
Security Score — HTTP Headers & OWASP — AISeen Docs

AISeen's Security Score: HSTS, CSP, X-Frame-Options and cookie flags, graded A to F against OWASP 2025 criteria.

HTTP Security Headers

These headers are sent from your server with every HTTP response. Each one prevents a specific class of attack.

Strict-Transport-Security (HSTS) — Critical — -15 pts if missing

Forces browsers to use HTTPS for all future requests. Prevents attackers from intercepting traffic by downgrading to HTTP.

Prevents: SSL stripping, protocol downgrade attacks
Recommended: max-age=31536000; includeSubDomains; preload

Content-Security-Policy (CSP) — Critical — -15 pts if missing

Defines allowed content sources. Prevents malicious scripts from loading even if an attacker injects them into your page.

Prevents: Cross-Site Scripting (XSS), data injection
Recommended: default-src 'self'; script-src 'self'; object-src 'none'

X-Content-Type-Options (XCTO) — High — -10 pts if missing

Prevents browsers from guessing a file's content type. Stops attackers from tricking the browser into executing a file as a different type.

Prevents: MIME sniffing, drive-by download attacks
Recommended: nosniff

X-Frame-Options (XFO) — High — -10 pts if missing

Controls whether your page can be loaded in an <iframe>. Prevents attackers from tricking users into clicking hidden buttons on your site.

Prevents: Clickjacking
Recommended: DENY or SAMEORIGIN
Referrer-Policy (RP) — Medium — -6 pts if missing

Controls how much referrer information is sent when users click links. Prevents leaking sensitive URL parameters to third-party sites.

Prevents: Referrer leakage (protects user privacy)
Recommended: strict-origin-when-cross-origin
Permissions-Policy (PP) — Medium — -6 pts if missing

Restricts what browser features third-party iframes can use. Prevents embedded content from accessing the camera, microphone, or location.

Prevents: Feature abuse (camera, mic, geolocation)
Recommended: camera=(), microphone=(), geolocation=()

Cross-Origin-Opener-Policy (COOP) — Medium — -6 pts if missing

Isolates your page's browsing context. Prevents other origins from accessing your window object, protecting against Spectre-type attacks.

Prevents: Cross-origin attacks, Spectre
Recommended: same-origin

X-XSS-Protection (XXP) — Low — -3 pts if missing

Legacy IE/Chrome XSS filter. Superseded by CSP but still checked for completeness. Modern browsers ignore it.

Prevents: Reflected XSS (legacy browsers)
Recommended: 1; mode=block

Cookie Security Flags

Flag       What it does
Secure     Cookie is only sent over HTTPS connections.
HttpOnly   Cookie cannot be read by JavaScript (prevents XSS theft).
SameSite   Controls cross-site cookie sending (prevents CSRF).

We check all cookies found in Set-Cookie response headers. Missing flags on session or auth cookies are flagged as High severity.
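The header and cookie checks described above, as an added Python example (this is not AISeen's scanner code): it parses a constructed raw HTTP response, compares each security header against the recommended value listed on this page, reports Set-Cookie entries that lack Secure, HttpOnly or SameSite, and collects the disclosing headers from the Information Leakage section. The SESSION_HINTS name heuristic, the "Low" severity for non-session cookies, and accepting the stricter referrer policies alongside the recommended one are assumptions of this example.

```python
# Added example, not AISeen's scanner: audit a raw HTTP response against the
# header and cookie checks described on this page.
from dataclasses import dataclass, field

def hsts_ok(value: str) -> bool:
    # Recommended: max-age=31536000; includeSubDomains; preload
    directives = {d.strip().lower() for d in value.split(";")}
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d[len("max-age="):])
            except ValueError:
                return False
    return max_age >= 31536000 and "includesubdomains" in directives

def csp_ok(value: str) -> bool:
    # Baseline from the recommendation: a default-src plus object-src 'none'
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return "default-src" in directives and directives.get("object-src") == ["'none'"]

# Header name -> predicate returning True when the value meets the recommendation.
CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    # Assumption: stricter policies are accepted alongside the recommended one.
    "referrer-policy": lambda v: v.strip().lower() in (
        "strict-origin-when-cross-origin", "strict-origin", "same-origin", "no-referrer"),
    "permissions-policy": lambda v: all(
        f"{f}=()" in v.replace(" ", "").lower() for f in ("camera", "microphone", "geolocation")),
    "cross-origin-opener-policy": lambda v: v.strip().lower() == "same-origin",
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
}
# Headers from the Information Leakage section that disclose server technology.
LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Assumption: cookies whose name contains one of these are treated as session/auth cookies.
SESSION_HINTS = ("sess", "auth", "token", "sid")

@dataclass
class Audit:
    missing: list = field(default_factory=list)  # recommended header absent
    weak: dict = field(default_factory=dict)     # present but below the recommended value
    cookies: list = field(default_factory=list)  # Set-Cookie entries with missing flags
    leaks: dict = field(default_factory=dict)    # disclosing headers and their values

def parse_headers(raw: str) -> list:
    """Split the head of a raw HTTP response into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.split("\r\n\r\n", 1)[0].splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or malformed line
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs

def audit_cookie(set_cookie: str) -> dict:
    """Report which of Secure / HttpOnly / SameSite a Set-Cookie value lacks."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]
    sensitive = any(hint in name.lower() for hint in SESSION_HINTS)
    # Page rule: missing flags on session/auth cookies are High. Assumption: others are Low.
    severity = None if not missing else ("High" if sensitive else "Low")
    return {"name": name, "missing": missing, "severity": severity}

def audit_response(raw: str) -> Audit:
    audit, present = Audit(), {}
    for name, value in parse_headers(raw):
        lname = name.lower()
        if lname == "set-cookie":
            result = audit_cookie(value)
            if result["missing"]:
                audit.cookies.append(result)
        elif lname in LEAK_HEADERS:
            audit.leaks[name] = value
        else:
            present.setdefault(lname, value)  # first occurrence wins
    for header, ok in CHECKS.items():
        if header not in present:
            audit.missing.append(header)
        elif not ok(present[header]):
            audit.weak[header] = present[header]
    return audit

# Constructed sample: HSTS too short, CSP absent, session cookie without Secure/SameSite.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.51\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax\r\n"
    "\r\n<html></html>"
)
```

Running `audit_response(SAMPLE_RESPONSE)` separates "absent" from "present but weak": the sample's HSTS is present yet lands in `weak` because its max-age is far below the recommended year, which is the case a simple presence check misses. Only the first occurrence of a non-cookie header is evaluated, while every Set-Cookie line is audited individually.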

Information Leakage

Server
  Risk: Reveals web server name and version (e.g., Apache 2.4.51)
  Fix:  Set to a generic value or remove the header.

X-Powered-By
  Risk: Reveals backend technology (e.g., PHP/8.1, Express)
  Fix:  Remove this header entirely in your server config.

X-AspNet-Version
  Risk: Reveals .NET version running on the server
  Fix:  Disable in web.config or server middleware.

How scoring works

Score starts at 100. Each missing or misconfigured security header deducts points based on its severity. Cookie flag issues and leakage headers add further deductions.

Critical   -15 pts per missing header
High       -10 pts per missing header
Medium      -6 pts per missing header
Low         -3 pts per missing header

Score ranges

80 – 100   Secure (Grade A)
All critical headers present. Your site defends against XSS, clickjacking, and MITM attacks. Excellent baseline security.

50 – 79    Partial (Grade C)
Some headers missing. High-severity gaps remain open. Add HSTS and CSP as a priority.

0 – 49     Exposed (Grade F)
Critical headers missing. Site is vulnerable to XSS, clickjacking, and downgrade attacks. Urgent fix needed.
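The scoring rules above, as an added Python example (not AISeen's implementation): the per-header severities and point values and the three published grade ranges are taken from this page. The page says cookie-flag and leakage findings "add further deductions" and that misconfigured headers also deduct, without giving amounts, so COOKIE_POINTS, LEAK_POINTS and charging a misconfigured header the same as a missing one are assumptions of this example.

```python
# Added example, not AISeen's implementation: the scoring model described on this page.
SEVERITY_POINTS = {"Critical": 15, "High": 10, "Medium": 6, "Low": 3}

HEADER_SEVERITY = {
    "strict-transport-security": "Critical",
    "content-security-policy": "Critical",
    "x-content-type-options": "High",
    "x-frame-options": "High",
    "referrer-policy": "Medium",
    "permissions-policy": "Medium",
    "cross-origin-opener-policy": "Medium",
    "x-xss-protection": "Low",
}

# The page says cookie and leakage findings "add further deductions" without giving
# amounts; these figures are assumptions of this example, not AISeen's weights.
COOKIE_POINTS = {"High": 10, "Low": 3}  # per cookie with missing flags, by severity
LEAK_POINTS = 3                          # per disclosing header (Server, X-Powered-By, ...)

# Score floors for the published ranges: 80-100 A, 50-79 C, 0-49 F.
GRADES = ((80, "A", "Secure"), (50, "C", "Partial"), (0, "F", "Exposed"))


def compute_score(missing, misconfigured=(), cookie_severities=(), leak_count=0):
    """Return (score, grade, label, deductions) from a header/cookie/leakage audit."""
    deductions = []
    # Assumption: a misconfigured header costs the same as a missing one.
    for header in list(missing) + list(misconfigured):
        severity = HEADER_SEVERITY[header]
        deductions.append((header, SEVERITY_POINTS[severity]))
    for severity in cookie_severities:
        deductions.append((f"cookie:{severity}", COOKIE_POINTS[severity]))
    if leak_count:
        deductions.append(("leakage-headers", LEAK_POINTS * leak_count))
    # Deductions can exceed 100 on a badly configured site; the score floors at 0.
    score = max(0, 100 - sum(points for _, points in deductions))
    _floor, grade, label = next(g for g in GRADES if score >= g[0])
    return score, grade, label, deductions


def priority_fixes(missing):
    """Order missing headers by severity so the highest-value fixes come first."""
    return sorted(missing, key=lambda h: SEVERITY_POINTS[HEADER_SEVERITY[h]], reverse=True)


if __name__ == "__main__":
    # Constructed finding set: five headers absent, HSTS misconfigured, two weak cookies, one leak.
    absent = ["content-security-policy", "referrer-policy", "permissions-policy",
              "cross-origin-opener-policy", "x-xss-protection"]
    print(compute_score(absent, ["strict-transport-security"], ["High", "Low"], 1))
    print(priority_fixes(absent))
```

The `deductions` list returned alongside the score is what makes the result actionable: it shows which finding cost how many points, and `priority_fixes` orders the missing headers so the two Critical ones (HSTS and CSP) are addressed first, matching the "add HSTS and CSP as a priority" advice for the Partial range.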
