Security Scanner · 12% weight
Your headers are your first line of defense
Most website security issues aren't exotic hacks — they're missing HTTP headers that take 5 minutes to add. BAZY checks every security header that matters.
Why this matters
Chrome now warns users about insecure sites. Missing security headers don't just risk attacks — they erode visitor trust and can hurt your search rankings.
What we check
- HTTPS — site uses TLS encryption (not plain HTTP)
- Strict-Transport-Security (HSTS) — prevents downgrade attacks
- X-Content-Type-Options: nosniff — prevents MIME type confusion
- X-Frame-Options or CSP frame-ancestors — prevents clickjacking
- Content-Security-Policy — controls which scripts can execute (XSS prevention)
- Referrer-Policy — controls what URL info leaks to third parties
- Permissions-Policy — restricts access to camera, microphone, and geolocation
- X-Powered-By removal — don't reveal your server technology
- Server header — don't expose detailed version info
- Mixed content — no HTTP resources loaded on HTTPS pages
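The checks listed above can be expressed as a small header audit. This is an added example, not BAZY's own code: the function names, the pass/fail rules (for instance, treating any digit in the Server header as version disclosure and scanning only `src=` attributes for mixed content) and the sample responses are assumptions constructed for illustration.

```python
import re

def audit_headers(url, headers, body=""):
    """Return {check_name: passed} for one HTTP response (illustrative rules)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    https = url.lower().startswith("https://")
    csp = h.get("content-security-policy", "")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    xfo = h.get("x-frame-options", "").strip().upper()
    # Simplification: only src= attributes pointing at http:// count as mixed content.
    mixed = re.findall(r'src\s*=\s*["\']http://', body, re.I)
    return {
        "https": https,
        # Browsers ignore HSTS sent over plain HTTP, and max-age=0 disables it.
        "hsts": https and bool(hsts) and int(hsts.group(1)) > 0,
        "nosniff": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "clickjacking": xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp.lower(),
        "csp": bool(csp.strip()),
        "referrer_policy": "referrer-policy" in h,
        "permissions_policy": "permissions-policy" in h,
        "no_x_powered_by": "x-powered-by" not in h,
        "server_no_version": not re.search(r"\d", h.get("server", "")),
        "no_mixed_content": not (https and mixed),
    }

def failed(results):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, ok in results.items() if not ok)

# Constructed sample responses (not captured from any real site).
WEAK = ("https://example.test/",
        {"Server": "nginx/1.24.0", "X-Powered-By": "PHP/8.2",
         "X-Frame-Options": "ALLOWALL"},
        '<img src="http://example.test/logo.png">')
HARDENED = ("https://example.test/",
            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "X-Content-Type-Options": "nosniff",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
             "Referrer-Policy": "strict-origin-when-cross-origin",
             "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
             "Server": "nginx"},
            '<img src="/logo.png">')

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "fails:", failed(audit_headers(*sample)))
```

The weak sample shows two easy-to-miss cases: an unrecognized X-Frame-Options value gives no clickjacking protection, and an HTTPS page can still fail on mixed content.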
Scoring
HTTPS is the heaviest check — without it, your score starts near zero. HSTS, X-Content-Type-Options, and clickjacking protection are the next tier. CSP and Permissions-Policy are important but less common, so they carry moderate weight.