https://nu11cyber.com
Security
· 32 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.SCORE
98
GRADE
A+
FIX
0
REVIEW
1
PASS
31
INFO
0
Checks
3231 PASS 1 REVIEW
BCORS ConfigurationNo CORS headersREVIEW
CORS Configuration
No CORS headers
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration ✓ Secure
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
A+Security Headers10 of 10 headers properly configuredPASS
Security Headers
10 of 10 headers properly configured
10 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=31536000; includeSubDomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Info::
Referrer-Policy is properly configured
Got: same-origin
Info::
Permissions-Policy is set
Got: camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=()
Info::
Content-Security-Policy is present
Got: default-src 'self'; script-src 'self' 'sha256-LwlyZ40NRTXa//NUj9jB46qFF2SwkODu0W…
Info::
Cross-Origin-Opener-Policy is properly configured
Got: same-origin
Info::
Cross-Origin-Embedder-Policy is set
Got: credentialless
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: cloudflare
Info::
Domain is not in the Chrome HSTS preload list (status: unknown)
Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).
Got: unknown
Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).
Why this matters
Not in the Chrome preload list — first-time visitors over plain HTTP can be downgraded by a network attacker before HSTS kicks in.
Learn more ▾ ▴
The HSTS header only protects users who have already visited the site (TOFU window). Adding your domain to the Chrome preload list closes that gap so HSTS is enforced from the very first connection. Requires a preload-ready header (max-age=31536000+, includeSubDomains, preload) then submission at hstspreload.org. Inclusion ships in the next Chrome release after acceptance.
Source: hstspreload.org
A+Content Security Policy9 of 11 CSP checks passedPASS
Content Security Policy
9 of 11 CSP checks passed
9 of 11 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self'; script-src 'self' 'sha256-LwlyZ40NRTXa//NUj9jB46qFF2SwkODu0WXpcXI2VL0=' https://images.dmca.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://github.com https://*.githubusercontent.com https://images.dmca.com https://beavercheck.com; font-src 'self'; connect-src 'self' https://static.cloudflareinsights.com; frame-ancestors 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
Info::
default-src directive is set
Got: default-src 'self'
Info::
No 'unsafe-inline' in script source
Info::
No 'unsafe-eval' in script source
Info::
No wildcard in script source
Info::
object-src is set to 'none'
Got: object-src 'none'
Info::
base-uri is properly restricted
Got: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'self'
Info::
form-action directive is set
Got: form-action 'self'
Info::
upgrade-insecure-requests is enabled
Info::
Content-Security-Policy-Report-Only is also set
A report-only policy is active alongside the enforcing policy for monitoring.
Got: require-trusted-types-for 'script'; trusted-types default
A report-only policy is active alongside the enforcing policy for monitoring.
Why this matters
Running enforcing + Report-Only in parallel lets you test stricter directives safely before promoting them.
Source: MDN CSP
Parsed Policy
default-src 'self'
script-src 'self''sha256-LwlyZ40NRTXa//NUj9jB46qFF2SwkODu0WXpcXI2VL0='https://images.dmca.comhttps://static.cloudflareinsights.com
style-src 'self''unsafe-inline'
img-src 'self'data:blob:https://github.comhttps://*.githubusercontent.comhttps://images.dmca.comhttps://beavercheck.com
font-src 'self'
connect-src 'self'https://static.cloudflareinsights.com
frame-ancestors 'self'
frame-src 'none'
object-src 'none'
base-uri 'self'
form-action 'self'
upgrade-insecure-requests
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
TLS & Certificates
TLS 1.3, 7 checks passed
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_CHACHA20_POLY1305_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
OCSP stapling not enabled
Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.
Info::
Certificate is valid (expires in 87 days)
Got: 2026-08-26T04:24:54Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: ECDSA-SHA384
Info::
Certificate covers 2 domain(s)
Got: *.nu11cyber.com, nu11cyber.com
Info::
Certificate is issued by a trusted CA
Got: CN=E7,O=Let's Encrypt,C=US
HTTP/2 provides multiplexing and header compression for better performance.
Why this matters
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.
Why this matters
Without OCSP stapling, every first-time visitor pays an extra OCSP roundtrip — and the CA learns who's visiting your site.
