Check Detail
medscribehub.com · HEADER
Incomplete
Grade D
57.7%
Result Detail
HEADERAlerts
- Permissions-Policy: Permissions-Policy missing
- Cross-Origin-Opener-Policy: Header missing
- Cross-Origin-Embedder-Policy: Header missing
- Cross-Origin-Resource-Policy: Header missing
- Expect-CT: Expect-CT missing
- X-Permitted-Cross-Domain-Policies: Header missing
- Access-Control-Allow-Origin: Access-Control-Allow-Origin missing
- Server: Sensitive header exposed
- Origin-Agent-Cluster: Header missing
Normalized headers
| date | Tue, 26 May 2026 06:30:17 GMT |
|---|---|
| content-type | text/html |
| content-length | 19166 |
| server | Apache |
| vary | X-Forwarded-Proto,Accept-Encoding |
| last-modified | Mon, 18 May 2026 14:26:48 GMT |
| etag | "4ade-652185a4dba00" |
| accept-ranges | bytes |
| strict-transport-security | max-age=31536000; includeSubDomains; preload |
| referrer-policy | same-origin |
| x-content-type-options | nosniff |
| x-frame-options | SAMEORIGIN |
| x-xss-protection | 1; mode=block |
| cache-control | no-cache, no-store, max-age=0, must-revalidate |
| pragma | no-cache |
| content-security-policy | script-src 'self' 'unsafe-eval' *.fonts.gstatic.com *.google-analytics.com *.googletagmanager.com *.paytm.in *.paytmpayments.com https://devpacs.kxstage.com *.googleapis.com https://*.kxstage.com:8443 *.agora.io *.agoraio.cn *.gstatic.com *.google.com *.jquery.com *.alpha.phit.in *.razorpay.com *.userway.org 'unsafe-inline'; object-src 'self'; font-src * data:; img-src 'self' *.fonts.gstatic.com *.google-analytics.com *.googletagmanager.com *.paytm.in *.paytmpayments.com https://devpacs.kxstage.com *.googleapis.com https://*.kxstage.com:8443 *.agora.io *.agoraio.cn *.gstatic.com *.google.com *.jquery.com *.alpha.phit.in *.razorpay.com *.userway.org 'unsafe-inline' data: blob:; |
Transport
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Strict-Transport-Security | ✅ Passed | max-age=31536000; includeSubDomains; preload | max-age>=15768000; includeSubDomains; preload | HSTS policy robust | Critical | Strict-Transport-Security: max-age=63072000; includeSubDomains; preload |
| Expect-CT | ❌ Missing | enforce; max-age>=86400 | Expect-CT missing | Medium | Expect-CT: enforce, max-age=86400, report-uri="https://report.example.com" |
Content Security
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Content-Security-Policy | ✅ Passed | script-src 'self' 'unsafe-eval' *.fonts.gstatic.com *.google-analytics.com *.googletagmanager.com *.paytm.in *.paytmpayments.com https://devpacs.kxstage.com *.googleapis.com https://*.kxstage.com:8443 *.agora.io *.agoraio.cn *.gstatic.com *.google.com *.jquery.com *.alpha.phit.in *.razorpay.com *.userway.org 'unsafe-inline'; object-src 'self'; font-src * data:; img-src 'self' *.fonts.gstatic.com *.google-analytics.com *.googletagmanager.com *.paytm.in *.paytmpayments.com https://devpacs.kxstage.com *.googleapis.com https://*.kxstage.com:8443 *.agora.io *.agoraio.cn *.gstatic.com *.google.com *.jquery.com *.alpha.phit.in *.razorpay.com *.userway.org 'unsafe-inline' data: blob:; | default-src 'self'; frame-ancestors 'none' | default-src 'self'; frame-ancestors 'none' | Critical | Content-Security-Policy: default-src 'self'; frame-ancestors 'none' |
MIME
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| X-Content-Type-Options | ✅ Passed | nosniff | nosniff | Value matches recommendation | High | X-Content-Type-Options: nosniff |
Framing
