HTTP headers

github.com response headers

https://github.com/ · HTTP 200 · grade A · HEAD · 13ms
What this means

Strong header hygiene — the major security headers are present and configured at modern defaults. Re-check after deploys; CSP is the one most likely to silently regress.

Security headers

A  Strict-Transport-Security
   max-age=31536000; includeSubdomains; preload

A  Content-Security-Policy
   default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com git

A  X-Frame-Options
   deny

A  X-Content-Type-Options
   nosniff

B  Referrer-Policy
   origin-when-cross-origin, strict-origin-when-cross-origin
   Referrer-Policy is "origin-when-cross-origin, strict-origin-when-cross-origin" — consider strict-origin-when-cross-origin.

C  Permissions-Policy
   — missing
   No Permissions-Policy header. Without it, every browser API the page might not need (geolocation, camera, etc.) stays available.

Warnings

Caching

Cache-Control: max-age=0, private, must-revalidate
ETag: W/"213a812aff5fe17816ae70983e6a7241"

Cookies (3)

_gh_sess   Secure; HttpOnly; SameSite=lax
_octo      Secure; HttpOnly; SameSite=lax
logged_in  Secure; HttpOnly; SameSite=lax

Server & transport

Server: github.com

What to try next

Lock in CSP

If your CSP is good today, set up a CSP report-only deploy gate to catch silent regressions.

Monitor

Re-run after every deploy. Most security-header regressions land via reverse-proxy config drift.

All response headers (16)

accept-ranges: bytes
cache-control: max-age=0, private, must-revalidate
content-language: en-US
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.gith
content-type: text/html; charset=utf-8
date: Sat, 25 Apr 2026 05:43:10 GMT
etag: W/"213a812aff5fe17816ae70983e6a7241"
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
server: github.com
set-cookie: _gh_sess=ZEpWJRJxIiz2D3%2FI79ne%2FIL9Whl44i6HhKhmeioaXyGBHwmu0eI12YP9vu88CWC%2BIzpSbZKbeef%2Bouo1k4kKTLTFyjrGfICAZhynwrNBGElZwtjPlIM44eE1SLVna3PfENtU4r%2FMrsTO1Y9tRaoRyjEmoBuVs2IWFkVA3VH0%2F1neKJJmyn%2F1UBmUFMYKy0F7aUWAkN2AweqxnzIAp2AXaR1bGSJ9QAZo%2B9aCieTO0UCsTRcuyId2%2BeaXmA6FxZMpxjpBnsHLWiUHmzRMoE4UvA%3D%3D--ct8lPaaKbToH%2BCti--8B%2FA4GkmK3fElkr37cq3qQ%3D%3D; path=/; HttpOnly; secure; SameSite=Lax, _octo=GH1.1.1218158515.1777095797; expires=Sun, 25 Apr 2027 05:43:17 GMT; domain=.github.com; path=/; secure; SameSite=Lax, logged_in=no; expires=Sun, 25 Apr 2027 05:43:17 GMT; domain=.github.com
strict-transport-security: max-age=31536000; includeSubdomains; preload
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Accept-Language, Sec-Fetch-Site, Accept-Encoding, Accept, X-Requested-With
x-content-type-options: nosniff
x-frame-options: deny
x-github-request-id: D70C:13071C:3A2C901:48E6426:69EC5475
x-xss-protection: 0

Methodology

Probe
We open a HEAD request to https://{host}/ (falling back to GET on 405 / 501), capture every response header, and grade the six load-bearing security headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The overall letter grade is the average of those six.

Counts as DOWN
The HEAD (and GET fallback) request fails to complete — DNS, TCP, TLS, or timeout. Nothing to grade.

Counts as DEGRADED
Reserved for grade C / D — common security headers present but weakened, or some missing. The probe still returns full data; the grade reflects production-readiness.

Detail
We do not test for known CVEs, fingerprint application versions, or attempt downgrade attacks. The probe is a single request — what the server returned to a generic client. CSP grading is intentionally crude (it penalises wildcard sources and 'unsafe-eval'); a manual review is the right move for fine-grained CSP work.

Cadence
Every 5 minutes, in parallel across 4 monitoring regions (US East Virginia, US West Oregon, Europe London, Asia Singapore).

Rate-limited targets
If a host returns 429 or consistently drops connections from our IPs, we cap retries at 3 and report the last observed status — we do not flood the target to confirm the outage.

Data source
Direct probes from our monitoring infrastructure. We do not aggregate crowd reports, Twitter mentions, or DownDetector signals — every result on this page is a live network request.