Security Headers Scanner

Automated weekly validation of your security headers configuration, with no code changes to your site required.

Key features

  • No JWT token required

  • Works independently of CSP monitoring

  • Automatic weekly scans

  • Email notifications for header issues

Step-by-Step Setup

Step 1: Create Page Monitor

  1. Go to Monitor > Pages in the console

  2. Click "+ New Page Monitor"

  3. Configure the page information:

    • Name: Monitor my Checkout Page

    • Description: Description of your payment page

    • Base URL: https://your-site.com/checkout (your payment page)

    • URL patterns: NOT REQUIRED for Security Headers scanning

  4. Activate Security Headers Monitoring

    1. Navigate to your page configuration

    2. Click the toggle "Set Up Headers"

    3. Select the security headers you want to monitor (up to 16 are available). For details on each header, see Supported Security Headers below

    4. Configure expected values for each header

  5. Configure notifications:

    • Add email addresses that will receive alerts

    • The account owner's email is automatically included

  6. Save the configuration

Step 2: Verify Your Headers

Important: Firstoken Monitor only validates that your server is already sending the configured headers with the expected values; it does not add or modify headers for you. Make sure your application or web server is configured to send these security headers before enabling the scan.
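Before enabling the weekly scan it is worth confirming, from outside the monitor, that the page really returns what you configured. The following is an added example, not Firstoken's code: it compares a set of response headers against an expected configuration in the same spirit as the monitor does (header present, and value matching where one is specified). The expected values and the two sample responses are constructed for the example and are not taken from any real site.

```python
"""Compare HTTP response headers against an expected security-header configuration.

Added example for the "Verify Your Headers" step; it is not Firstoken's code.
Header names are matched case-insensitively (HTTP header names are
case-insensitive), values are compared after trimming whitespace, and a
header configured with the value None only has to be present.
"""
import urllib.request

# Hypothetical expected configuration, chosen for this example.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": None,  # presence only; the policy is site-specific
}

# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "content-security-policy": "default-src 'self'",
}
WEAK_RESPONSE = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",  # not a valid X-Frame-Options directive
}


def check_headers(actual, expected=EXPECTED_HEADERS):
    """Return a list of (header, problem) tuples; an empty list means all checks passed."""
    lowered = {name.lower(): value for name, value in actual.items()}
    issues = []
    for name, want in expected.items():
        got = lowered.get(name.lower())
        if got is None:
            issues.append((name, "missing"))
        elif want is not None and got.strip() != want:
            issues.append((name, f"expected {want!r}, got {got.strip()!r}"))
    return issues


def fetch_headers(url, timeout=10):
    """Fetch the response headers of a live URL with a plain GET (network required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


def report(issues):
    """Render the issue list as one line per problem, or a single OK line."""
    if not issues:
        return "OK: all expected security headers present with expected values"
    return "\n".join(f"{name}: {problem}" for name, problem in issues)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. To check a real page,
    # replace the dict with fetch_headers("https://your-site.com/checkout").
    print("good response ->", report(check_headers(GOOD_RESPONSE)))
    print("weak response ->\n" + report(check_headers(WEAK_RESPONSE)))
```

Run the script directly to see the comparison on the constructed samples, or call fetch_headers on your own checkout URL and pass the result to check_headers. Note that headers are per response, so a page that sets them only on some paths can pass a check on one URL and fail on another.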


Supported Security Headers

Header                                   Purpose/Function
Content-Security-Policy (CSP)            Controls script, style and iframe loading policy (protects against XSS, skimming, MITM)
Content-Security-Policy-Report-Only      CSP testing mode: sends violation reports without blocking anything
Report-To                                Defines the endpoint for CSP violation reports (older Reporting API header)
Reporting-Endpoints                      Current Reporting API header for centralizing security reports (CSP, COOP, CORP, etc.)
Cross-Origin-Embedder-Policy (COEP)      Isolates resources and documents to prevent Spectre-like attacks
Cross-Origin-Opener-Policy (COOP)        Restricts cross-origin window communication
Cross-Origin-Resource-Policy (CORP)      Prevents cross-origin resources from being loaded by other domains
Origin-Agent-Cluster                     Requests origin isolation (origin-keyed agent clusters) in modern browsers
Strict-Transport-Security (HSTS)         Enforces HTTPS usage and prevents HTTP downgrade
Upgrade-Insecure-Requests                Tells browsers to convert HTTP requests to HTTPS
Permissions-Policy                       Restricts browser APIs (e.g., geolocation, camera, microphone)
Referrer-Policy                          Controls the Referer information exposed in outgoing requests
X-Frame-Options                          Prevents the site from loading in malicious iframes (clickjacking protection)
X-Content-Type-Options                   Prevents MIME sniffing attacks
X-XSS-Protection                         Configures legacy browser XSS filters (deprecated; ignored by current browsers)
X-Permitted-Cross-Domain-Policies        Restricts cross-domain data access by Adobe Flash/Acrobat clients

Configuration Example

During setup, select the header to configure and assign the expected value:
