HTTP Observatory Report: www.who.int

| Score | Rule | Description |
|---|---|---|
| -20 | content-security-policy | Content Security Policy (CSP) implemented unsafely. |
| -5 | subresource-integrity | Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS. |
| 0 | x-content-type-options | X-Content-Type-Options header set to "nosniff". |
| 0 | cross-origin-resource-sharing | Public content is visible via cross-origin resource sharing (CORS) Access-Control-Allow-Origin header. |
| 0 | redirection | Initial redirection is to HTTPS on same host, final destination is HTTPS. |
| 0 | contribute | Contribute.json isn't required on websites that don't belong to Mozilla. |
| 0 | strict-transport-security | HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000). |
| 0 | x-xss-protection | Deprecated X-XSS-Protection header set to "1; mode=block". |
| 0 | referrer-policy | Referrer-Policy header set to "no-referrer-when-downgrade". |
| 5 | cookies | All cookies use the Secure flag, session cookies use the HttpOnly flag, and cross-origin restrictions are in place via the SameSite flag. |
| 5 | x-frame-options | X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive. |

Score: 75
Grade: B

Full Report Url: https://observatory.mozilla.org/analyze.html?host=www.who.int