Security Headers Baseline
Status: stable · Category: technical-seo · Methodology v4.5
Does your site enforce a baseline of transport and content security?
Signal Source
- Source: https://{domain}
- Kind: http_headers
Score Bands
| Verdict | Condition |
|---|---|
| Pass | the final URL is served over HTTPS AND both the Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP) response headers are present |
| Partial | the final URL is served over HTTPS AND exactly one of HSTS or CSP is present |
| Fail | the final URL is not HTTPS, OR it is HTTPS but both HSTS and CSP are missing |
Description
What this parameter measures
Does your site enforce a baseline of transport and content security? friendly4AI looks at the final resolved URL after redirects to confirm it is served over HTTPS, then inspects the HTTP response headers for two security headers: Strict-Transport-Security (HSTS) and Content-Security-Policy (CSP). This is a presence-only check. The scanner confirms each header exists and is non-empty, but it does not parse or validate the header's value (for example, it does not check the HSTS max-age or the CSP directives).
Why it matters for AI-readiness
A secure baseline signals an actively maintained, trustworthy site, which matters to AI systems and the operators behind them. HTTPS protects content integrity in transit so AI crawlers fetch what you actually published; HSTS prevents downgrade attacks and forces secure connections; CSP constrains what runs on the page. Sites that fail the basics read as neglected or risky, and a missing HTTPS lock can reduce both crawler trust and human conversion.
How we score it
Under the v4.4 methodology, this Discovery parameter scores in three tiers based on HTTPS plus two headers. A site passes (100) when the final URL is HTTPS and both Strict-Transport-Security and Content-Security-Policy headers are present. It earns a partial (50) when the final URL is HTTPS and exactly one of the two headers is present. It fails (0) when the final URL is not HTTPS, or when it is HTTPS but both headers are missing. Because the check is presence-only, a header with a weak or even malformed value still counts as present — the rubric rewards having the header in place, not the quality of its configuration.
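The three score bands above, written out as an added Python example (this is not friendly4AI's scanner code); `check_site` is a hypothetical helper built on the standard library, and the sample responses are constructed:

```python
"""Presence-only scorer for the Security Headers Baseline rubric (v4.4 bands)."""
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy")


def score_security_headers(final_url: str, headers: dict) -> tuple:
    """Return (verdict, score) for the final resolved URL and its response headers.

    Mirrors the rubric: header names are matched case-insensitively, a header
    counts as present when it exists and is non-empty, and its value is never
    validated (a weak max-age or a permissive CSP still counts as present).
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): (v or "").strip() for k, v in headers.items()}
    present = sum(1 for h in REQUIRED_HEADERS if lower.get(h.lower()))

    if urlsplit(final_url).scheme.lower() != "https":
        return ("Fail", 0)        # Fail band: final URL is not HTTPS
    if present == 2:
        return ("Pass", 100)      # Pass band: HTTPS plus both headers
    if present == 1:
        return ("Partial", 50)    # Partial band: HTTPS plus exactly one header
    return ("Fail", 0)            # Fail band: HTTPS but both headers missing


def check_site(url: str, timeout: float = 10.0) -> tuple:
    """Hypothetical helper: fetch the URL, let urllib follow redirects, then
    score the final URL and its headers. Requires network access."""
    with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
        return score_security_headers(resp.geturl(), dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        ("https://example.test/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                                   "Content-Security-Policy": "default-src 'self'"}),
        ("https://example.test/", {"strict-transport-security": "max-age=0"}),   # weak value, still present
        ("http://example.test/", {"Content-Security-Policy": "default-src 'self'"}),
        ("https://example.test/", {"Content-Security-Policy": ""}),            # empty value is not present
    ]
    for final_url, hdrs in samples:
        print(final_url, hdrs, "->", score_security_headers(final_url, hdrs))
```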
How to fix common issues
- Serve every page over HTTPS and redirect HTTP to HTTPS so the final resolved URL is secure.
- Add a `Strict-Transport-Security` response header (for example `max-age=31536000; includeSubDomains`) to enforce HTTPS on future visits.
- Add a `Content-Security-Policy` header to control which sources of scripts, styles, and frames may load.
- Set both headers — having only one reaches Partial, while both together reach Pass.
- Configure these at your CDN, reverse proxy, or web-server layer so they apply site-wide.
- Re-scan after deploying the headers to confirm HTTPS and both headers are detected.
Version History
- Introduced: v4.0
- Last changed: v4.4
Key takeaways
- Signal: https://{domain}
- Category: Technical SEO
- Passes when: the final URL is served over HTTPS AND both the Strict-Transport-Security (HS…