Learn more ▾ ▴
OCSP stapling has the server fetch its own revocation status from the CA and attach the signed response to the TLS handshake. Without it, browsers contact the CA directly: extra latency for the user and a privacy leak (the CA sees who connected). Enable ssl_stapling on (nginx) / SSLUseStapling On (Apache) / OCSPStapling = on (Caddy auto-enables).
Source: RFC 6961 / Mozilla Server-Side TLS guide
Connection
Protocol
TLS 1.3
Cipher Suite
TLS_CHACHA20_POLY1305_SHA256
HTTP Version
HTTP/1.1
Certificate Chain
Leaf Certificate
Subject CN=nu11cyber.comIssuer CN=E7,O=Let's Encrypt,C=USValid 2026-05-28T04:24:55Z → 2026-08-26T04:24:54ZExpires in 87 days SANs *.nu11cyber.com, nu11cyber.comSignature ECDSA-SHA384Serial 691ae9aa38bb0f73ebb9f3262f815a5cdb7
Intermediate (CA Certificate)
Subject CN=E7,O=Let's Encrypt,C=USIssuer CN=ISRG Root X1,O=Internet Security Research Group,C=USValid 2024-03-13T00:00:00Z → 2027-03-12T23:59:59ZExpires in 286 days Signature SHA256-RSASerial aa75f1e62b8f0a220966d38bbfd4baa1
AWAF / Bot ProtectionCloudflarePASS
WAF / Bot Protection
Cloudflare
Cloudflare
Info::
Cloudflare detected
Detected via: cf-ray: a03bf4c73b17ce8b-SIN
Got: Cloudflare
A+security.txtVulnerability disclosure policyPASS
security.txt
Vulnerability disclosure policy
Vulnerability disclosure policy
Info::
security.txt found
Got: https://nu11cyber.com/.well-known/security.txt
security.txt
Contact: mailto:contact@nu11cyber.com
Expires: 2027-05-28T00:00:00.000Z
Policy: https://nu11cyber.com/.well-known/security.txt
A+Cross-Origin Tab SafetyNo new-tab links found -- no tabnabbing surfacePASS
Cross-Origin Tab Safety
No new-tab links found -- no tabnabbing surface
No new-tab links found -- no tabnabbing surface
Info::
No new-tab links present
A+CSP Inline-Style ReadinessNo inline style attributes -- strict CSP is feasiblePASS
CSP Inline-Style Readiness
No inline style attributes -- strict CSP is feasible
No inline style attributes -- strict CSP is feasible
Info::
No inline style attributes detected
A+Trusted Types (XSS Sink Hardening)Trusted Types in report-only mode -- rollout in progressPASS
Trusted Types (XSS Sink Hardening)
Trusted Types in report-only mode -- rollout in progress
Trusted Types in report-only mode -- rollout in progress
Info::
Trusted Types running in report-only mode -- enforcement rollout in progress
Got: require-trusted-types-for 'script'; trusted-types default
A+Bot Challenge DetectionScan reached real page content (no bot-protection interstitial)PASS
Bot Challenge Detection
Scan reached real page content (no bot-protection interstitial)
Scan reached real page content (no bot-protection interstitial)
Info::
No bot-protection interstitial detected -- the rest of the report reflects the real page
A+Soft-404 DetectionNo soft-404 patterns detected in page title or headingsPASS
Soft-404 Detection
No soft-404 patterns detected in page title or headings
No soft-404 patterns detected in page title or headings
Info::
No soft-404 patterns detected in page title or headings
A+Empty Page DetectionPage has substantive body text and no placeholder / template-leak signalsPASS
Empty Page Detection
Page has substantive body text and no placeholder / template-leak signals
Page has substantive body text and no placeholder / template-leak signals
Info::
Page has substantive body text and no placeholder / template-leak signals
A+Geo-Restriction DetectionNo geo-restriction signals detected -- scan reached the page from an allowed regionPASS
Geo-Restriction Detection
No geo-restriction signals detected -- scan reached the page from an allowed region
No geo-restriction signals detected -- scan reached the page from an allowed region
Info::
No geo-restriction detected
A+Maintenance Mode DetectionNo maintenance-mode signals detected -- scan reached a normal pagePASS
Maintenance Mode Detection
No maintenance-mode signals detected -- scan reached a normal page
No maintenance-mode signals detected -- scan reached a normal page
Info::
No maintenance-mode signals detected
A+Subresource Integrity Adoption100% SRI adoption (2/2 third-party resources)PASS
Subresource Integrity Adoption
100% SRI adoption (2/2 third-party resources)
100% SRI adoption (2/2 third-party resources)
Info::
SRI adoption: 2/2 third-party resources protected (100%)
Of 2 third-party `<script>` / `<link rel=stylesheet>` resources, 2 (100%) declare a Subresource Integrity hash via the `integrity=` attribute. SRI binds the page to the exact bytes of the third-party resource: if the CDN is compromised, attacker-modified bytes won't match the declared hash and the browser refuses to execute the resource.