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| X-Frame-Options | ✅ Passed | SAMEORIGIN | DENY or SAMEORIGIN | Value accepted | High | X-Frame-Options: DENY |
Privacy
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Referrer-Policy | ✅ Passed | same-origin | strict-origin-when-cross-origin / same-origin | strict-origin-when-cross-origin | Medium | Referrer-Policy: strict-origin-when-cross-origin |
Browser Features
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Permissions-Policy | ❌ Missing | camera=(); geolocation=(); microphone=() | Permissions-Policy missing | Medium | Permissions-Policy: camera=(), geolocation=(), microphone=() |
Cross-Origin
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Cross-Origin-Opener-Policy | ❌ Missing | same-origin | Header missing | High | Cross-Origin-Opener-Policy: same-origin | |
| Cross-Origin-Embedder-Policy | ❌ Missing | require-corp | Header missing | High | Cross-Origin-Embedder-Policy: require-corp | |
| Cross-Origin-Resource-Policy | ❌ Missing | same-origin | Header missing | Medium | Cross-Origin-Resource-Policy: same-origin | |
| Origin-Agent-Cluster | ❌ Missing | ?1 | Header missing | Low | Origin-Agent-Cluster: ?1 |
Caching
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Cache-Control | ✅ Passed | no-cache, no-store, max-age=0, must-revalidate | no-store, private, max-age=0 | no-store, private, max-age=0 | High | Cache-Control: no-store, private, max-age=0 |
Legacy
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| X-Permitted-Cross-Domain-Policies | ❌ Missing | none | Header missing | Low | X-Permitted-Cross-Domain-Policies: none |
CORS
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Access-Control-Allow-Origin | ❌ Missing | Scoped origin (no wildcard) | Access-Control-Allow-Origin missing | Medium | Access-Control-Allow-Origin: https://app.example.com |
Information Disclosure
| Check name | Status | Actual | Expected | Detail | Severity | Recommendation |
|---|---|---|---|---|---|---|
| Server | ❌ Missing | Apache | Header removed or generic | Sensitive header exposed | High | Remove Server header or set to a generic token |
| X-Powered-By | ✅ Passed | Header removed | Header not exposed | High | Remove X-Powered-By header | |
| X-AspNet-Version | ✅ Passed | Header removed | Header not exposed | Medium | Remove framework version headers |
Raw headers
HTTP/2 200 date: Tue, 26 May 2026 06:30:17 GMT content-type: text/html content-length: 19166 server: Apache vary: X-Forwarded-Proto,Accept-Encoding last-modified: Mon, 18 May 2026 14:26:48 GMT etag: "4ade-652185a4dba00" accept-ranges: bytes strict-transport-security: max-age=31536000; includeSubDomains; preload referrer-policy: same-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block cache-control: no-cache, no-store, max-age=0, must-revalidate pragma: no-cache content-security-policy: script-src 'self' 'unsafe-eval' *.fonts.gstatic.com *.google-analytics.com *.googletagmanager.com *.paytm.in *.paytmpayments.com https://devpacs.kxstage.com *.googleapis.com https://*.kxstage.com:8443 *.agora.io *.agoraio.cn *.gstatic.com *.google.com *.jquery.com *.alpha.phit.in *.razorpay.com *.userway.org 'unsafe-inline'; object-src 'self'; font-src * data:; img-src 'self' *.fonts.gstatic.com *.google-analytics.com *.googletagmanager.com *.paytm.in *.paytmpayments.com https://devpacs.kxstage.com *.googleapis.com https://*.kxstage.com:8443 *.agora.io *.agoraio.cn *.gstatic.com *.google.com *.jquery.com *.alpha.phit.in *.razorpay.com *.userway.org 'unsafe-inline' data: blob:;