Security Headers Baseline
stableCategory: technical-seo · Methodology v4.5
friendly4AI follows the redirect chain to the final resolved URL and confirms it is served over HTTPS.
Signal Source
- Source
https://{domain}- Kind
- http_headers
Score Bands
| Verdict | Condition |
|---|---|
| Pass | the final URL is served over HTTPS AND both the Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP) response headers are present |
| Partial | the final URL is served over HTTPS AND exactly one of HSTS or CSP is present |
| Fail | the final URL is not HTTPS, OR it is HTTPS but both HSTS and CSP are missing |
Description
Security Headers Baseline checks whether your site enforces basic transport and content security. To pass, the final resolved URL must be served over HTTPS and the response must carry both the Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP) headers. friendly4AI awards a full pass (100) only when HTTPS and both headers are present.
What does this parameter check?
friendly4AI follows the redirect chain to the final resolved URL and confirms it is served over HTTPS. It then reads the HTTP response headers and looks for two of them: Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP).
It is a presence check, nothing more. The scanner verifies each header exists and is non-empty. It does not parse the value, so it never inspects the HSTS max-age or the individual CSP directives.
Why do security headers matter for AI-readiness?
A secure baseline tells AI systems, and the people running them, that the site is maintained and worth trusting. Each header earns that signal differently:
- HTTPS protects content integrity in transit, so AI crawlers fetch exactly what you published.
- HSTS blocks downgrade attacks and forces secure connections on return visits.
- CSP limits what is allowed to run on the page.
Miss these basics and the site reads as neglected or risky. A missing HTTPS lock costs you twice: less crawler trust, and fewer human conversions.
How is Security Headers Baseline scored?
Under the v4.5 methodology, this Discovery parameter scores in three tiers from HTTPS plus the two headers:
| Tier | Score | Condition |
|---|---|---|
| Pass | 100 | Final URL is HTTPS and both Strict-Transport-Security and Content-Security-Policy are present |
| Partial | 50 | Final URL is HTTPS and exactly one of HSTS or CSP is present |
| Fail | 0 | Final URL is not HTTPS, or it is HTTPS but both headers are missing |
Since the check only looks for presence, a header with a weak or even malformed value still counts. The rubric rewards having the header in place, not how well it is configured.
How do you fix Security Headers Baseline issues?
- Serve every page over HTTPS and redirect HTTP to HTTPS so the final resolved URL is secure.
- Add a
Strict-Transport-Securityresponse header (for examplemax-age=31536000; includeSubDomains) to enforce HTTPS on future visits. - Add a
Content-Security-Policyheader to control which sources of scripts, styles, and frames may load. - Set both headers. One alone reaches Partial; together they reach Pass.
- Configure them at your CDN, reverse proxy, or web-server layer so they apply across the whole site.
- Re-scan after you deploy the headers to confirm HTTPS and both headers are detected.
Related parameters
- HTTP Reachability — confirms the site responds and resolves to a working final URL.
- URL Stability — checks that URLs stay consistent across redirects.
- Sitemap Availability — verifies a discoverable XML sitemap.
Version History
- Introduced
- v4.0
- Last changed
- v4.5
Key takeaways
- Signal: https://{domain}
- Category: Technical SEO
- Passes when: the final URL is served over HTTPS AND both the Strict-Transport-Security (HS…