SiteReveal checks 9 security signals covering every header evaluated by SecurityHeaders.io, OWASP, and Mozilla Observatory — plus AI-generated fix recommendations for each gap. This page documents exactly how each signal is detected, scored, and weighted.
The security dimension is scored out of 100 from 9 independent signals. It contributes 25% of the composite WIS™ score — the highest weight of any single dimension, reflecting the critical importance of security to user trust and search engine ranking.
Each signal is detected from live HTTP response headers and the rendered DOM. Click any header to see the exact detection logic, point value, and recommended fix.
Restricts which resources (scripts, styles, images) the browser may load. Prevents XSS attacks by blocking inline scripts and unauthorised external sources.
Start with a strict CSP: `default-src 'self'; script-src 'self' 'nonce-{random}'; object-src 'none'; base-uri 'none'`. Use the CSP Evaluator tool at csp-evaluator.withgoogle.com to validate.
Forces browsers to use HTTPS for all future requests, preventing SSL-stripping attacks and accidental HTTP connections.
Set `max-age` to at least 31536000 (1 year). Add `includeSubDomains` and `preload` once you are confident all subdomains support HTTPS.
Prevents the page from being embedded in iframes on other domains, blocking clickjacking attacks.
Use `DENY` unless you specifically need iframe embedding. If you do need embedding, use CSP's `frame-ancestors` directive instead — it supersedes X-Frame-Options in modern browsers.
Prevents browsers from MIME-sniffing a response away from the declared Content-Type, blocking content-injection attacks.
Always set `nosniff`. This is a one-liner with no downsides for correctly-typed responses.
Controls how much referrer information is sent with outbound requests. Prevents leaking sensitive URL paths to third-party analytics and ad networks.
Use `strict-origin-when-cross-origin` as the safe default. This sends the full URL for same-origin requests but only the origin for cross-origin requests.
Restricts which browser APIs (camera, microphone, geolocation, payment) the page and its iframes may access. Reduces the attack surface for malicious third-party scripts.
Disable all APIs you do not use: `Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()`. Allowlist only what your application genuinely requires.
Ensures that externally-hosted scripts and stylesheets have not been tampered with by verifying a cryptographic hash before execution.
Add `integrity` and `crossorigin` attributes to all `<script>` and `<link>` tags that load from CDNs. Generate hashes at srihash.org.
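The check a browser performs when it meets an `integrity` attribute, and the value srihash.org generates for you, can both be reproduced in a few lines. The following is an added example, not SiteReveal's or srihash.org's code; the script bytes and the CDN URL are constructed for illustration. It goes slightly beyond the text by handling an `integrity` attribute that lists several hashes, where the strongest algorithm present decides.

```python
# Added example: compute and verify Subresource Integrity (SRI) values.
# Hashing the exact bytes served, base64-encoding the digest and prefixing the
# algorithm name is what srihash.org does; comparing that value against the bytes
# actually received is what the browser does before it executes the script.
import base64
import hashlib

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    digest = ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Browser-style check: the attribute may list several hashes; the strongest
    recognised algorithm is used and any of its listed values may match."""
    candidates = {}
    for token in integrity.split():
        algorithm, _, value = token.partition("-")
        if algorithm in ALGORITHMS:
            candidates.setdefault(algorithm, set()).add(value.split("?")[0])  # drop options
    if not candidates:
        # A browser would load the resource unchecked here; this function is stricter
        # and reports it as unverified so an audit can flag the useless attribute.
        return False
    strongest = max(candidates, key=lambda a: ALGORITHMS[a]().digest_size)
    return sri_hash(content, strongest).partition("-")[2] in candidates[strongest]


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag with both attributes the text above asks for."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


# Constructed sample: the file as published, and a copy altered after publication.
ORIGINAL = b"window.greet = function () { return 'hello'; };\n"
TAMPERED = ORIGINAL + b"// one extra byte is enough to change the hash\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example/greet.js", ORIGINAL))  # hypothetical CDN URL
    print("original verifies:", sri_matches(ORIGINAL, sri_hash(ORIGINAL)))   # True
    print("tampered verifies:", sri_matches(TAMPERED, sri_hash(ORIGINAL)))   # False
```

The `crossorigin="anonymous"` attribute matters in practice: without it a cross-origin script is fetched in no-CORS mode and the browser cannot read the bytes to hash them, so it refuses to run the script rather than skipping the check.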
Isolates the browsing context from cross-origin documents, preventing Spectre-class side-channel attacks that can leak sensitive data from memory.
Set `same-origin` for maximum isolation. If you use OAuth popups or payment flows that open cross-origin windows, use `same-origin-allow-popups` instead.
All traffic must be served over HTTPS with a valid TLS certificate. HTTP connections expose user data to interception and are penalised by Google in search rankings.
Use TLS 1.2 or 1.3. Disable TLS 1.0 and 1.1. Use a certificate from a trusted CA (Let's Encrypt is free). Redirect all HTTP to HTTPS with a 301.
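As an added example (not SiteReveal's detection code, and not its point values, which this page does not list), here is a header audit in Python that applies the thresholds stated above to a set of response headers. It covers the seven signals that live in headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy. SRI is checked in the DOM and HTTPS in the TLS connection, so both are out of scope here. The two sample header sets are constructed, not captured from any real site.

```python
# Added example, not SiteReveal's own detection code: grade one response's headers
# against the recommendations above. Each checker returns (passed, detail); the rules
# are the page's stated thresholds, and SiteReveal's point values are not reproduced.
import re
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # minimum HSTS max-age recommended above
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}  # never send the path cross-origin
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment")
Finding = Tuple[bool, str]  # (passed, detail)

def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), None)

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    parts = (p.split() for p in value.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def check_csp(value: Optional[str]) -> Finding:
    if value is None:
        return False, "missing"
    csp, problems = parse_csp(value), []
    if "default-src" not in csp:
        problems.append("no default-src fallback")
    if csp.get("object-src") != ["'none'"]:
        problems.append("object-src is not 'none'")
    script = csp.get("script-src", csp.get("default-src", []))
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        problems.append("script-src allows 'unsafe-inline' without a nonce or hash")
    return not problems, "; ".join(problems) or "ok"

def check_hsts(value: Optional[str]) -> Finding:
    if value is None:
        return False, "missing"
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return False, "no max-age"
    if int(match.group(1)) < ONE_YEAR:
        return False, f"max-age {match.group(1)} is below one year"
    extras = [d for d in ("includeSubDomains", "preload") if d.lower() in value.lower()]
    return True, "ok (" + ", ".join(extras) + ")" if extras else "ok"

def check_frame_options(xfo: Optional[str], csp: Optional[str]) -> Finding:
    # CSP frame-ancestors supersedes X-Frame-Options, so either one satisfies the signal
    if csp is not None and "frame-ancestors" in parse_csp(csp):
        return True, "frame-ancestors set in CSP"
    if xfo is not None and xfo.upper() in ("DENY", "SAMEORIGIN"):
        return True, xfo.upper()
    return False, "missing or unrecognised value"

def check_referrer_policy(value: Optional[str]) -> Finding:
    if value is None:
        return False, "missing"
    policy = value.split(",")[-1].strip().lower()  # browsers apply the last listed policy
    if policy in SAFE_REFERRER:
        return True, policy
    return False, f"{policy} can send the URL path to other origins"

def check_permissions_policy(value: Optional[str]) -> Finding:
    if value is None:
        return False, "missing"
    named = {item.split("=", 1)[0].strip().lower() for item in value.split(",") if "=" in item}
    missing = [f for f in SENSITIVE_FEATURES if f not in named]
    return True, ("present, but no policy for " + ", ".join(missing)) if missing else "ok"

def audit_headers(headers: Dict[str, str]) -> Dict[str, Finding]:
    csp = get_header(headers, "Content-Security-Policy")
    nosniff = get_header(headers, "X-Content-Type-Options")
    coop = get_header(headers, "Cross-Origin-Opener-Policy")
    return {
        "csp": check_csp(csp),
        "hsts": check_hsts(get_header(headers, "Strict-Transport-Security")),
        "frame": check_frame_options(get_header(headers, "X-Frame-Options"), csp),
        "nosniff": (True, "ok") if nosniff is not None and nosniff.lower() == "nosniff" else (False, "missing"),
        "referrer": check_referrer_policy(get_header(headers, "Referrer-Policy")),
        "permissions": check_permissions_policy(get_header(headers, "Permissions-Policy")),
        "coop": (True, coop.lower()) if coop is not None and coop.lower() in ("same-origin", "same-origin-allow-popups") else (False, "missing or unsafe-none"),
    }

def passed_count(findings: Dict[str, Finding]) -> int:
    return sum(1 for ok, _ in findings.values() if ok)

# Constructed sample responses, not captured from any real site
WEAK = {"Strict-Transport-Security": "max-age=3600", "Referrer-Policy": "unsafe-url"}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_headers(hdrs)
        print(label, f"{passed_count(findings)}/{len(findings)} signals pass", findings)
```

To run it against a live site, collect the headers with any HTTP client and pass the response's header mapping to `audit_headers`; the functions only ever see header strings, so the same code works on a saved HAR file or a proxy capture.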
All three tools check overlapping sets of security headers. Here is how they compare on coverage, AI insights, and historical tracking.
| Tool | Headers checked | Free | AI fixes | Score history | Notes |
|---|---|---|---|---|---|
| SiteReveal | 9 | | Yes | Yes | All 9 headers + AI recommendations + score history |
| SecurityHeaders.io | 8 | | No | No | Gold standard for header grading; no AI insights or history |
| Mozilla Observatory | 11 | | No | | Broader checks including cookies and redirects; no AI |
| OWASP ZAP | 30 | | | | Full DAST scanner; requires installation; not a quick check |
Get a full 9-signal security audit with AI fix recommendations in under 30 seconds. No account required.