HTTP headers

cloudflare.com response headers

https://cloudflare.com/ · HTTP 301 · grade D · HEAD · 32ms
What this means

Several security headers are missing or misconfigured. Each missing header opens a specific class of attack surface — they're cheap to add at the reverse-proxy or framework level.

Security headers

Grade C · Strict-Transport-Security: max-age=15780000; includeSubDomains
HSTS max-age is 15780000s. Best practice is ≥ 31536000 (1 year).

Grade D · Content-Security-Policy: missing
No Content-Security-Policy header. Even a basic policy mitigates a class of XSS attacks.

Grade D · X-Frame-Options: missing
No X-Frame-Options header. Use CSP frame-ancestors 'none' (preferred) or X-Frame-Options: DENY.

Grade C · X-Content-Type-Options: missing
No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff.

Grade C · Referrer-Policy: missing
No Referrer-Policy header. The browser default leaks the full URL on cross-origin requests.

Grade C · Permissions-Policy: missing
No Permissions-Policy header. Without it, every browser API the page might not need (geolocation, camera, etc.) stays available.

Warnings

Caching

Cache-Control: max-age=3600
Expires: Sat, 25 Apr 2026 06:40:10 GMT

Cookies (1)

__cf_bm · Secure · HttpOnly · SameSite

Server & transport

Server: cloudflare

What to try next

Add HSTS first

Single line at the reverse proxy: Strict-Transport-Security: max-age=31536000; includeSubDomains.

Lock down framing

Either Content-Security-Policy: frame-ancestors 'none' (preferred) or X-Frame-Options: DENY.

Stop MIME sniffing

X-Content-Type-Options: nosniff — costs nothing, blocks one class of XSS.

All response headers (14)

alt-svc: h3=":443"; ma=86400
cache-control: max-age=3600
cf-ray: 9f1b02ee091b9c67-IAD
connection: keep-alive
content-length: 167
content-type: text/html
date: Sat, 25 Apr 2026 05:40:10 GMT
expires: Sat, 25 Apr 2026 06:40:10 GMT
location: https://www.cloudflare.com/
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HQHxv2%2Fd9YnSgjbGOWrJz2%2FwtOEjWZL%2BXAGJP51fm2qm0M%2BBC3MvmlcZXLnXaKGTTcaVzAVdagAHQcety21JBUOYvD9doqTSmCk4rWvL7fRUQwWhdXu7N5za3moriAiv"}],"group":"cf-nel","max_age":604800}
server: cloudflare
set-cookie: __cf_bm=kNlEPBbP7zxoUTqBPizZxyughEILh81TLwGkh4FeW0k-1777095610-1.0.1.1-VM47KqdEELaMyXtJCwhxa6VWzhCSelsp1A6g7rIXalMkBqRRGXYeYrGUND56W_bJqR.Kt.ipugr_WfcqCNp6ohkdVXnNUxqMxQwquwpzVFg; path=/; expires=Sat, 25-Apr-26 06:10:10 GMT; domain=.cloudflare.com; HttpOnly; Secure
strict-transport-security: max-age=15780000; includeSubDomains

Methodology

Probe
We open a HEAD request to https://{host}/ (falling back to GET on 405 / 501), capture every response header, and grade the six load-bearing security headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The overall letter grade is the average of those six.
Counts as DOWN
The HEAD (and GET fallback) request fails to complete — DNS, TCP, TLS, or timeout. Nothing to grade.
Counts as DEGRADED
Reserved for grade C / D — common security headers present but weakened, or some missing. The probe still returns full data; the grade reflects production-readiness.
Detail
We do not test for known CVEs, fingerprint application versions, or attempt downgrade attacks. The probe is a single request — what the server returned to a generic client. CSP grading is intentionally crude (penalises wildcard sources and 'unsafe-eval'); a manual review is the right move for fine-grained CSP work.
Cadence
Every 5 minutes, in parallel across 4 monitoring regions (US East Virginia, US West Oregon, Europe London, Asia Singapore).
Rate-limited targets
If a host returns 429 or consistently drops connections from our IPs, we cap retries at 3 and report the last observed status — we do not flood the target to confirm the outage.
Data source
Direct probes from our monitoring infrastructure. We do not aggregate crowd reports, Twitter mentions, or DownDetector signals — every result on this page is a live network request.