Results forcloudflare.com

www.cloudflare.com com

Registrar

Creation Date

DNSSEC

Security Headers Score

HTTPS Enabled

score-mid

/ 100 points

Issues Found (5)

Missing: content-security-policy
Recommendation: Controls resources the browser can load. Prevents XSS.
Missing: cross-origin-opener-policy
Recommendation: Controls cross-origin window access. Recommended: same-origin
Missing: cross-origin-resource-policy
Recommendation: Controls cross-origin resource access. Recommended: same-origin
Missing: cross-origin-embedder-policy
Recommendation: Controls cross-origin embedding. Recommended: require-corp
Missing recommended header: content-security-policy
Recommendation: Review and fix this security issue

Successes (8)

x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), camera=(), microphone=()
x-xss-protection: 1; mode=block
HSTS configured with max-age: 31536000 seconds
HTTPS is enabled

Security Headers (10)

Header	Value	Recommendation
`content-security-policy`	Not set	Controls resources the browser can load. Prevents XSS.
`x-content-type-options`	`nosniff`	Prevents MIME type sniffing. Should be 'nosniff'.
`x-frame-options`	`SAMEORIGIN`	Controls framing. Use CSP frame-ancestors instead.
`strict-transport-security`	`max-age=31536000; includeSubDomains`	Forces HTTPS. Recommended: max-age=31536000; includeSubDomains
`referrer-policy`	`strict-origin-when-cross-origin`	Controls referrer info. Recommended: strict-origin-when-cross-origin
`permissions-policy`	`geolocation=(), camera=(), microphone=()`	Controls browser features. Recommended: camera=(), microphone=(), geolocation=()
`x-xss-protection`	`1; mode=block`	Deprecated. Use Content-Security-Policy instead.
`cross-origin-opener-policy`	Not set	Controls cross-origin window access. Recommended: same-origin
`cross-origin-resource-policy`	Not set	Controls cross-origin resource access. Recommended: same-origin
`cross-origin-embedder-policy`	Not set	Controls cross-origin embedding. Recommended: require-corp

Raw Headers (32)

date:Sat, 18 Apr 2026 07:42:05 GMT

content-type:text/html; charset=utf-8

transfer-encoding:chunked

connection:keep-alive

vary:accept-encoding

strict-transport-security:max-age=31536000; includeSubDomains

permissions-policy:geolocation=(), camera=(), microphone=()

referrer-policy:strict-origin-when-cross-origin

x-content-type-options:nosniff

x-frame-options:SAMEORIGIN

x-xss-protection:1; mode=block

x-rm:GW

set-cookie:cf_willow_version_key=2e70aa1e-4335-47f1-9781-8c41b39870e8; Path=/; SameSite=Strict; Secure; HttpOnly

set-cookie:_cfms_willow=enable; Max-Age=1209600; path=/; domain=.www.cloudflare.com; SameSite=Strict; Secure

set-cookie:cf_willow_version_key=; Domain=www.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:cf_willow_version_key=; Domain=.www.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:cf_willow_version_key=; Domain=cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:cf_willow_version_key=; Domain=.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:_cfms_willow=; Domain=www.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:_cfms_willow=; Domain=.www.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:_cfms_willow=; Domain=cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:_cfms_willow=; Domain=.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:=; Domain=www.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:=; Domain=.www.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:=; Domain=cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:=; Domain=.cloudflare.com; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/

set-cookie:__cf_bm=FqLWOQzXqU3XK4_XfHVSVxvSWHDkg1.UVvpmyM_Iptw-1776498125.1663454-1.0.1.1-Y49Q7ETlpd0BvDiHCOo7b70eNWdIST9HfBmL8_ur9NrifBP60PxsAWLsJZ19g.WxhKnFsKZ3yY19cssdkDcyIUjffrM25ZrPdv4qLTnCCP7kb6Kc.ra.D357P7RqehH9KE9F3_jKGmJADSzr3YCoEQ; HttpOnly; Secure; Path=/; Domain=www.cloudflare.com; Expires=Sat, 18 Apr 2026 08:12:05 GMT

report-to:{"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=M%2FSU%2B7dtSnnuBBNG4iLTuWIRpg4aA8yR37swrd3nGdF%2FT9tuLM77z%2BYs1UMnORIlxHmZFFsxhNlAI9YsJWHZsKssmkdsxFgI5BhMnTXsrUb%2F9ldFF11DuRYy2QmMsf4%2BQwL3aQ%3D%3D"}]}

nel:{"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}

server:cloudflare

cf-ray:9ee207e24f5eb497-ARN

alt-svc:h3=":443"; ma=86400

Errors (5)

Missing header: content-security-policy
Missing header: cross-origin-opener-policy
Missing header: cross-origin-resource-policy
Missing header: cross-origin-embedder-policy
Missing recommended header: content-security-policy

Status

Header

Value

Recommendation

content-security-policy

Not set

Controls resources the browser can load. Prevents XSS.

x-content-type-options

nosniff

Prevents MIME type sniffing. Should be 'nosniff'.

x-frame-options

SAMEORIGIN

Controls framing. Use CSP frame-ancestors instead.

strict-transport-security

max-age=31536000; includeSubDomains

Forces HTTPS. Recommended: max-age=31536000; includeSubDomains

referrer-policy

strict-origin-when-cross-origin

Controls referrer info. Recommended: strict-origin-when-cross-origin

permissions-policy

geolocation=(), camera=(), microphone=()

Controls browser features. Recommended: camera=(), microphone=(), geolocation=()

x-xss-protection

1; mode=block

Deprecated. Use Content-Security-Policy instead.

cross-origin-opener-policy

Not set

Controls cross-origin window access. Recommended: same-origin

cross-origin-resource-policy

Not set

Controls cross-origin resource access. Recommended: same-origin

cross-origin-embedder-policy

Not set

Controls cross-origin embedding. Recommended: require-corp