HTTP headers

wikipedia.org response headers

https://wikipedia.org/ HTTP 403 grade D
HEAD · 49ms
What this means

Several security headers are missing or misconfigured. Each missing header opens a specific class of attack surface — they're cheap to add at the reverse-proxy or framework level.

Security headers

F · Strict-Transport-Security — missing
No Strict-Transport-Security header. Add at least max-age=31536000; includeSubDomains.

D · Content-Security-Policy — missing
No Content-Security-Policy header. Even a basic policy mitigates a class of XSS attacks.

D · X-Frame-Options — missing
No X-Frame-Options header. Use CSP frame-ancestors 'none' (preferred) or X-Frame-Options: DENY.

C · X-Content-Type-Options — missing
No X-Content-Type-Options header. Add X-Content-Type-Options: nosniff.

C · Referrer-Policy — missing
No Referrer-Policy header. The browser default leaks the full URL on cross-origin requests.

C · Permissions-Policy — missing
No Permissions-Policy header. Without it, every browser API the page might not need (geolocation, camera, etc.) stays available.

Server & transport

Server: HAProxy

What to try next

Add HSTS first

Single line at the reverse proxy: Strict-Transport-Security: max-age=31536000; includeSubDomains.

Lock down framing

Either Content-Security-Policy: frame-ancestors 'none' (preferred) or X-Frame-Options: DENY.

Stop MIME sniffing

X-Content-Type-Options: nosniff — costs nothing, blocks one class of XSS.

All response headers (7)

content-length: 126
content-type: text/plain
server: HAProxy
x-analytics:
x-cache: cp1100 int
x-cache-status: int-tls
x-request-id: 68676757-68b4-4c8f-ab57-4c510ba40fb0

Methodology

Probe
We open a HEAD request to https://{host}/ (falling back to GET on 405 / 501), capture every response header, and grade the six load-bearing security headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The overall letter grade is the average of those six.
Counts as DOWN
The HEAD (and GET fallback) request fails to complete — DNS, TCP, TLS, or timeout. Nothing to grade.
Counts as DEGRADED
Reserved for grade C / D — common security headers present but weakened, or some missing. The probe still returns full data; the grade reflects production-readiness.
Detail
We do not test for known CVEs, fingerprint application versions, or attempt downgrade attacks. The probe is a single request — what the server returned to a generic client. CSP grading is intentionally crude (penalises wildcard sources and 'unsafe-eval'); a manual review is the right move for fine-grained CSP work.
Cadence
Every 5 minutes, in parallel across 4 monitoring regions (US East Virginia, US West Oregon, Europe London, Asia Singapore).
Rate-limited targets
If a host returns 429 or consistently drops connections from our IPs, we cap retries at 3 and report the last observed status — we do not flood the target to confirm the outage.
Data source
Direct probes from our monitoring infrastructure. We do not aggregate crowd reports, Twitter mentions, or DownDetector signals — every result on this page is a live network request.