Security Report Summary

Raw Headers

Values that did not survive extraction in this copy are marked as not legible.

HTTP/1.1 (status line; status code not legible)
Content-Length: (value not legible)
Content-Type: text/html;charset=UTF-8
Last-Modified: (value not legible)
Accept-Ranges: (value not legible)
ETag: (value not legible)
Set-Cookie: JSESSIONID=08952A418A6F1E23BBED9F6B4A7AD76D; Path=/ptavenezia/; HttpOnly
Content-Security-Policy: frame-ancestors 'self'
X-Content-Security-Policy: (value not legible)
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Powered-By: ARR/3.0
Date: Fri, 22 Jul 2016 09:08:54 GMT
Server: (value not legible)

Additional Information

Server: This Server header seems to advertise the software being run on the server, but you can remove or change this value.

Content-Security-Policy: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Note that the policy captured here consists only of frame-ancestors 'self', which restricts who may frame the page; without a default-src or script-src directive it does not restrict where scripts are loaded from, so it provides the clickjacking defence but not the XSS protection described.

X-Content-Security-Policy: Required for CSP support in IE 10 and IE 11. For other modern browsers the Content-Security-Policy header should be used.

X-Content-Type-Options: Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content type. The only valid value for this header is "X-Content-Type-Options: nosniff".

X-Frame-Options: Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block". The captured value is a bare 1, which enables the filter without block mode.

X-Powered-By: Can usually be seen with values like "PHP/5.5.9-1ubuntu4.5" or "ASP.NET". Trying to minimise the amount of information you give out about your server is a good idea. This header seems to have been altered to remove such information, but could still be removed; the captured value, ARR/3.0, still identifies the IIS Application Request Routing component in front of the application.

A scotthelme.co.uk project - CC-BY-SA 4.0
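The checks the report applies to each header, worked through in code. This is an added example, not securityheaders.io code or anything from the scanned site; the captured response is reconstructed from the raw headers above (the status code is assumed to be 200 and headers whose values were not legible are left out), and the hardened response is a constructed variant with the fixes the report recommends.

```python
"""Minimal security-header check in the spirit of the report above.
Added example, not code from securityheaders.io or the scanned site."""
from __future__ import annotations

from collections import defaultdict

# Constructed sample: the response captured in the report above. The status
# code is assumed; headers whose values were not legible are omitted.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=08952A418A6F1E23BBED9F6B4A7AD76D; Path=/ptavenezia/; HttpOnly
Content-Security-Policy: frame-ancestors 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Powered-By: ARR/3.0
Date: Fri, 22 Jul 2016 09:08:54 GMT
"""

# Constructed sample: the same response with the fixes the report recommends.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Fri, 22 Jul 2016 09:08:54 GMT
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head into {lowercase name: [values]}.
    The status line is skipped and repeated headers (Set-Cookie) are kept."""
    headers: dict[str, list[str]] = defaultdict(list)
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]
    for line in lines:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_headers(headers: dict[str, list[str]]) -> dict[str, tuple[str, str]]:
    """Return {header: (status, note)}; status is pass, warn, missing or info."""
    f: dict[str, tuple[str, str]] = {}

    csp = headers.get("content-security-policy")
    if not csp:
        f["content-security-policy"] = ("missing", "no CSP, nothing whitelists script sources")
    else:
        d = parse_csp(csp[0])
        src = d.get("script-src", d.get("default-src"))
        if src is None:
            f["content-security-policy"] = ("warn", "no default-src or script-src: restricts framing only, not XSS")
        elif "'unsafe-inline'" in (s.lower() for s in src):
            f["content-security-policy"] = ("warn", "'unsafe-inline' in the script source list defeats XSS protection")
        else:
            f["content-security-policy"] = ("pass", "script sources are whitelisted")

    xcto = headers.get("x-content-type-options", [""])[0].strip().lower()
    if xcto == "nosniff":
        f["x-content-type-options"] = ("pass", "nosniff")
    elif xcto:
        f["x-content-type-options"] = ("warn", f"{xcto!r} is not valid; the only valid value is nosniff")
    else:
        f["x-content-type-options"] = ("missing", "browser may MIME-sniff responses")

    xfo = headers.get("x-frame-options", [""])[0].strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        f["x-frame-options"] = ("pass", xfo)
    elif xfo.startswith("ALLOW-FROM"):
        f["x-frame-options"] = ("warn", "ALLOW-FROM is not honoured by all browsers; use CSP frame-ancestors")
    elif xfo:
        f["x-frame-options"] = ("warn", f"{xfo!r} is not a valid value")
    else:
        f["x-frame-options"] = ("missing", "page can be framed (clickjacking)")

    # Normalise spacing so "1; mode=block" and "1;mode=block" compare equal.
    xxp = "".join(headers.get("x-xss-protection", [""])[0].split()).lower()
    if xxp == "1;mode=block":
        f["x-xss-protection"] = ("pass", "1; mode=block")
    elif xxp == "1":
        f["x-xss-protection"] = ("warn", "filter enabled but not in block mode; use 1; mode=block")
    elif xxp == "0":
        f["x-xss-protection"] = ("warn", "browser XSS filter explicitly disabled")
    elif xxp:
        f["x-xss-protection"] = ("warn", f"unrecognised value {xxp!r}")
    else:
        f["x-xss-protection"] = ("missing", "browser XSS filter not configured")

    for name in ("server", "x-powered-by"):
        vals = headers.get(name)
        if vals:
            f[name] = ("info", f"advertises {vals[0]!r}; remove or neutralise this header")
        else:
            f[name] = ("pass", "not sent")
    return f


def scan(raw: str) -> dict[str, tuple[str, str]]:
    return check_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, raw in (("captured", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for name, (status, note) in scan(raw).items():
            print(f"{status:<8} {name}: {note}")
```

Run against the captured response, the checker flags the same points the report does: the CSP carries no script-source directive, X-XSS-Protection is missing mode=block, and X-Powered-By still names software. The hardened variant passes every check. Paste the head of any other response (for example from `curl -sI`) into `scan()` to apply the same rules.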
