Security Headers Scanner

Automated weekly validation of your security headers configuration with zero code implementation required.

Key features

  • No JWT token required

  • Works independently of CSP monitoring

  • Automatic weekly scans

  • Email notifications for header issues

Step-by-Step Setup

Step 1: Create Page Monitor

  1. Go to Monitor > Pages in the console

  2. Click "+ New Page Monitor"

  3. Configure the page information:

    • Name: Monitor my Checkout Page

    • Description: Description of your payment page

    • Base URL: https://your-site.com/checkout (your payment page)

  4. Enable Scan Headers

    1. Navigate to your page configuration

    2. Enable the toggle "Scan Headers"

    3. Select the security headers you want to monitor (up to 16 available). For details on each header, see Supported Security Headers below.

    4. Configure expected values for each header

  5. Configure notifications:

    • Add email addresses that will receive alerts

    • The account owner's email is automatically included

  6. Save the configuration

Step 2: Verify Your Headers

Important: Firstoken Monitor will validate that your server is already sending the configured headers. Ensure your application/server is properly configured to send these security headers.

Scan Scheduling: After saving your configuration, the first security headers scan will be scheduled to run the following day in the morning. Subsequent scans will run automatically on a weekly basis.

Note: Scans are not immediate. Allow 24 hours for your first scan to complete. You will receive an email notification if any header misconfigurations or issues are detected.


Supported Security Headers

Header                                  Purpose/Function
--------------------------------------  ---------------------------------------------------------------------------------
Content-Security-Policy (CSP)           Controls script, style and iframe loading policy (XSS, skimming, MITM protection)
Content-Security-Policy-Report-Only     CSP testing mode (sends violation reports without blocking)
Report-To                               Defines the endpoint for CSP violation reports
Reporting-Endpoints                     Newer header (replacing Report-To) for centralizing security reports (CSP, COOP, CORP, etc.)
Cross-Origin-Embedder-Policy (COEP)     Isolates resources and documents to mitigate Spectre-like attacks
Cross-Origin-Opener-Policy (COOP)       Restricts cross-origin window communication
Cross-Origin-Resource-Policy (CORP)     Prevents cross-origin resources from being loaded by other domains
Origin-Agent-Cluster                    Requests origin isolation in modern browsers
Strict-Transport-Security (HSTS)        Enforces HTTPS usage and prevents HTTP downgrade
Upgrade-Insecure-Requests               Tells browsers to upgrade HTTP requests to HTTPS
Permissions-Policy                      Restricts browser APIs (e.g., geolocation, camera, microphone)
Referrer-Policy                         Controls the Referer information exposed in outgoing requests
X-Frame-Options                         Prevents the site from loading in malicious iframes (clickjacking protection)
X-Content-Type-Options                  Prevents MIME sniffing attacks
X-XSS-Protection                        Configures the legacy browser XSS filter
X-Permitted-Cross-Domain-Policies       Restricts cross-domain data access by Adobe Flash/Acrobat clients

Configuration Example

During setup, select the header to configure and assign the expected value:
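The console screen for this step is not reproduced here. As an added example that is not Firstoken Monitor's own code, the following Python script performs the same kind of check locally: it compares a response's headers with a set of expected values of the kind you assign in the console, and additionally flags a few well-known weak settings (short HSTS max-age, 'unsafe-inline' in script-src, the obsolete X-Frame-Options ALLOW-FROM). EXPECTED_HEADERS and SAMPLE_RESPONSE_HEADERS are constructed sample data, and the function names (check_headers, flag_weak_values, fetch_headers, scan) are this example's own; fetch_headers uses the standard library urllib and is only needed when you want to run the check against a live page before the first scheduled scan.

```python
"""Local check of a page's security headers against expected values.

Added example (not Firstoken Monitor's own code): it mirrors what the weekly
scan does, so you can confirm that your server already sends the configured
headers before the first scheduled scan.
"""
import re
import urllib.request
from typing import Dict, List, Tuple

# Expected values as you would assign them in the console.
# Constructed sample; substitute the values from your own policy.
EXPECTED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}

# Constructed sample of what a misconfigured checkout page might return:
# short HSTS max-age, no X-Frame-Options, and 'unsafe-inline' in script-src.
SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

Finding = Tuple[str, str, str]  # (header name, problem, detail)


def _normalise(value: str) -> str:
    """Collapse whitespace and lowercase so 'deny' matches 'DENY' and
    'max-age=31536000;  includeSubDomains' matches the configured value.
    Directive names in these headers are case-insensitive, so this is lenient
    on purpose."""
    value = re.sub(r"\s*;\s*", "; ", value.strip())
    return " ".join(value.split()).lower()


def check_headers(actual: Dict[str, str], expected: Dict[str, str]) -> List[Finding]:
    """Compare a response's headers with the expected values.

    Header names are matched case-insensitively, as HTTP requires. Returns one
    finding per expected header that is missing or carries a different value.
    """
    present = {name.lower(): value for name, value in actual.items()}
    findings: List[Finding] = []
    for name, want in expected.items():
        got = present.get(name.lower())
        if got is None:
            findings.append((name, "missing", f"expected '{want}'"))
        elif _normalise(got) != _normalise(want):
            findings.append((name, "mismatch", f"expected '{want}', got '{got}'"))
    return findings


def _csp_sources(csp: str, directive: str) -> List[str]:
    """Return the source list of one CSP directive, or [] if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [token.lower() for token in tokens[1:]]
    return []


def flag_weak_values(actual: Dict[str, str]) -> List[Finding]:
    """Flag a few well-known weak settings even if they match what was configured."""
    present = {name.lower(): value for name, value in actual.items()}
    warnings: List[Finding] = []
    hsts = present.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if match and int(match.group(1)) < 31536000:
        warnings.append(("Strict-Transport-Security", "weak",
                         f"max-age={match.group(1)} is under one year"))
    csp = present.get("content-security-policy", "")
    # script-src falls back to default-src when it is not set explicitly
    scripts = _csp_sources(csp, "script-src") or _csp_sources(csp, "default-src")
    if "'unsafe-inline'" in scripts:
        warnings.append(("Content-Security-Policy", "weak", "'unsafe-inline' allowed for scripts"))
    xfo = present.get("x-frame-options", "")
    if xfo.upper().startswith("ALLOW-FROM"):
        warnings.append(("X-Frame-Options", "weak",
                         "ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors"))
    return warnings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a URL and return its response headers (needs network access)."""
    with urllib.request.urlopen(url) as response:
        return dict(response.headers.items())


def scan(actual: Dict[str, str], expected: Dict[str, str]) -> List[Finding]:
    """Full scan: expected-value findings followed by weak-value warnings."""
    return check_headers(actual, expected) + flag_weak_values(actual)


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE_HEADERS with fetch_headers("https://your-site.com/checkout")
    # to check the live page.
    for header, problem, detail in scan(SAMPLE_RESPONSE_HEADERS, EXPECTED_HEADERS):
        print(f"{problem:8} {header}: {detail}")
```

On the constructed sample this reports an HSTS mismatch, a missing X-Frame-Options header and a CSP mismatch, plus two weak-value warnings (the short max-age and the inline-script allowance). Comparison is deliberately lenient on case and whitespace so that a server emitting the same policy with different formatting does not produce a false alarm; if you need byte-exact matching, drop the lowercasing in _normalise.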

Comparison with Other Monitor Features

The Security Headers Scanner works alongside the other Firstoken Monitor security tools:

Feature                     Purpose                               Implementation Required        Scanning Frequency
--------------------------  ------------------------------------  -----------------------------  ---------------------
CSP Real-Time Monitoring    Detect runtime security violations    JavaScript code + CSP headers  Real-time, continuous
Security Headers Scanner    Validate HTTP security headers        None                           Weekly, automated
Resources Inventory         Manage JavaScript and CSS inventory   None                           Weekly, automated

Each feature addresses different security and compliance requirements and can be used independently or together for comprehensive protection.
