Security Headers Agent
security.check.js

What This Agent Does
The Security Headers Agent examines HTTP response headers that protect against common web vulnerabilities like XSS, clickjacking, MIME-type sniffing, and insecure connections.
Category Information
| Property | Value |
|---|---|
| Category Name | Security & HTTPS |
| Category Icon | lock |
| Source File | src/checks/security.check.js |
Headers Checked

Each header is listed with the severity the agent assigns to its check and the attack class it mitigates.

| Header | Severity | Purpose |
|---|---|---|
| Content-Security-Policy (CSP) | High | Restricts which resources can be loaded, preventing XSS and data injection attacks. |
| Strict-Transport-Security (HSTS) | Critical | Forces browsers to use HTTPS, preventing downgrade attacks. |
| X-Frame-Options | High | Prevents clickjacking by controlling iframe embedding. |
| X-Content-Type-Options | Medium | Prevents MIME-type sniffing attacks. |
| X-XSS-Protection | Low | Legacy XSS filter (deprecated but still checked). |
| Referrer-Policy | Medium | Controls what referrer information is sent with requests. |
| Permissions-Policy | Medium | Controls which browser features can be used. |

Data Sources
Primary Input
HTTP response headers from the target URL obtained via axios.get()
Libraries Used
axios: HTTP client for fetching the target URL
How Headers Are Read

```js
const axios = require('axios');

async function fetchSecurityHeaders(url) {
  const response = await axios.get(url, { timeout: 15000 });
  // axios normalises header names to lowercase, so lookups use lowercase keys
  const headers = response.headers;
  // Check for specific headers (undefined when the server did not send them)
  const csp = headers['content-security-policy'];
  const hsts = headers['strict-transport-security'];
  return { csp, hsts };
}
```
Score Calculation
Each security header contributes to the overall Security score based on:
- Presence of the header
- Proper configuration (not just present, but correctly set)
- Severity weighting of the check
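The following is an added example, not the project's own `security.check.js`, showing how the three factors above combine into a score: each header's severity carries a weight, a present-but-weak value earns partial credit, and a missing header earns none. The weights, the configuration thresholds (such as a one-year HSTS `max-age`), the credit scheme and the sample headers are all assumptions constructed for illustration.

```javascript
// Added example: score a headers object by presence, configuration and severity.
// Weights and rules are assumptions, not the project's actual values.
const WEIGHTS = { critical: 4, high: 3, medium: 2, low: 1 };
// Credit per status: pass earns the full weight, warn half, fail nothing.
const CREDIT = { pass: 1, warn: 0.5, fail: 0 };

// Each rule inspects a header value that is known to be present and returns 'pass' or 'warn'.
const RULES = [
  { name: 'Strict-Transport-Security', key: 'strict-transport-security', severity: 'critical',
    // assumed threshold: max-age of at least one year counts as properly configured
    check: v => { const m = /max-age=(\d+)/i.exec(v);
                  return m && Number(m[1]) >= 31536000 ? 'pass' : 'warn'; } },
  { name: 'Content-Security-Policy', key: 'content-security-policy', severity: 'high',
    check: v => /unsafe-inline|unsafe-eval/i.test(v) ? 'warn' : 'pass' },
  { name: 'X-Frame-Options', key: 'x-frame-options', severity: 'high',
    check: v => /^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? 'pass' : 'warn' },
  { name: 'X-Content-Type-Options', key: 'x-content-type-options', severity: 'medium',
    check: v => v.trim().toLowerCase() === 'nosniff' ? 'pass' : 'warn' },
  { name: 'Referrer-Policy', key: 'referrer-policy', severity: 'medium', check: () => 'pass' },
  { name: 'Permissions-Policy', key: 'permissions-policy', severity: 'medium', check: () => 'pass' },
  { name: 'X-XSS-Protection', key: 'x-xss-protection', severity: 'low', check: () => 'pass' },
];

function evaluateHeaders(headers) {
  // axios already lower-cases names; normalise here so a raw object works as input too
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const checks = RULES.map(r => {
    const value = h[r.key];
    const status = value === undefined ? 'fail' : r.check(value);
    const description = value === undefined ? `${r.name} header missing`
                                            : `${r.name} present (${status})`;
    return { name: r.name, status, description, severity: r.severity };
  });
  const max = RULES.reduce((sum, r) => sum + WEIGHTS[r.severity], 0);
  const earned = checks.reduce((sum, c) => sum + WEIGHTS[c.severity] * CREDIT[c.status], 0);
  return { category: 'Security & HTTPS', icon: 'lock',
           score: Math.round((100 * earned) / max), checks };
}

// Constructed sample response headers (not captured from any real site)
const SAMPLE_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
};
const REPORT = evaluateHeaders(SAMPLE_HEADERS); // score 62: CSP warns, three headers missing
```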
Return Value

The agent returns an object of the following shape (shown as a schema, not literal code):

```js
{
  category: 'Security & HTTPS',
  icon: 'lock',
  score: 0-100,
  checks: [
    {
      name: 'Content-Security-Policy',
      status: 'pass' | 'fail' | 'warn',
      description: 'CSP header present and properly configured',
      severity: 'high'
    },
    // ... more header checks
  ]
}
```