HTTP headers

cloudflare.com response headers

https://cloudflare.com/ HTTP 301 grade D
HEAD · 50ms
What this means

Several security headers are missing or misconfigured. Each missing header opens a specific class of attack surface — they're cheap to add at the reverse-proxy or framework level.

Security headers

Grade C: Strict-Transport-Security: max-age=15780000; includeSubDomains
  HSTS max-age is 15780000s. Best practice is ≥ 31536000 (1 year).

Grade D: Content-Security-Policy: missing
  No Content-Security-Policy header. Even a basic policy mitigates a class of XSS attacks.

Grade D: X-Frame-Options: missing
  No X-Frame-Options header. Use CSP frame-ancestors 'none' (preferred) or X-Frame-Options: DENY.

Grade C: X-Content-Type-Options: missing
  No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff.

Grade C: Referrer-Policy: missing
  No Referrer-Policy header. The browser default leaks the full URL on cross-origin requests.

Grade C: Permissions-Policy: missing
  No Permissions-Policy header. Without it, every browser API the page might not need (geolocation, camera, etc.) stays available.

Warnings

Caching

Cache-Control
max-age=3600
Expires
Thu, 30 Apr 2026 01:00:12 GMT

Cookies (1)

__cf_bm: Secure, HttpOnly (no SameSite attribute appears in the Set-Cookie header listed below)

Server & transport

Server
cloudflare

What to try next

Fix HSTS first

Single line at the reverse proxy, raising max-age to a full year: Strict-Transport-Security: max-age=31536000; includeSubDomains.

Lock down framing

Either Content-Security-Policy: frame-ancestors 'none' (preferred) or X-Frame-Options: DENY.

Stop MIME sniffing

X-Content-Type-Options: nosniff — costs nothing, blocks one class of XSS.

All response headers (14)

alt-svc: h3=":443"; ma=86400
cache-control: max-age=3600
cf-ray: 9f4243cc9b7a3934-IAD
connection: keep-alive
content-length: 167
content-type: text/html
date: Thu, 30 Apr 2026 00:00:12 GMT
expires: Thu, 30 Apr 2026 01:00:12 GMT
location: https://www.cloudflare.com/
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2H1ap7mutzVGhp7wiklQqgcdMIFGirUJJec6aglO1coWT%2FsI8iHCYrUCCazngLViZiohhxU7X8VGSE2XrXXhkmCzwySWqfYXY17qXR1TTz3%2BWu%2FAgUNiGHKR%2B%2FjdEi0Q"}],"group":"cf-nel","max_age":604800}
server: cloudflare
set-cookie: __cf_bm=gCFamgpFDR8r.IFhJyhA0JWqhMgdS2sV1ksvtcxjxxk-1777507212-1.0.1.1-XabLSNonaF3GaqiubujAbwFRcDTeUJTRK762aDNxQzGh5OxeAbuLtgttJP5bmZT_cgDsBAx3YOUqaVDXUJy_YUTtohK8pMoCl7OLvEZUyMI; path=/; expires=Thu, 30-Apr-26 00:30:12 GMT; domain=.cloudflare.com; HttpOnly; Secure
strict-transport-security: max-age=15780000; includeSubDomains

Methodology

Probe
We open a HEAD request to https://{host}/ (falling back to GET on 405 / 501), capture every response header, and grade the six load-bearing security headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The overall letter grade is the average of those six.
Counts as DOWN
The HEAD (and GET fallback) request fails to complete — DNS, TCP, TLS, or timeout. Nothing to grade.
Counts as DEGRADED
Reserved for grade C / D — common security headers present but weakened, or some missing. The probe still returns full data; the grade reflects production-readiness.
Detail
We do not test for known CVEs, fingerprint application versions, or attempt downgrade attacks. The probe is a single request — what the server returned to a generic client. CSP grading is intentionally crude (penalises wildcard sources and 'unsafe-eval'); a manual review is the right move for fine-grained CSP work.
Cadence
Every 5 minutes, in parallel across 4 monitoring regions (US East Virginia, US West Oregon, Europe London, Asia Singapore).
Rate-limited targets
If a host returns 429 or consistently drops connections from our IPs, we cap retries at 3 and report the last observed status — we do not flood the target to confirm the outage.
Data source
Direct probes from our monitoring infrastructure. We do not aggregate crowd reports, Twitter mentions, or DownDetector signals — every result on this page is a live network request.