This is a very general term.
This comes down to your enumeration capabilities
Can you find anything that is sensitive to that website?
- Credentials
- Backups
- Source code
- Anything else that you or the public/unauthenticated user shouldn't have access to
View the security headers obtained from the requests.
This includes:
- Strict-Transport-Security
- Referrer-Policy
- Feature-Policy
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- etc.