Security Headers Checker · dev-docs

Reading the Output

How to interpret the checker's findings without over- or under-reading them.

status: Published
slug: reading-the-output
published: Apr 20, 2026

Each header in the report has three possible outcomes:

  1. Present and reasonable — the header exists and its value matches a common baseline.
  2. Present but weak — the header exists but its value is permissive (for example a CSP containing unsafe-inline).
  3. Missing — the header is not set at all.

A missing header is not always a problem

A CSP, for instance, can be expensive to roll out on a large legacy site and is sometimes replaced by other controls (a server-side sanitizer, a WAF, SRI on all script tags). The absence of a header is a question worth asking, not a verdict.

Turning findings into actions

  • Write down what you saw and the date you saw it — headers change.
  • Map each finding to a specific threat model (clickjacking, XSS, downgrade, etc.).
  • Prioritize by blast radius (authenticated pages vs. the marketing homepage).
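The following is an added example (not code from the checker itself) that applies the three outcomes above to a set of response headers and then carries each finding through the three action steps: it records the observation date, tags the finding with the threat it relates to, and orders findings by blast radius. The sample headers, the header-to-threat mapping, the one-year HSTS max-age baseline and the page-class priority rule are all assumptions of the example.

```python
"""Classify security headers into the checker's three outcomes and turn them into findings."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

REASONABLE = "present and reasonable"
WEAK = "present but weak"
MISSING = "missing"

# Baseline used by this example for HSTS: one year in seconds (an assumption).
HSTS_MIN_MAX_AGE = 31536000

# Threat each header is mapped to so every finding carries its threat model (assumed mapping).
THREATS = {
    "content-security-policy": "XSS",
    "x-frame-options": "clickjacking",
    "strict-transport-security": "TLS downgrade",
    "x-content-type-options": "MIME sniffing",
}


@dataclass
class Finding:
    header: str
    outcome: str
    threat: str
    value: Optional[str]
    reason: str
    observed_on: date   # headers change, so the date of observation is part of the record
    priority: int       # 1 = act first, 3 = nothing to do


def check_csp(value: str) -> Tuple[str, str]:
    """Weak when the effective script sources contain permissive tokens."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return WEAK, "no script-src or default-src directive"
    permissive = [t for t in ("'unsafe-inline'", "'unsafe-eval'", "*") if t in sources]
    if permissive:
        return WEAK, "script sources allow " + ", ".join(permissive)
    return REASONABLE, "script sources restricted"


def check_hsts(value: str) -> Tuple[str, str]:
    """Weak when max-age is absent, malformed or below the example's one-year baseline."""
    max_age = None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return WEAK, "max-age is not an integer"
    if max_age is None:
        return WEAK, "no max-age directive"
    if max_age < HSTS_MIN_MAX_AGE:
        return WEAK, f"max-age {max_age} is below {HSTS_MIN_MAX_AGE}"
    return REASONABLE, f"max-age {max_age}"


def check_xfo(value: str) -> Tuple[str, str]:
    """Only DENY and SAMEORIGIN are treated as reasonable; ALLOW-FROM is deprecated."""
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return REASONABLE, v
    return WEAK, f"unexpected value {value!r}"


def check_xcto(value: str) -> Tuple[str, str]:
    if value.strip().lower() == "nosniff":
        return REASONABLE, "nosniff"
    return WEAK, f"value {value!r} is not nosniff"


CHECKS: Dict[str, Callable[[str], Tuple[str, str]]] = {
    "content-security-policy": check_csp,
    "x-frame-options": check_xfo,
    "strict-transport-security": check_hsts,
    "x-content-type-options": check_xcto,
}


def priority(outcome: str, page_class: str) -> int:
    """Blast-radius rule (assumed): weak/missing on authenticated pages comes first."""
    if outcome == REASONABLE:
        return 3
    return 1 if page_class == "authenticated" else 2


def classify(headers: Dict[str, str], page_class: str, observed_on: date) -> List[Finding]:
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name, check in CHECKS.items():
        value = lowered.get(name)
        if value is None:
            # A missing header is a question, not a verdict: note it and look for compensating controls.
            outcome, reason = MISSING, "not set; check for compensating controls"
        else:
            outcome, reason = check(value)
        findings.append(Finding(name, outcome, THREATS[name], value, reason,
                                observed_on, priority(outcome, page_class)))
    return sorted(findings, key=lambda f: f.priority)


# Constructed sample response headers: a CSP with 'unsafe-inline', a short HSTS, no X-Frame-Options.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}


def sample_report(page_class: str = "authenticated") -> List[Finding]:
    return classify(SAMPLE_HEADERS, page_class, date(2026, 4, 20))


if __name__ == "__main__":
    for f in sample_report():
        print(f"[{f.priority}] {f.observed_on} {f.header}: {f.outcome} ({f.threat}) - {f.reason}")
```

Run it as a script to print the sorted findings; the "missing" outcome deliberately carries a reason that sends you to look for compensating controls rather than recording a failure.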