# Security Rules

Rules for validating security best practices.

## security-headers

Validates the presence of security HTTP headers.
### Checked Headers

- Content-Security-Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security (HSTS)
- Referrer-Policy
- Permissions-Policy

### Requires

The HTTP response headers must be passed to the analyzer. The CLI passes them automatically for live URLs.
### Examples

Info (missing headers):

```html
<!-- Response headers -->
<!-- Info: Missing Content-Security-Policy header -->
<!-- Info: Missing X-Frame-Options header -->
<!-- Info: Missing HSTS header (for HTTPS sites) -->
```

Pass:

```http
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
```

### Configuration

```js
rules: {
  'security-headers': {
    severity: 'info',
  },
}
```
## https

Checks that the page uses HTTPS and detects mixed content.

### Checks

- Page URL uses HTTPS
- No HTTP resources on HTTPS pages
- No mixed active content (scripts, iframes)
- No mixed passive content (images)

### Examples

Warning (HTTP page):

```text
Analyzing: http://example.com
<!-- Warning: Page not using HTTPS -->
```

Warning (mixed content):

```html
<!-- Page: https://example.com -->
<script src="http://cdn.example.com/app.js"></script>
<!-- Warning: Mixed content: HTTP script on HTTPS page -->
<img src="http://example.com/image.jpg">
<!-- Warning: Mixed content: HTTP image on HTTPS page -->
```

Pass:

```html
<!-- Page: https://example.com -->
<script src="https://cdn.example.com/app.js"></script>
<img src="https://example.com/image.jpg">
<!-- or use protocol-relative URLs -->
<script src="//cdn.example.com/app.js"></script>
```

### Configuration

```js
rules: {
  'https': {
    severity: 'warning',
  },
}
```
## external-scripts

Validates that CDN scripts carry Subresource Integrity (SRI) metadata.

### Checks

- External scripts have an `integrity` attribute
- External scripts have a `crossorigin` attribute
- The SRI hash has a valid format

### Examples

Warning:

```html
<script src="https://cdn.example.com/lib.js"></script>
<!-- Warning: External script missing integrity attribute -->
```

Pass:

```html
<script
  src="https://cdn.example.com/lib.js"
  integrity="sha384-abc123..."
  crossorigin="anonymous"
></script>
```

Pass (same origin):

```html
<script src="/js/app.js"></script>
<!-- Same origin, SRI not required -->
```

### Why SRI Matters

If a CDN is compromised, SRI prevents the browser from executing modified code: the browser hashes the fetched file and refuses to run it unless the hash matches the `integrity` attribute.
### Configuration

```js
rules: {
  'external-scripts': {
    severity: 'warning',
  },
}
```
## form-security

Checks forms for security best practices.

### Checks

- Password forms use the POST method
- Form actions use HTTPS
- Autocomplete attributes are set appropriately

### Examples

Warning (GET for passwords):

```html
<form action="/login" method="GET">
  <input type="password" name="pass">
</form>
<!-- Warning: Password form should use POST, not GET -->
```

Warning (HTTP action):

```html
<!-- Page: https://example.com -->
<form action="http://example.com/submit">
  <input type="text" name="data">
</form>
<!-- Warning: Form action should use HTTPS -->
```

Pass:

```html
<form action="https://example.com/login" method="POST">
  <input type="email" name="email" autocomplete="email">
  <input type="password" name="password" autocomplete="current-password">
  <button type="submit">Login</button>
</form>
```

### Configuration

```js
rules: {
  'form-security': {
    severity: 'warning',
  },
}
```
## Security Checklist

- HTTPS
- Headers
- Scripts
- Forms

### Recommended Headers

```nginx
# Nginx example
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()";
```

```apache
# Apache example
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```