Security headers, compression, caching, and TLS — validated.

Security Headers Audit

Security headers tell browsers how to handle your content safely. Missing headers leave your site vulnerable to clickjacking, MIME sniffing, XSS, and data interception. HSTS ensures HTTPS enforcement, CSP prevents script injection, and X-Content-Type-Options stops MIME sniffing attacks. Beyond security, proper compression and caching headers directly impact page speed and server costs. EchoBat checks every response for security, compression, and caching configuration.

How It Works

EchoBat's crawler records all HTTP response headers for every page. The Server Health lens then checks each response against security best practices: missing headers are flagged, weak configurations are identified, and cookie attributes are validated. Issues are grouped by type (security headers, compression, cache, cookies, TLS) and ranked by severity. Mixed content warnings (HTTP resources on HTTPS pages) are detected from HTML analysis.

Proof Returned in the Report

Every Security Headers Audit finding is tied to crawl evidence: affected URLs, the source signal, severity, score impact, and the next action exposed in the portal, CLI JSON, and MCP tools.

Sample Evidence Fields

  • HSTS (Strict-Transport-Security): Ensures HTTPS is enforced with proper max-age, includeSubDomains, and preload directives.
  • Content-Security-Policy: Validates CSP headers to prevent cross-site scripting and code injection attacks.
  • X-Content-Type-Options: Checks for nosniff directive that prevents MIME type confusion attacks.

Why It Matters

  • Catch security misconfigurations before they become vulnerabilities
  • Full-site coverage — not just the homepage
  • Compression and caching checks save bandwidth and improve performance
  • Cookie security audit prevents session hijacking vectors