Welcome - WAFDOG

Check Detail

heathrow.com · HEADER

Passed Grade C

65.4%

Hostname	heathrow.com
Check name	HEADER
last run	12/12/2025 09:48
Result	Passed Grade B 88.5%

Result Detail

HEADER

Alerts

Strict-Transport-Security: HSTS active but consider preload
Cross-Origin-Opener-Policy: Header missing
Cross-Origin-Embedder-Policy: Header missing
Cross-Origin-Resource-Policy: Header missing
Expect-CT: Expect-CT missing
X-Permitted-Cross-Domain-Policies: Header missing
Access-Control-Allow-Origin: Access-Control-Allow-Origin missing
Origin-Agent-Cluster: Header missing

Normalized headers

date	Fri, 12 Dec 2025 08:48:54 GMT
content-type	text/html;charset=utf-8
content-length	1150860
service-worker-allowed	/
x-frame-options	SAMEORIGIN
strict-transport-security	max-age=63072000; includeSubdomains;
permissions-policy	fullscreen=(self "https://www.youtube-nocookie.com"), microphone=(), camera=()
x-dispatcher	dispatcher3euwest2-b80
x-vhost	publish
x-content-type-options	nosniff
x-xss-protection	1; mode=block
content-security-policy	frame-ancestors 'self';; frame-ancestors 'self';
referrer-policy	strict-origin-when-cross-origin
vary	Accept-Encoding,User-Agent
x-cache	TCP_MISS
via	1.1 5321ce1f67b98139d1f43997aea9b44a.cloudfront.net (CloudFront)
x-amz-cf-pop	CDG50-P1
x-amz-cf-id	2V3l4hHpLF0CAmeyqHcAoguEeHchhEjdd0sdIVw01DYX2cBGWDYRbw==
x-azure-ref	20251212T084854Z-185d974d666h7gj4hC1FRAfzk800000006gg000000009twn
cache-control	public, max-age=300
x-fd-int-roxy-purgeid	0
accept-ranges	bytes

Transport

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Strict-Transport-Security	⚠️ Warning	max-age=63072000; includeSubdomains;	max-age>=15768000; includeSubDomains; preload	HSTS active but consider preload	Critical	Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Expect-CT	❌ Missing		enforce; max-age>=86400	Expect-CT missing	Medium	Expect-CT: enforce, max-age=86400, report-uri="https://report.example.com"

Content Security

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Content-Security-Policy	✅ Passed	frame-ancestors 'self';; frame-ancestors 'self';	default-src 'self'; frame-ancestors 'none'	default-src 'self'; frame-ancestors 'none'	Critical	Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

MIME

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Content-Type-Options	✅ Passed	nosniff	nosniff	Value matches recommendation	High	X-Content-Type-Options: nosniff

Framing

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Frame-Options	✅ Passed	SAMEORIGIN	DENY or SAMEORIGIN	Value accepted	High	X-Frame-Options: DENY

Privacy

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Referrer-Policy	✅ Passed	strict-origin-when-cross-origin	strict-origin-when-cross-origin / same-origin	strict-origin-when-cross-origin	Medium	Referrer-Policy: strict-origin-when-cross-origin

Browser Features

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Permissions-Policy	✅ Passed	fullscreen=(self "https://www.youtube-nocookie.com"), microphone=(), camera=()	camera=(); geolocation=(); microphone=()	camera=(); geolocation=(); microphone=()	Medium	Permissions-Policy: camera=(), geolocation=(), microphone=()

Cross-Origin

Check name	Status	Expected	Detail	Severity	Recommendation
Cross-Origin-Opener-Policy	❌ Missing	same-origin	Header missing	High	Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy	❌ Missing	require-corp	Header missing	High	Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy	❌ Missing	same-origin	Header missing	Medium	Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster	❌ Missing	?1	Header missing	Low	Origin-Agent-Cluster: ?1

Caching

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Cache-Control	✅ Passed	public, max-age=300	no-store, private, max-age=0	no-store, private, max-age=0	High	Cache-Control: no-store, private, max-age=0

Legacy

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
X-Permitted-Cross-Domain-Policies	❌ Missing		none	Header missing	Low	X-Permitted-Cross-Domain-Policies: none

CORS

Check name	Status	Actual	Expected	Detail	Severity	Recommendation
Access-Control-Allow-Origin	❌ Missing		Scoped origin (no wildcard)	Access-Control-Allow-Origin missing	Medium	Access-Control-Allow-Origin: https://app.example.com

Information Disclosure

Check name	Status	Expected	Detail	Severity	Recommendation
Server	✅ Passed	Header removed or generic	Header not exposed	High	Remove Server header or set to a generic token
X-Powered-By	✅ Passed	Header removed	Header not exposed	High	Remove X-Powered-By header
X-AspNet-Version	✅ Passed	Header removed	Header not exposed	Medium	Remove framework version headers

Raw headers

HTTP/2 200 
date: Fri, 12 Dec 2025 08:48:54 GMT
content-type: text/html;charset=utf-8
content-length: 1150860
service-worker-allowed: /
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=63072000; includeSubdomains;
permissions-policy: fullscreen=(self "https://www.youtube-nocookie.com"), microphone=(), camera=()
x-dispatcher: dispatcher3euwest2-b80
x-vhost: publish
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: frame-ancestors 'self';
content-security-policy: frame-ancestors 'self';
referrer-policy: strict-origin-when-cross-origin
vary: Accept-Encoding,User-Agent
x-cache: TCP_MISS
via: 1.1 5321ce1f67b98139d1f43997aea9b44a.cloudfront.net (CloudFront)
x-amz-cf-pop: CDG50-P1
x-amz-cf-id: 2V3l4hHpLF0CAmeyqHcAoguEeHchhEjdd0sdIVw01DYX2cBGWDYRbw==
x-azure-ref: 20251212T084854Z-185d974d666h7gj4hC1FRAfzk800000006gg000000009twn
cache-control: public, max-age=300
x-fd-int-roxy-purgeid: 0
accept-ranges: bytes