPS, not CSP, as a ranking signal since 2014; that argument belongs to Issue #1.)
Referrer-Policy & X-Frame-Options
Issue #139: Referrer-Policy header not set
Issue #140: X-Frame-Options header missing — clickjacking risk
Missing headers:
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN
Without Referrer-Policy the browser's default applies; no-referrer-when-downgrade, the value shown above, still sends the full URL (path and query string, which may carry tokens or identifiers) to every HTTPS destination, so strict-origin-when-cross-origin or no-referrer is the stronger choice. Without X-Frame-Options (or a CSP frame-ancestors directive, which current browsers prefer when both are present) any site can load this page in an invisible iframe and trick the user into clicking on it (clickjacking); SAMEORIGIN allows framing only by the page's own origin, DENY by none at all.
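The four header issues above (#136, #137, #139, #140) can be checked from a response's header map without any browser. The audit below is an added example, not code from the demo page: it looks up each header case-insensitively, flags the missing or weak forms discussed on this page (short HSTS max-age, 'unsafe-inline' in script-src without a nonce or hash, a non-standard X-Frame-Options value, a Referrer-Policy that leaks the full URL) and compares a bare response, a weakly configured one and a hardened set. The sample responses are constructed; the hardened CSP adds object-src, base-uri and frame-ancestors beyond the two directives the page lists.

```python
"""Audit a response's security headers for the issues this page lists."""
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age the page recommends
# Referrer-Policy values that still send the full URL to other HTTPS origins.
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def get_header(headers, name):
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(csp):
    """'default-src 'self'; script-src 'self'' -> {'default-src': ["'self'"], ...}"""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers, over_https=True):
    """Return a list of (severity, message) findings for one response."""
    findings = []

    # Issue #136: HSTS only counts when the response itself came over HTTPS.
    hsts = get_header(headers, "Strict-Transport-Security")
    if not over_https:
        findings.append(("info", "HSTS is ignored on plain-HTTP responses; enforce HTTPS first"))
    elif hsts is None:
        findings.append(("high", "Strict-Transport-Security missing: an http:// first visit can be SSL-stripped"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(match.group(1)) if match else 0
        if age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age={age} is under one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains; subdomains remain strippable"))

    # Issue #137: a missing CSP removes the mitigation; 'unsafe-inline' without a
    # nonce or hash leaves injected inline scripts runnable, which is nearly as bad.
    csp = get_header(headers, "Content-Security-Policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append(("medium", "Content-Security-Policy missing: no backstop if an XSS bug exists"))
    else:
        script_src = directives.get("script-src", directives.get("default-src", []))
        nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src)
        if "'unsafe-inline'" in script_src and not nonce_or_hash:
            findings.append(("medium", "script-src allows 'unsafe-inline': injected <script> still runs"))

    # Issue #140: either header prevents framing; frame-ancestors wins when both are set.
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None and "frame-ancestors" not in directives:
        findings.append(("medium", "No X-Frame-Options and no CSP frame-ancestors: page can be framed (clickjacking)"))
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN (ALLOW-FROM is unsupported by current browsers)"))

    # Issue #139: referrer leakage.
    referrer = get_header(headers, "Referrer-Policy")
    if referrer is None:
        findings.append(("low", "Referrer-Policy missing: the browser default applies"))
    elif referrer.strip().lower() in WEAK_REFERRER:
        findings.append(("low", f"Referrer-Policy {referrer!r} sends the full URL to any HTTPS origin"))

    return findings


# Constructed responses for the demonstration (not captured from a real server).
BARE_RESPONSE = {"Content-Type": "text/html; charset=utf-8"}
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example.com",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
# The page's recommended headers plus the CSP directives that close the usual gaps.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; "
                               "base-uri 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, response in (("bare", BARE_RESPONSE), ("weak", WEAK_RESPONSE), ("hardened", HARDENED_HEADERS)):
        print(f"== {name}")
        for severity, message in audit_headers(response):
            print(f"  [{severity}] {message}")
```

Run it against a live response by passing `dict(requests.get(url).headers)` (or any other client's header map) as `headers`, with `over_https` set from the scheme actually used; the audit deliberately treats HSTS on an HTTP response as informational rather than a pass, since the browser will discard it.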