fidelity.com

https://www.fidelity.com/ · status 200 · checked 5/14/2026, 11:57:04 PM · 780ms

followed 1 redirect: 301 fidelity.com/ → 200 www.fidelity.com/ → 200

Major gaps in defensive headers.

Warnings

No Content-Security-Policy. The biggest single XSS mitigation is missing.

Strict-Transport-Security

good

max-age: 31536000
includeSubDomains: yes
preload: no

max-age=31536000; includeSubDomains

Content-Security-Policy

missing

Content-Security-Policy header is not set.

X-Frame-Options

good

SAMEORIGIN

X-Content-Type-Options

good

nosniff

Referrer-Policy

weak

no-referrer-when-downgrade

'no-referrer-when-downgrade' leaks referrer info more than recommended; prefer strict-origin-when-cross-origin.

Permissions-Policy

missing

Permissions-Policy header is not set.

Cross-Origin-Opener-Policy

missing

Cross-Origin-Opener-Policy header is not set.

Cross-Origin-Embedder-Policy

missing

Cross-Origin-Embedder-Policy header is not set.

Cross-Origin-Resource-Policy

missing

Cross-Origin-Resource-Policy header is not set.

Server disclosure

Server: Apache
X-Powered-By: (not exposed)

Recommendations

Once includeSubDomains and a long max-age are stable, submit to the HSTS preload list at hstspreload.org.
Start with a tight CSP, e.g. default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'. Iterate from there.
Add Permissions-Policy to disable browser features you do not need (camera, microphone, geolocation, etc.).

Auto-fix: copy these headers into your server config

add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
# Tight starting policy. Iterate by inspecting CSP-Report-Only violations on a staging branch first.
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
# Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.

Add inside the server { ... } block (or location / for path-scoped).
Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.

AI-assisted remediation

Want a tailored fix plan in plain English?

Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to fidelity.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.

ProSee Pro plans→

Check another domain

Or share this URL with the team that owns the records.