Security headers for https://www.ft.com/ · status 403 · checked 5/14/2026, 11:57:06 PM · 65ms
followed 1 redirect: 301 ft.com/ → 403 www.ft.com/ → 403
Functional. A few headers missing or weak.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=(),xr-spatial-tracking=(self)
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always; # Tight starting policy. Iterate by inspecting CSP-Report-Only violations on a staging branch first.