Fix: add `integrity="sha384-..."` and `crossorigin="anonymous"` attributes. Generators: srihash.org, or in-browser via `await crypto.subtle.digest('SHA-384', bytes)`. Cache-bust the resource URL when you change versions, since the integrity hash will mismatch with old cached bytes.
Got: 100% (2/2)
A+CORS DepthNo CORS response headers -- the resource is same-origin-only by browser defaultPASS
CORS Depth
No CORS response headers -- the resource is same-origin-only by browser default
No CORS response headers -- the resource is same-origin-only by browser default
Info::
No CORS response headers -- the resource is same-origin-only by browser default
APermissions-Policy Granularity70% high-risk feature coverage (7/10)PASS
Permissions-Policy Granularity
70% high-risk feature coverage (7/10)
70% high-risk feature coverage (7/10)
Info::
Permissions-Policy covers 7/10 high-risk features (70%)
The Permissions-Policy header explicitly declares policies for 7/10 high-risk features.
Covered: camera, microphone, geolocation, payment, usb, accelerometer, gyroscope
Not declared (default-allow): serial, midi, magnetometer
The non-declared features fall back to their spec-default policy (usually `self`), which means an XSS-injected or compromised iframe could request them. For features the page genuinely doesn't use, declare `feature=()` to fully close them.
Got: 70% (7/10)
A+Referrer-Policy StrictnessReferrer-Policy is `same-origin` (strict -- Referer sent only on same-origin requests)PASS
Referrer-Policy Strictness
Referrer-Policy is `same-origin` (strict -- Referer sent only on same-origin requests)
Referrer-Policy is `same-origin` (strict -- Referer sent only on same-origin requests)
Info::
Referrer-Policy: `same-origin` -- strict -- Referer sent only on same-origin requests
Full URL Referer header on same-origin requests; no Referer at all on cross-origin. Strong privacy posture; same-origin analytics still work.
Got: same-origin
A+Source Map ExposureNo source maps accessible (probed 2 candidate URL(s))PASS
Source Map Exposure
No source maps accessible (probed 2 candidate URL(s))
No source maps accessible (probed 2 candidate URL(s))
Info::
No source maps accessible across 2 probed candidate(s)
A+HTML Version DisclosureNo software-version disclosures in HTMLPASS
HTML Version Disclosure
No software-version disclosures in HTML
No software-version disclosures in HTML
Info::
No software-version disclosures in HTML
A+Open Redirect SurfaceNo redirect-shaped query parameters in DOM linksPASS
Open Redirect Surface
No redirect-shaped query parameters in DOM links
No redirect-shaped query parameters in DOM links
Info::
No redirect-shaped query parameters in DOM links
A+Auth SecurityPage is not a login form -- auth-security checks are N/APASS
Auth Security
Page is not a login form -- auth-security checks are N/A
Page is not a login form -- auth-security checks are N/A
Info::
Page does not appear to be a login form
A+Subdomain Inventory ExposureNo risky subdomain names in certificate SANsPASS
Subdomain Inventory Exposure
No risky subdomain names in certificate SANs
No risky subdomain names in certificate SANs
Info::
No risky subdomain names in certificate SANs
A+Subresource Integrity2 of 2 external resources have SRIPASS
Subresource Integrity
2 of 2 external resources have SRI
2 of 2 external resources have SRI
Info::
script from images.dmca.com has SRI protection
Info::
script from static.cloudflareinsights.com has SRI protection
SRI Coverage 2 / 2 of external resources have integrity hashes
| Tag | Domain | Integrity |
|---|---|---|
| <script> | images.dmca.com | ✓ Protected |
| <script> | static.cloudflareinsights.com | ✓ Protected |
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
JS Library Vulnerabilities
