Security Module
Module ID: security | Type: Core (always enabled) | Weight: 25%
The Security module checks HTML for mixed content and inline script risks, and when HTTP response headers are available, validates the presence and configuration of critical security headers.
What It Checks
| Check | What It Looks For |
|---|---|
| HSTS | Strict-Transport-Security header with adequate max-age |
| CSP | Content-Security-Policy header present and not overly permissive |
| X-Frame-Options | Protection against clickjacking |
| X-Content-Type-Options | nosniff to prevent MIME-type sniffing |
| Referrer-Policy | Controls referrer information leakage |
| Permissions-Policy | Restricts access to browser features (camera, mic, geolocation) |
| Mixed content | HTTP resources loaded on HTTPS pages |
| External link safety | rel="noopener" on target="_blank" links |
| Inline scripts | Detects inline scripts that could indicate XSS vectors |
Scoring Breakdown
| Criterion | Deduction | Condition |
|---|---|---|
| Missing HSTS | -15 | No Strict-Transport-Security header |
| HSTS max-age too low | -5 | max-age below 31536000 (1 year) |
| Missing CSP | -15 | No Content-Security-Policy header |
| CSP uses unsafe-inline | -5 | Allows inline scripts/styles |
| CSP uses unsafe-eval | -5 | Allows eval() |
| Missing X-Frame-Options | -10 | No clickjacking protection |
| Missing X-Content-Type-Options | -5 | No MIME sniffing protection |
| Missing Referrer-Policy | -5 | No referrer control |
| Missing Permissions-Policy | -5 | No feature restriction |
| Mixed content found | -10 per resource | HTTP resources on HTTPS pages |
| External links without noopener | -3 | target="_blank" without rel="noopener" |
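The header portion of the scoring table, worked through as an added example (this is not FAT Agent's own code). It takes a dict of response headers, applies each deduction listed above, and returns the score with the criteria that fired; the starting score of 100 and the zero floor are assumptions, since the page does not state them.

```python
import re
ONE_YEAR = 31536000  # HSTS max-age the scoring table treats as the minimum

def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def score_headers(raw_headers):
    """Apply the header deductions from the scoring table to one response.
    Assumption (not stated on the page): the module score starts at 100 and
    is floored at 0. Returns (score, [(criterion, deduction), ...]).
    """
    h = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Missing HSTS", -15))
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:  # a missing max-age is treated as too low
            findings.append(("HSTS max-age too low", -5))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Missing CSP", -15))
    else:
        if "'unsafe-inline'" in csp:
            findings.append(("CSP uses unsafe-inline", -5))
        if "'unsafe-eval'" in csp:
            findings.append(("CSP uses unsafe-eval", -5))
    for name, criterion, deduction in [
        ("x-frame-options", "Missing X-Frame-Options", -10),
        ("x-content-type-options", "Missing X-Content-Type-Options", -5),
        ("referrer-policy", "Missing Referrer-Policy", -5),
        ("permissions-policy", "Missing Permissions-Policy", -5),
    ]:
        if name not in h:
            findings.append((criterion, deduction))
    return max(0, 100 + sum(d for _, d in findings)), findings

# Constructed sample response: HSTS set for one day only, CSP present but
# allowing inline scripts, no clickjacking protection, no Permissions-Policy.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

The sample above loses 25 points (HSTS too low, unsafe-inline, no X-Frame-Options, no Permissions-Policy); a response with no security headers at all scores 45.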
Auto-Detection
This module is always enabled. It runs on every audit.
When response headers are not available (e.g. when analysing a static HTML file), the module checks only HTML-level signals (mixed content, external links, inline scripts) and notes that header checks were skipped.
Example Findings
P0 CRITICAL: Missing Content-Security-Policy header
Without a CSP, the site is vulnerable to cross-site scripting (XSS) attacks.
Browsers will load scripts from any origin.
Fix: Add a Content-Security-Policy header. Start with a report-only policy
to identify what needs whitelisting.
Effort: Medium
P1 HIGH: Mixed content detected (3 resources)
HTTP resources are loaded on an HTTPS page, triggering browser warnings
and potentially breaking functionality.
Fix: Update all resource URLs to use HTTPS.
Effort: Low
P2 MEDIUM: HSTS max-age below recommended minimum
Current max-age is 86400 (1 day). Recommended minimum is 31536000 (1 year)
for HSTS preload eligibility.
Fix: Set max-age=31536000; includeSubDomains; preload
Effort: Low
Platform-Specific Fixes
FAT Agent includes fix references for configuring security headers on:
- Nginx -- add_header directives
- Apache -- .htaccess Header rules
- Netlify -- _headers file or netlify.toml
- Vercel -- vercel.json headers configuration
- Cloudflare Pages -- _headers file
- Next.js -- next.config.js headers array
- Docker -- Nginx config within container
Related
- DNS & Infrastructure module -- checks DNSSEC, CAA, SSL expiry
- Cookie & GDPR module -- checks consent and privacy compliance