# Security Metrics
PerfLeaf checks each page for common web security best practices during every scan.
## What’s checked

| Check | Description |
|---|---|
| HTTPS | Whether the page is served over a secure connection |
| Mixed content | Whether any HTTP resources are loaded on an HTTPS page |
| CSP | Whether a `Content-Security-Policy` header is present and configured |
| HSTS | Whether `Strict-Transport-Security` is set |
| X-Content-Type-Options | Whether `nosniff` is set to prevent MIME-type sniffing |
| X-Frame-Options | Whether clickjacking protection is in place |
| Referrer-Policy | Whether a referrer policy is configured |
## Report view

The Security Metrics card in the Site Report shows the overall security posture. Each check is shown as a pass/fail indicator.
At the page level, the Page Report shows per-page security results, which can differ across pages if your server configuration varies.
## Scoring

Security is one of the six Performance Score categories. Each missing or misconfigured header reduces the security score.
## Common fixes

| Issue | Fix |
|---|---|
| Not using HTTPS | Obtain a TLS certificate (e.g. Let’s Encrypt) and redirect all HTTP to HTTPS |
| Missing CSP | Add a `Content-Security-Policy` header to your server or CDN configuration |
| Missing HSTS | Add `Strict-Transport-Security: max-age=31536000; includeSubDomains` |
| Missing X-Frame-Options | Add `X-Frame-Options: DENY` or `SAMEORIGIN` |
| Missing X-Content-Type-Options | Add `X-Content-Type-Options: nosniff` |
| Missing Referrer-Policy | Add `Referrer-Policy: strict-origin-when-cross-origin` |
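The following is an added example, not PerfLeaf’s own scanner code, showing how the checks in the “What’s checked” table and the header values in the “Common fixes” table can be verified against a captured response before a scan. The check names and recommended values come from this page; the function names, the one-year minimum HSTS lifetime used as a pass threshold, the set of HTML tags treated as sub-resource loads, and the sample response are assumptions made for the illustration.

```python
"""Header and mixed-content checker for the checks listed on this page.

Added example, not PerfLeaf's own code. Check names and recommended
header values are taken from the page; everything else (function names,
thresholds, the constructed sample response) is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: treat HSTS as passing only if max-age is at least one year,
# matching the value recommended in the "Common fixes" table.
MIN_HSTS_MAX_AGE = 31536000


class _ResourceCollector(HTMLParser):
    """Collect URLs from tags/attributes that trigger sub-resource loads.

    Plain <a href> links are deliberately excluded: navigating to an
    HTTP page is not mixed content, loading an HTTP resource is.
    """
    LOAD_TAGS = {
        "script": ("src",), "img": ("src",), "iframe": ("src",),
        "link": ("href",), "source": ("src",), "video": ("src", "poster"),
        "audio": ("src",), "object": ("data",), "embed": ("src",),
    }

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LOAD_TAGS.get(tag)
        if not wanted:
            return
        attr = dict(attrs)
        for name in wanted:
            if attr.get(name):
                self.urls.append(attr[name])


def find_mixed_content(page_url, html):
    """Return the http:// sub-resource URLs referenced from an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    collector = _ResourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]


def check_security(page_url, headers, html=""):
    """Evaluate each check; returns {check name: True (pass) / False (fail)}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    results = {}
    results["HTTPS"] = urlsplit(page_url).scheme == "https"
    results["Mixed content"] = not find_mixed_content(page_url, html)
    results["CSP"] = bool(h.get("content-security-policy"))
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    results["HSTS"] = bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE
    results["X-Content-Type-Options"] = h.get("x-content-type-options", "").lower() == "nosniff"
    results["X-Frame-Options"] = h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"}
    results["Referrer-Policy"] = bool(h.get("referrer-policy"))
    return results


def failing_checks(results):
    """Names of the checks that would count against the security score."""
    return [name for name, ok in results.items() if not ok]


# Constructed sample response (not a real site) used for the demonstration.
SAMPLE_URL = "https://www.example.com/"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    # Content-Security-Policy and Referrer-Policy are deliberately absent.
}
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/app.css">
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<a href="http://www.example.org/">a plain link, not a sub-resource</a>
<img src="/images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    res = check_security(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)
    for name, ok in res.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("mixed content:", find_mixed_content(SAMPLE_URL, SAMPLE_HTML))
    print("failing:", failing_checks(res))
```

On the constructed sample, HTTPS, HSTS, X-Content-Type-Options and X-Frame-Options pass, while Mixed content (the HTTP `legacy.js` script), CSP and Referrer-Policy fail; the `<a href>` to an HTTP page is correctly ignored because it is a navigation link rather than a loaded resource. Header names are compared case-insensitively, since servers and CDNs emit them in varying case.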