No known vulnerabilities
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
Information Leakage
No exposures
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✗ Exposed | Security Policy | Info |
| /package.json | ✓ Not found | dependency-manifest | — |
| /composer.json | ✓ Not found | dependency-manifest | — |
| /Gemfile | ✓ Not found | dependency-manifest | — |
| /Gemfile.lock | ✓ Not found | dependency-manifest | — |
| /requirements.txt | ✓ Not found | dependency-manifest | — |
| /pom.xml | ✓ Not found | dependency-manifest | — |
| /.gitlab-ci.yml | ✓ Not found | ci-config | — |
| /.travis.yml | ✓ Not found | ci-config | — |
A+Email SecurityDMARC: reject, SPF: -all, DKIM, TLS-RPTPASS
Email Security
DMARC: reject, SPF: -all, DKIM, TLS-RPT
DMARC: reject, SPF: -all, DKIM, TLS-RPT
Info::
DMARC policy is reject — strongest protection
Info::
SPF ends in -all (hard fail) — strongest setting
Info::
DKIM configured (selectors: key, pm, mlsend2, mailgun, mxvault, protonmail2, google, selector1, key2, fm1, ed25519, sendgrid, s1024, s2, dkim, mandrill, protonmail, k1, fm2, smtpapi, scph1019, s1, scph0316, k2, smtp, scph0817, s2048, klaviyo1, everlytickey2, mlsend1, selector2, amazonses, fm3, klaviyo2, key1, protonmail3, zoho, default, everlytickey1, mail, mta, intercom)
Warning::
MTA-STS DNS record present but policy file missing
The _mta-sts TXT record exists but the policy file at the mta-sts subdomain is unreachable. Senders cannot enforce MTA-STS without both.
Info::
TLS-RPT configured
Got: mailto:contact@nu11cyber.com
Info::
BIMI not configured
BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.
DMARC
Policy reject — strongest protection Record v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:29e8d00869734f529c8aa5422fc21430@dmarc-reports.cloudflare.net;
The _mta-sts TXT record exists but the policy file at the mta-sts subdomain is unreachable. Senders cannot enforce MTA-STS without both.
Why this matters
MTA-STS is half-deployed — senders see the TXT record but can't fetch the policy, so enforcement falls back to opportunistic TLS.
Learn more ▾ ▴
Both halves are required: the _mta-sts TXT record (versioned policy ID) AND the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Publish the policy file and verify it returns 200 with Content-Type: text/plain.
Source: RFC 8461 §3
BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.
Why this matters
Security gaps expose your site and users to attacks, eroding trust.
A+API SurfaceNo API specs or GraphQL introspection found (probed 11 candidate path(s))PASS
API Surface
No API specs or GraphQL introspection found (probed 11 candidate path(s))
No API specs or GraphQL introspection found (probed 11 candidate path(s))
Info::
No API specs or GraphQL introspection found (probed 11 path(s))
A+Permissions-Policy7 directives, 0 missingPASS
Permissions-Policy
7 directives, 0 missing
7 directives, 0 missing
Info::
camera=() — blocked for all origins
Info::
microphone=() — blocked for all origins
Info::
geolocation=() — blocked for all origins
Info::
payment=() — blocked for all origins
Info::
usb=() — blocked for all origins
Info::
accelerometer=() — blocked for all origins
Info::
gyroscope=() — blocked for all origins
Raw Header
camera=() microphone=() geolocation=() payment=() usb=() accelerometer=() gyroscope=()
Feature Permissions
Blocked Self Only Unrestricted Not Set
camera Blocked
microphone Blocked
geolocation Blocked
payment Blocked
usb Blocked
accelerometer Blocked
gyroscope Blocked
A+Transport SecurityHTTP/3, HSTS, and TLS version analysisPASS
Transport Security
HTTP/3, HSTS, and TLS version analysis
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) supported
The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.