salesforce.com

https://www.salesforce.com/?bc=DB · status 200 · checked 5/14/2026, 11:57:45 PM · 175ms

followed 2 redirects: 301 salesforce.com/ → 302 www.salesforce.com/ → 200 www.salesforce.com/ → 200

Major gaps in defensive headers.

Warnings

HSTS max-age=86400 is shorter than the 6-month minimum for HSTS preload.
No Content-Security-Policy. The biggest single XSS mitigation is missing.

Strict-Transport-Security

preload listedweak

max-age: 86400
includeSubDomains: no
preload: no

max-age=86400

max-age=86400 is shorter than 6 months (15768000s).
includeSubDomains not set.
Domain is on the HSTS preload list (via salesforce.com).

Content-Security-Policy

missing

Content-Security-Policy header is not set.

X-Frame-Options

good

SAMEORIGIN

X-Content-Type-Options

good

nosniff

Referrer-Policy

good

strict-origin-when-cross-origin

Permissions-Policy

missing

Permissions-Policy header is not set.

Cross-Origin-Opener-Policy

missing

Cross-Origin-Opener-Policy header is not set.

Cross-Origin-Embedder-Policy

missing

Cross-Origin-Embedder-Policy header is not set.

Cross-Origin-Resource-Policy

missing

Cross-Origin-Resource-Policy header is not set.

Server disclosure

Server: (not exposed)
X-Powered-By: (not exposed)

Recommendations

Add includeSubDomains to HSTS so subdomains are also forced to HTTPS.
Once includeSubDomains and a long max-age are stable, submit to the HSTS preload list at hstspreload.org.
Start with a tight CSP, e.g. default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'. Iterate from there.
Add Permissions-Policy to disable browser features you do not need (camera, microphone, geolocation, etc.).

Auto-fix: copy these headers into your server config

add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
# Tight starting policy. Iterate by inspecting CSP-Report-Only violations on a staging branch first.
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
# Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.

Add inside the server { ... } block (or location / for path-scoped).
Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.

AI-assisted remediation

Want a tailored fix plan in plain English?

Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to salesforce.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.

ProSee Pro plans→

Check another domain

Or share this URL with the team that owns the records.