trendmicro.com

https://www.trendmicro.com/en_us/business.html · status 200 · checked 5/14/2026, 11:57:15 PM · 829ms

followed 2 redirects: 301 trendmicro.com/ → 301 www.trendmicro.com/ → 200 www.trendmicro.com/en_us/business.html → 200

Major gaps in defensive headers.

Warnings

No HSTS header AND not on the HSTS preload list. Browsers will not enforce HTTPS on first visit.
CSP includes 'unsafe-inline'. This negates most of the XSS protection from CSP.
CSP includes 'unsafe-eval'. Removes a layer of defense against script injection.

Strict-Transport-Security

missing

Strict-Transport-Security header is not set, and the domain is not on the HSTS preload list.

Content-Security-Policy

weak

default-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: data: blob: wss: mediastream: android-webview-video-poster: ms-appx-web: gsa: endlesspic: ms-browser-extension chrome-extension asset * ; frame-ancestors 'self' https://*.trendmicro.com https://resources.trendmicro.com

default-srcpresentframe-ancestorspresent'unsafe-inline'present'unsafe-eval'present

All directives (2)

default-src'self' 'unsafe-inline' 'unsafe-eval' http: https: data: blob: wss: mediastream: android-webview-video-poster: ms-appx-web: gsa: endlesspic: ms-browser-extension chrome-extension asset *
frame-ancestors'self' https://*.trendmicro.com https://resources.trendmicro.com

'unsafe-inline' weakens script and style restrictions.

X-Frame-Options

good

SAMEORIGIN

X-Content-Type-Options

good

nosniff

Referrer-Policy

missing

Referrer-Policy header is not set.

Permissions-Policy

missing

Permissions-Policy header is not set.

Cross-Origin-Opener-Policy

missing

Cross-Origin-Opener-Policy header is not set.

Cross-Origin-Embedder-Policy

missing

Cross-Origin-Embedder-Policy header is not set.

Cross-Origin-Resource-Policy

missing

Cross-Origin-Resource-Policy header is not set.

Server disclosure

Server: nginx
X-Powered-By: (not exposed)

Recommendations

Add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, then submit to hstspreload.org.
Add Referrer-Policy: strict-origin-when-cross-origin to limit referrer leaks.
Add Permissions-Policy to disable browser features you do not need (camera, microphone, geolocation, etc.).

Auto-fix: copy these headers into your server config

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# After 30+ days at this max-age with includeSubDomains, submit at hstspreload.org.
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
# Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.

Add inside the server { ... } block (or location / for path-scoped).
Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.

AI-assisted remediation

Want a tailored fix plan in plain English?

Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to trendmicro.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.

ProSee Pro plans→

Check another domain

Or share this URL with the team that owns the records.