forbes.com

https://www.forbes.com/ · status 200 · checked 5/14/2026, 11:57:55 PM · 55ms

followed 1 redirect: 301 forbes.com/ → 200 www.forbes.com/ → 200

Multiple headers missing or weak.

Warnings

CSP has no default-src or script-src.

Strict-Transport-Security

preload listedgood

max-age: 31536000
includeSubDomains: yes
preload: yes

max-age=31536000; includeSubDomains; preload

Domain is on the HSTS preload list (via forbes.com).

Content-Security-Policy

weak

upgrade-insecure-requests

default-srcabsentframe-ancestorsabsent'unsafe-inline'absent'unsafe-eval'absent

All directives (1)

upgrade-insecure-requests(empty)

No default-src or script-src directive.

X-Frame-Options

good

SAMEORIGIN

X-Content-Type-Options

missing

X-Content-Type-Options header is not set.

Referrer-Policy

good

strict-origin-when-cross-origin

Permissions-Policy

good

unload=()

Cross-Origin-Opener-Policy

missing

Cross-Origin-Opener-Policy header is not set.

Cross-Origin-Embedder-Policy

missing

Cross-Origin-Embedder-Policy header is not set.

Cross-Origin-Resource-Policy

missing

Cross-Origin-Resource-Policy header is not set.

Server disclosure

Server: istio-envoy
X-Powered-By: (not exposed)

Recommendations

Add X-Content-Type-Options: nosniff to stop MIME-sniffing-based attacks.

Auto-fix: copy these headers into your server config

add_header X-Content-Type-Options nosniff always;

Add inside the server { ... } block (or location / for path-scoped).
Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.

AI-assisted remediation

Want a tailored fix plan in plain English?

Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to forbes.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.

ProSee Pro plans→

Check another domain

Or share this URL with the team that owns the records.