From 0a7aff701ee1b3924f7233bbad13c6cfdbef0294 Mon Sep 17 00:00:00 2001
From: potato-20
Date: Sat, 6 Jun 2026 16:27:55 +0530
Subject: [PATCH] Report additional modern security headers as INFO

Adds X-Permitted-Cross-Domain-Policies (already highlighted in emphasize_stuff_in_headers() but never reported), Origin-Agent-Cluster, Document-Policy, Clear-Site-Data, Reporting-Endpoints, Report-To and NEL to run_security_headers(), all presence-only/INFO, matching how COOP/COEP/CORP were added in #2619.
---
 testssl.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index fbf4a8f..f43bdea 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3609,7 +3609,14 @@ run_security_headers() {
 "Referrer-Policy INFO" \
 "X-UA-Compatible INFO" \
 "Cache-Control INFO" \
- "Pragma INFO"; do
+ "Pragma INFO" \
+ "X-Permitted-Cross-Domain-Policies INFO" \
+ "Origin-Agent-Cluster INFO" \
+ "Document-Policy INFO" \
+ "Clear-Site-Data INFO" \
+ "Reporting-Endpoints INFO" \
+ "Report-To INFO" \
+ "NEL INFO"; do
 read header svrty <<< "${header_and_svrty}"
 [[ "$DEBUG" -ge 5 ]] && echo "testing \"$header\" (severity \"$svrty\")"
 match_httpheader_key "$header" "$header" "$spaces" "$first"
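Review bot: Several of the added entries are listed by presence alone although their value decides whether they harden or weaken the response: `X-Permitted-Cross-Domain-Policies: all` and `Origin-Agent-Cluster: ?0` are permissive settings, while `Report-To`, `Reporting-Endpoints` and `NEL` only configure report delivery and protect nothing by themselves. The loop's `for` line and the rest of its body are outside the hunk, so how the value is printed cannot be confirmed from here. If it is shown unevaluated at INFO, a comment above the loop would keep readers from taking presence as a positive finding, e.g. `# entries below are presence-only; values are not evaluated (X-Permitted-Cross-Domain-Policies: all is permissive)`. `Clear-Site-Data` is typically sent only on logout-style responses, so it will rarely show up on the URL being probed; that is worth saying in the same comment.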