# Web security playground

View this page in various browsers to observe how they handle different aspects of web security. Most browsers include development tools that will allow you to inspect various aspects of your browser’s behavior.

## HTTPS Strict Transport Security

This web server makes use of HTTPS Strict Transport Security. You should find that it provides a Strict-Transport-Security field in its response headers.

## Mixed passive content

The following image is fetched using HTTP. Many browsers will log to their console the presence of mixed passive content, and they might indicate this with a broken security lock.

Source:
<img src="http://nacl.cr.yp.to/cace-logo-25.png"/>

## Mixed active content

The following “script” is fetched using HTTP. Many browsers will refuse to load this mixed active content, and many will log this refusal to their console.

<script src="http://cr.yp.to/"></script>

<script>
document.cookie = "name4=val4; Path=/; SameSite=None; Secure"
</script>