Security
· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.FSecurity HeadersAction2 of 10 headers properly configuredFIX
Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks. Add the header with a max-age of at least 1 year.
max-age=31536000; includeSubDomainsWithout HSTS, a network attacker can downgrade the very first connection to HTTP and steal the user's session.
Learn more ▾ ▴
HSTS tells browsers 'never speak HTTP to this domain again.' Without it, a network attacker (public WiFi, malicious ISP, hostile DNS) intercepts the first HTTP attempt and serves a downgraded version of your site. One header, big surface reduction.
Source: RFC 6797 / OWASP
This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.
nosniffMIME sniffing lets browsers run uploaded files as JavaScript, turning a file upload into an XSS.
Learn more ▾ ▴
Setting X-Content-Type-Options: nosniff tells browsers to trust your declared Content-Type instead of guessing. Without it, an attacker who uploads a polyglot file can sometimes get it executed as a script. One header, no downside.
Source: OWASP / MDN
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
DENYWithout frame protection, your site can be embedded in a hostile page and used for clickjacking.
Learn more ▾ ▴
Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.
Source: OWASP / MDN
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
strict-origin-when-cross-originDefault browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.
Learn more ▾ ▴
Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.
Source: MDN / W3C
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
geolocation=(), camera=(), microphone=()Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.
Learn more ▾ ▴
By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.
Source: MDN / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
same-originCOOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
require-corpCOEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
This header discloses server technology (e.g. Express, PHP), helping attackers target known vulnerabilities. Remove it.
X-Powered-By: PHP/7.4.3 advertises your stack to attackers — disable it.
Learn more ▾ ▴
X-Powered-By and similar headers (X-AspNet-Version, X-Runtime) tell attackers which versions to target. Disable in your server/framework config: PHP `expose_php=Off`, ASP.NET `<httpRuntime enableVersionHeader="false">`, Express `app.disable('x-powered-by')`.
Source: OWASP
FSubresource IntegrityAction0 of 1 external resources have SRIFIX
| Tag | Domain | Integrity |
|---|---|---|
| <script> | www.googletagmanager.com | ✗ Missing |
DPermissions-PolicyActionNo header setFIX
No Permissions-Policy header set.
Without this header, embedded iframes can request access to sensitive device features.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
Dsecurity.txtActionNo /.well-known/security.txt publishedFIX
security.txt
No security.txt found at /.well-known/security.txt
BCORS ConfigurationNo CORS headersREVIEW
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
BTransport SecurityHTTP/3, HSTS, and TLS version analysisREVIEW
AContent Security Policy7 of 10 CSP checks passedPASS
form-action restricts where forms can submit data, preventing form hijacking.
form-action 'self'Security gaps expose your site and users to attacks, eroding trust.
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
upgrade-insecure-requestsWithout upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.
Learn more ▾ ▴
Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.
Source: MDN CSP
Parsed Policy
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
HTTP/2 provides multiplexing and header compression for better performance.
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Certificate Chain
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✓ Not found | Security Policy | — |