uhc.com

https://www.uhc.com/ · status 403 · checked 5/14/2026, 11:57:16 PM · 131ms

followed 1 redirect: 301 uhc.com/ → 403 www.uhc.com/ → 403

Severe gaps in defensive headers.

Warnings

No HSTS header AND not on the HSTS preload list. Browsers will not enforce HTTPS on first visit.
No Content-Security-Policy. The biggest single XSS mitigation is missing.
No X-Frame-Options or CSP frame-ancestors. Site can be embedded in a malicious iframe.

Strict-Transport-Security

missing

Strict-Transport-Security header is not set, and the domain is not on the HSTS preload list.

Content-Security-Policy

missing

Content-Security-Policy header is not set.

X-Frame-Options

missing

X-Frame-Options header is not set.

X-Content-Type-Options

missing

X-Content-Type-Options header is not set.

Referrer-Policy

missing

Referrer-Policy header is not set.

Permissions-Policy

missing

Permissions-Policy header is not set.

Cross-Origin-Opener-Policy

missing

Cross-Origin-Opener-Policy header is not set.

Cross-Origin-Embedder-Policy

missing

Cross-Origin-Embedder-Policy header is not set.

Cross-Origin-Resource-Policy

missing

Cross-Origin-Resource-Policy header is not set.

Server disclosure

Server: CloudFront
X-Powered-By: (not exposed)

Recommendations

Add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, then submit to hstspreload.org.
Start with a tight CSP, e.g. default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'. Iterate from there.
Add X-Frame-Options: DENY (or use CSP frame-ancestors).
Add X-Content-Type-Options: nosniff to stop MIME-sniffing-based attacks.
Add Referrer-Policy: strict-origin-when-cross-origin to limit referrer leaks.
Add Permissions-Policy to disable browser features you do not need (camera, microphone, geolocation, etc.).

Auto-fix: copy these headers into your server config

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# After 30+ days at this max-age with includeSubDomains, submit at hstspreload.org.
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
# Tight starting policy. Iterate by inspecting CSP-Report-Only violations on a staging branch first.
add_header X-Frame-Options DENY always;
# Backstop for older browsers; CSP frame-ancestors handles modern ones.
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
# Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.

Add inside the server { ... } block (or location / for path-scoped).
Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.

AI-assisted remediation

Want a tailored fix plan in plain English?

Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to uhc.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.

ProSee Pro plans→

Check another domain

Or share this URL with the team that owns the records.