Skip to main content
friendly4AI LogoMaking websites AI-friendly - Your website optimization platform for AI systemsfriendly4AI
  • Product
  • Leaderboard
  • Pricing
  • Blog
Sign in
  1. Methodology
  2. ›
  3. Parameters
  4. ›
  5. Security Headers Baseline

Security Headers Baseline

stable

Category: technical-seo · Methodology v4.5

friendly4AI follows the redirect chain to the final resolved URL and confirms it is served over HTTPS.

Signal Source

Source
https://{domain}
Kind
http_headers

Score Bands

VerdictCondition
Passthe final URL is served over HTTPS AND both the Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP) response headers are present
Partialthe final URL is served over HTTPS AND exactly one of HSTS or CSP is present
Failthe final URL is not HTTPS, OR it is HTTPS but both HSTS and CSP are missing

Description

Security Headers Baseline checks whether your site enforces basic transport and content security. To pass, the final resolved URL must be served over HTTPS and the response must carry both the Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP) headers. friendly4AI awards a full pass (100) only when HTTPS and both headers are present.

What does this parameter check?

friendly4AI follows the redirect chain to the final resolved URL and confirms it is served over HTTPS. It then reads the HTTP response headers and looks for two of them: Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP).

It is a presence check, nothing more. The scanner verifies each header exists and is non-empty. It does not parse the value, so it never inspects the HSTS max-age or the individual CSP directives.

Why do security headers matter for AI-readiness?

A secure baseline tells AI systems, and the people running them, that the site is maintained and worth trusting. Each header earns that signal differently:

  • HTTPS protects content integrity in transit, so AI crawlers fetch exactly what you published.
  • HSTS blocks downgrade attacks and forces secure connections on return visits.
  • CSP limits what is allowed to run on the page.

Miss these basics and the site reads as neglected or risky. A missing HTTPS lock costs you twice: less crawler trust, and fewer human conversions.

How is Security Headers Baseline scored?

Under the v4.5 methodology, this Discovery parameter scores in three tiers from HTTPS plus the two headers:

| Tier | Score | Condition | |---|---|---| | Pass | 100 | Final URL is HTTPS and both Strict-Transport-Security and Content-Security-Policy are present | | Partial | 50 | Final URL is HTTPS and exactly one of HSTS or CSP is present | | Fail | 0 | Final URL is not HTTPS, or it is HTTPS but both headers are missing |

Since the check only looks for presence, a header with a weak or even malformed value still counts. The rubric rewards having the header in place, not how well it is configured.

How do you fix Security Headers Baseline issues?

  • Serve every page over HTTPS and redirect HTTP to HTTPS so the final resolved URL is secure.
  • Add a Strict-Transport-Security response header (for example max-age=31536000; includeSubDomains) to enforce HTTPS on future visits.
  • Add a Content-Security-Policy header to control which sources of scripts, styles, and frames may load.
  • Set both headers. One alone reaches Partial; together they reach Pass.
  • Configure them at your CDN, reverse proxy, or web-server layer so they apply across the whole site.
  • Re-scan after you deploy the headers to confirm HTTPS and both headers are detected.

Related parameters

  • HTTP Reachability — confirms the site responds and resolves to a working final URL.
  • URL Stability — checks that URLs stay consistent across redirects.
  • Sitemap Availability — verifies a discoverable XML sitemap.

Version History

Introduced
v4.0
Last changed
v4.5

Key takeaways

  • Signal: https://{domain}
  • Category: Technical SEO
  • Passes when: the final URL is served over HTTPS AND both the Strict-Transport-Security (HS…

Related Parameters

  • HTTP Reachability
  • Sitemap Availability
  • URL Stability

View full methodology changelog · All parameters · GEO/AEO glossary

Suggest a change to this parameter


friendly4AI LogoMaking websites AI-friendly - Your website optimization platform for AI systemsfriendly4AI

The starting point for making your website AI-friendly.

ai@friendly4.ai
ProductsGEO ScannerAI VisibilityMethodologyDemoLeaderboardHow we comparePricing
friendly4AIAbout usBlogFor developersQuickstartAPI referenceContact usFAQsGlossary
LegalTerms and ConditionsPrivacy PolicyAI usage policy
friendly4AI © 2026