{
  "url": "https://github.com",
  "scanned_at": "2026-06-17T20:15:30.225Z",
  "grade": "B+",
  "cors": {
    "enabled": false,
    "allow_origin": null,
    "allow_credentials": false,
    "allow_methods": [],
    "allow_headers": [],
    "expose_headers": [],
    "max_age": null,
    "preflight_status": 404,
    "vary_origin": false,
    "issues": [
      {
        "severity": "info",
        "code": "NO_CORS_HEADERS",
        "message": "No CORS headers present. Browsers will block cross-origin scripts from reading responses; simple cross-origin requests are still sent to the server.",
        "fix": "If you intend to allow cross-origin access, set the Access-Control-Allow-Origin header.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
      },
      {
        "severity": "high",
        "code": "PREFLIGHT_FAILED",
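        "message": "Preflight (OPTIONS) returned 404. Browsers require a 2xx preflight response before sending a preflighted cross-origin request; this matters only if cross-origin access is intended.",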
        "fix": "Ensure your server responds to OPTIONS requests with a 200 or 204 status and the appropriate CORS headers.",
        "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests"
      }
    ]
  },
  "csp": {
    "present": true,
    "mode": "enforce",
    "raw": "default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net productionresultssa4.blob.core.windows.net productionresultssa5.blob.core.windows.net productionresultssa6.blob.core.windows.net productionresultssa7.blob.core.windows.net productionresultssa8.blob.core.windows.net productionresultssa9.blob.core.windows.net productionresultssa10.blob.core.windows.net productionresultssa11.blob.core.windows.net productionresultssa12.blob.core.windows.net productionresultssa13.blob.core.windows.net productionresultssa14.blob.core.windows.net productionresultssa15.blob.core.windows.net productionresultssa16.blob.core.windows.net productionresultssa17.blob.core.windows.net productionresultssa18.blob.core.windows.net productionresultssa19.blob.core.windows.net github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com 
api.enterprise.githubcopilot.com edge.fullstory.com rs.fullstory.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com www.youtube-nocookie.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com user-images.githubusercontent.com private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com explore-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com images.ctfassets.net/8aevphvgewt8/; manifest-src 'self'; media-src github.com user-images.githubusercontent.com secured-user-images.githubusercontent.com private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com assets.ctfassets.net/8aevphvgewt8/ videos.ctfassets.net/8aevphvgewt8/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/",
    "parsed": {
      "default-src": [
        "'none'"
      ],
      "base-uri": [
        "'self'"
      ],
      "child-src": [
        "github.githubassets.com",
        "github.com/assets-cdn/worker/",
        "github.com/assets/",
        "gist.github.com/assets-cdn/worker/"
      ],
      "connect-src": [
        "'self'",
        "uploads.github.com",
        "www.githubstatus.com",
        "collector.github.com",
        "raw.githubusercontent.com",
        "api.github.com",
        "github-cloud.s3.amazonaws.com",
        "github-production-repository-file-5c1aeb.s3.amazonaws.com",
        "github-production-upload-manifest-file-7fdce7.s3.amazonaws.com",
        "github-production-user-asset-6210df.s3.amazonaws.com",
        "*.rel.tunnels.api.visualstudio.com",
        "wss://*.rel.tunnels.api.visualstudio.com",
        "github.githubassets.com",
        "objects-origin.githubusercontent.com",
        "copilot-proxy.githubusercontent.com",
        "proxy.individual.githubcopilot.com",
        "proxy.business.githubcopilot.com",
        "proxy.enterprise.githubcopilot.com",
        "*.actions.githubusercontent.com",
        "wss://*.actions.githubusercontent.com",
        "productionresultssa0.blob.core.windows.net",
        "productionresultssa1.blob.core.windows.net",
        "productionresultssa2.blob.core.windows.net",
        "productionresultssa3.blob.core.windows.net",
        "productionresultssa4.blob.core.windows.net",
        "productionresultssa5.blob.core.windows.net",
        "productionresultssa6.blob.core.windows.net",
        "productionresultssa7.blob.core.windows.net",
        "productionresultssa8.blob.core.windows.net",
        "productionresultssa9.blob.core.windows.net",
        "productionresultssa10.blob.core.windows.net",
        "productionresultssa11.blob.core.windows.net",
        "productionresultssa12.blob.core.windows.net",
        "productionresultssa13.blob.core.windows.net",
        "productionresultssa14.blob.core.windows.net",
        "productionresultssa15.blob.core.windows.net",
        "productionresultssa16.blob.core.windows.net",
        "productionresultssa17.blob.core.windows.net",
        "productionresultssa18.blob.core.windows.net",
        "productionresultssa19.blob.core.windows.net",
        "github-production-repository-image-32fea6.s3.amazonaws.com",
        "github-production-release-asset-2e65be.s3.amazonaws.com",
        "insights.github.com",
        "wss://alive.github.com",
        "wss://alive-staging.github.com",
        "api.githubcopilot.com",
        "api.individual.githubcopilot.com",
        "api.business.githubcopilot.com",
        "api.enterprise.githubcopilot.com",
        "edge.fullstory.com",
        "rs.fullstory.com"
      ],
      "font-src": [
        "github.githubassets.com"
      ],
      "form-action": [
        "'self'",
        "github.com",
        "gist.github.com",
        "copilot-workspace.githubnext.com",
        "objects-origin.githubusercontent.com"
      ],
      "frame-ancestors": [
        "'none'"
      ],
      "frame-src": [
        "viewscreen.githubusercontent.com",
        "notebooks.githubusercontent.com",
        "www.youtube-nocookie.com"
      ],
      "img-src": [
        "'self'",
        "data:",
        "blob:",
        "github.githubassets.com",
        "media.githubusercontent.com",
        "camo.githubusercontent.com",
        "identicons.github.com",
        "avatars.githubusercontent.com",
        "private-avatars.githubusercontent.com",
        "github-cloud.s3.amazonaws.com",
        "objects.githubusercontent.com",
        "release-assets.githubusercontent.com",
        "secured-user-images.githubusercontent.com",
        "user-images.githubusercontent.com",
        "private-user-images.githubusercontent.com",
        "opengraph.githubassets.com",
        "marketplace-screenshots.githubusercontent.com",
        "copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/",
        "github-production-user-asset-6210df.s3.amazonaws.com",
        "customer-stories-feed.github.com",
        "spotlights-feed.github.com",
        "explore-feed.github.com",
        "objects-origin.githubusercontent.com",
        "*.githubusercontent.com",
        "images.ctfassets.net/8aevphvgewt8/"
      ],
      "manifest-src": [
        "'self'"
      ],
      "media-src": [
        "github.com",
        "user-images.githubusercontent.com",
        "secured-user-images.githubusercontent.com",
        "private-user-images.githubusercontent.com",
        "github-production-user-asset-6210df.s3.amazonaws.com",
        "gist.github.com",
        "github.githubassets.com",
        "assets.ctfassets.net/8aevphvgewt8/",
        "videos.ctfassets.net/8aevphvgewt8/"
      ],
      "script-src": [
        "github.githubassets.com"
      ],
      "style-src": [
        "'unsafe-inline'",
        "github.githubassets.com"
      ],
      "upgrade-insecure-requests": [],
      "worker-src": [
        "github.githubassets.com",
        "github.com/assets-cdn/worker/",
        "github.com/assets/",
        "gist.github.com/assets-cdn/worker/"
      ]
    },
    "grade": "A",
    "issues": [],
    "missing_directives": []
  },
  "security_headers": {
    "grade": "C",
    "headers": {
      "strict-transport-security": {
        "present": true,
        "value": "max-age=31536000; includeSubdomains; preload",
        "issues": [],
        "preload_eligible": true
      },
      "x-frame-options": {
        "present": true,
        "value": "deny",
        "issues": []
      },
      "x-content-type-options": {
        "present": true,
        "value": "nosniff",
        "issues": []
      },
      "referrer-policy": {
        "present": true,
        "value": "origin-when-cross-origin, strict-origin-when-cross-origin",
        "issues": []
      },
      "permissions-policy": {
        "present": false,
        "value": null,
        "issues": [
          {
            "severity": "info",
            "code": "NO_PERMISSIONS_POLICY",
            "message": "No Permissions-Policy header. Browser features like camera, microphone, and geolocation use default permissions.",
            "fix": "Add Permissions-Policy: camera=(), microphone=(), geolocation=() to restrict sensitive features.",
            "mdn": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy"
          }
        ],
        "recommendation": "camera=(), microphone=(), geolocation=()"
      },
      "content-security-policy": {
        "present": true,
        "value": "default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net productionresultssa4.blob.core.windows.net productionresultssa5.blob.core.windows.net productionresultssa6.blob.core.windows.net productionresultssa7.blob.core.windows.net productionresultssa8.blob.core.windows.net productionresultssa9.blob.core.windows.net productionresultssa10.blob.core.windows.net productionresultssa11.blob.core.windows.net productionresultssa12.blob.core.windows.net productionresultssa13.blob.core.windows.net productionresultssa14.blob.core.windows.net productionresultssa15.blob.core.windows.net productionresultssa16.blob.core.windows.net productionresultssa17.blob.core.windows.net productionresultssa18.blob.core.windows.net productionresultssa19.blob.core.windows.net github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com 
api.enterprise.githubcopilot.com edge.fullstory.com rs.fullstory.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com www.youtube-nocookie.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com user-images.githubusercontent.com private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com explore-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com images.ctfassets.net/8aevphvgewt8/; manifest-src 'self'; media-src github.com user-images.githubusercontent.com secured-user-images.githubusercontent.com private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com assets.ctfassets.net/8aevphvgewt8/ videos.ctfassets.net/8aevphvgewt8/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/",
        "issues": []
      },
      "cross-origin-opener-policy": {
        "present": false,
        "value": null,
        "issues": [],
        "recommendation": "same-origin"
      },
      "cross-origin-embedder-policy": {
        "present": false,
        "value": null,
        "issues": [],
        "recommendation": "credentialless"
      },
      "cross-origin-resource-policy": {
        "present": false,
        "value": null,
        "issues": [],
        "recommendation": "same-origin"
      }
    },
    "conflicts": [],
    "score": 65,
    "max_score": 100
  },
  "redirect_chain": {
    "hops": 1,
    "loop_detected": false,
    "mixed_content": false,
    "chain": [
      {
        "url": "https://github.com",
        "status": 200,
        "location": null,
        "timing_ms": 53,
        "headers_summary": {
          "server": "cloudflare",
          "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
          "x-frame-options": "deny",
          "x-content-type-options": "nosniff",
          "referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
          "content-security-policy": "default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net productionresultssa4.blob.core.windows.net productionresultssa5.blob.core.windows.net productionresultssa6.blob.core.windows.net productionresultssa7.blob.core.windows.net productionresultssa8.blob.core.windows.net productionresultssa9.blob.core.windows.net productionresultssa10.blob.core.windows.net productionresultssa11.blob.core.windows.net productionresultssa12.blob.core.windows.net productionresultssa13.blob.core.windows.net productionresultssa14.blob.core.windows.net productionresultssa15.blob.core.windows.net productionresultssa16.blob.core.windows.net productionresultssa17.blob.core.windows.net productionresultssa18.blob.core.windows.net productionresultssa19.blob.core.windows.net github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com 
api.business.githubcopilot.com api.enterprise.githubcopilot.com edge.fullstory.com rs.fullstory.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com www.youtube-nocookie.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com user-images.githubusercontent.com private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com explore-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com images.ctfassets.net/8aevphvgewt8/; manifest-src 'self'; media-src github.com user-images.githubusercontent.com secured-user-images.githubusercontent.com private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com assets.ctfassets.net/8aevphvgewt8/ videos.ctfassets.net/8aevphvgewt8/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/",
          "cache-control": "max-age=0, private, must-revalidate",
          "content-type": "text/html; charset=utf-8",
          "cf-cache-status": "DYNAMIC",
          "vary": "X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Accept-Language, Sec-Fetch-Site,Accept-Encoding, Accept, X-Requested-With"
        },
        "hsts": "max-age=31536000; includeSubdomains; preload"
      }
    ],
    "issues": [],
    "total_time_ms": 53
  },
  "cache": {
    "cache_control": "max-age=0, private, must-revalidate",
    "parsed": {
      "max-age": 0,
      "private": true,
      "must-revalidate": true
    },
    "effective_ttl": 0,
    "vary": [
      "X-PJAX",
      "X-PJAX-Container",
      "Turbo-Visit",
      "Turbo-Frame",
      "X-Requested-With",
      "Accept-Language",
      "Sec-Fetch-Site",
      "Accept-Encoding",
      "Accept",
      "X-Requested-With"
    ],
    "cdn_status": "DYNAMIC",
    "cdn_provider": "Cloudflare",
    "issues": [],
    "explanation": "Cached by the browser only (not shared caches like CDNs). With max-age=0 the response is stale immediately, so the browser must revalidate with the server before each reuse."
  },
  "tls": {
    "version": null,
    "details": "→ certs.lol/github.com"
  },
  "_meta": {
    "version": "1.0.0",
    "scan_time_ms": 155,
    "cache_hit": false,
    "cache_ttl": 3600,
    "docs": "https://xhttp.lol/api/docs",
    "tls_report": "https://certs.lol/github.com",
    "dns_report": "https://ns.lol/github.com",
    "full_report": "https://yoke.lol/github.com"
  }
}