Security - https://cepr.org BeaverCheck Audit

F

Subresource Integrity

Action

0 of 9 external resources have SRI

FIX

0 of 9 external resources have SRI

External link from use.typekit.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://use.typekit.net/oub2dog.css

External link from fonts.googleapis.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://fonts.googleapis.com/css2?family=Source+Serif+Pro:ital,wght@0,400;0,700;1,400;1,700&display=swap

External link from cdnjs.cloudflare.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://cdnjs.cloudflare.com/ajax/libs/magnific-popup.js/1.1.0/magnific-popup.min.css

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=G-78MFZJW65N&cx=c&gtm=4e64k1

External script from www.bugherd.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: //www.bugherd.com/sidebarv2.js?apikey=n55oqaersfxg8q7cixtwkg

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtm.js?id=GTM-PHC2J8R

External script from analytics.ahrefs.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.ahrefs.com/analytics.js

External script from cdnjs.cloudflare.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://cdnjs.cloudflare.com/ajax/libs/jquery-throttle-debounce/1.1/jquery.ba-throttle-debounce.min.js

External script from cdnjs.cloudflare.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://cdnjs.cloudflare.com/ajax/libs/svg4everybody/2.1.9/svg4everybody.min.js

SRI Coverage 0 / 9 of external resources have integrity hashes

Tag	Domain	Integrity
<link>	use.typekit.net	✗ Missing
<link>	fonts.googleapis.com	✗ Missing
<link>	cdnjs.cloudflare.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.bugherd.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	analytics.ahrefs.com	✗ Missing
<script>	cdnjs.cloudflare.com	✗ Missing
<script>	cdnjs.cloudflare.com	✗ Missing

D

Permissions-Policy

Action

No header set

FIX

No header set

No Permissions-Policy header

Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()

D

security.txt

Action

No /.well-known/security.txt published

FIX

security.txt

No security.txt found at /.well-known/security.txt

C

Security Headers

Action

6 of 10 headers properly configured

REVIEW

6 of 10 headers properly configured

HSTS max-age is too short (1000s, should be ≥ 31536000s)

A short max-age leaves a window for downgrade attacks. Set max-age to at least 31536000 (1 year).

Got: max-age=1000; includeSubDomains Expected: max-age=31536000; includeSubDomains

X-Content-Type-Options is properly configured

Got: nosniff

X-Frame-Options is properly configured

Got: SAMEORIGIN

Referrer-Policy is properly configured

Got: no-referrer

Permissions-Policy header is missing

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()

Content-Security-Policy is present

Got: default-src 'self'; connect-src 'self' https://www.paypal.com https://www.paypal…

Cross-Origin-Opener-Policy header is missing

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Cross-Origin-Embedder-Policy header is missing

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

X-Powered-By header is not present

Server header is present without version info

Got: cloudflare

A short max-age leaves a window for downgrade attacks. Set max-age to at least 31536000 (1 year).

Expected: max-age=31536000; includeSubDomains

Why this matters

Short HSTS max-age leaves a downgrade-attack window every time the cache expires — set ≥ 1 year.

Learn more ▾

max-age below 31536000 (1 year) is below industry recommendation. The browser forgets the HSTS policy and re-exposes first-visit downgrade attacks. Set to 63072000 (2 years) and add `includeSubDomains; preload` to qualify for the HSTS preload list.

Source: RFC 6797 / hstspreload.org

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()

Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more ▾

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more ▾

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more ▾

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

C

Content Security Policy

Action

5 of 11 CSP checks passed

REVIEW

5 of 11 CSP checks passed

Raw CSP policy

Got: default-src 'self'; connect-src 'self' https://www.paypal.com https://www.paypalobjects.com https://www.sandbox.paypal.com https://api-m.paypal.com https://api-m.sandbox.paypal.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://analytics.ahrefs.com https://www.bugherd.com https://api.bugherd.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.ahrefs.com https://*.bugherd.com https://syndication.twitter.com https://syndication.x.com https://www.instagram.com https://api.soundcloud.com https://*.sndcdn.com https://open.spotify.com https://*.audioboom.com; font-src 'self' https://use.typekit.net https://fonts.gstatic.com; frame-src 'self' https://www.paypal.com https://www.sandbox.paypal.com https://www.googletagmanager.com https://*.bugherd.com https://www.youtube.com https://www.youtube-nocookie.com https://player.vimeo.com https://platform.twitter.com https://syndication.twitter.com https://platform.x.com https://syndication.x.com https://www.instagram.com https://w.soundcloud.com https://open.spotify.com https://embeds.audioboom.com https://audioboom.com; img-src 'self' data: https://www.paypalobjects.com https://www.paypal.com https://www.googletagmanager.com https://www.google-analytics.com https://stats.g.doubleclick.net https://analytics.ahrefs.com https://*.google-analytics.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.ahrefs.com https://*.ytimg.com https://i.ytimg.com https://i.vimeocdn.com https://pbs.twimg.com https://abs.twimg.com https://*.twimg.com https://*.cdninstagram.com https://scontent.cdninstagram.com https://*.sndcdn.com https://i.scdn.co https://*.scdn.co https://images.theabcdn.com https://*.audioboom.com; media-src 'self' https://*.sndcdn.com https://*.audioboom.com https://*.googlevideo.com https://*.ytimg.com https://*.vimeocdn.com; object-src 'none'; script-src 'self' 'unsafe-inline' cdn.jsdelivr.net https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://js.stripe.com https://www.paypal.com https://www.paypalobjects.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.ahrefs.com https://www.bugherd.com https://*.googletagmanager.com https://*.google-analytics.com https://*.ahrefs.com https://*.bugherd.com https://www.youtube.com https://s.ytimg.com https://platform.twitter.com https://platform.x.com https://cdn.syndication.twimg.com https://www.instagram.com https://w.soundcloud.com https://widget.sndcdn.com https://open.spotify.com https://audioboom.com https://embeds.audioboom.com; style-src 'self' 'unsafe-inline' https://use.typekit.net https://fonts.googleapis.com https://p.typekit.net https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; base-uri 'none'

default-src directive is set

Got: default-src 'self'

'unsafe-inline' found in script source

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Got: script-src 'self' 'unsafe-inline' cdn.jsdelivr.net https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://js.stripe.com https://www.paypal.com https://www.paypalobjects.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.ahrefs.com https://www.bugherd.com https://*.googletagmanager.com https://*.google-analytics.com https://*.ahrefs.com https://*.bugherd.com https://www.youtube.com https://s.ytimg.com https://platform.twitter.com https://platform.x.com https://cdn.syndication.twimg.com https://www.instagram.com https://w.soundcloud.com https://widget.sndcdn.com https://open.spotify.com https://audioboom.com https://embeds.audioboom.com

No 'unsafe-eval' in script source

No wildcard in script source

object-src is set to 'none'

Got: object-src 'none'

base-uri is properly restricted

Got: base-uri 'none'

frame-ancestors directive is missing

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

form-action directive is missing

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

upgrade-insecure-requests is not set

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Content-Security-Policy-Report-Only is also set

A report-only policy is active alongside the enforcing policy for monitoring.

Got: script-src 'unsafe-inline' 'unsafe-eval'; connect-src 'none'; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/sc…

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more ▾

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more ▾

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

A report-only policy is active alongside the enforcing policy for monitoring.

Why this matters

Running enforcing + Report-Only in parallel lets you test stricter directives safely before promoting them.

Source: MDN CSP

Parsed Policy

default-src 'self'

connect-src 'self'https://www.paypal.comhttps://www.paypalobjects.comhttps://www.sandbox.paypal.comhttps://api-m.paypal.comhttps://api-m.sandbox.paypal.comhttps://www.googletagmanager.comhttps://www.google-analytics.comhttps://analytics.google.comhttps://analytics.ahrefs.comhttps://www.bugherd.comhttps://api.bugherd.comhttps://*.google-analytics.comhttps://*.analytics.google.comhttps://*.googletagmanager.comhttps://*.g.doubleclick.nethttps://*.ahrefs.comhttps://*.bugherd.comhttps://syndication.twitter.comhttps://syndication.x.comhttps://www.instagram.comhttps://api.soundcloud.comhttps://*.sndcdn.comhttps://open.spotify.comhttps://*.audioboom.com

font-src 'self'https://use.typekit.nethttps://fonts.gstatic.com

frame-src 'self'https://www.paypal.comhttps://www.sandbox.paypal.comhttps://www.googletagmanager.comhttps://*.bugherd.comhttps://www.youtube.comhttps://www.youtube-nocookie.comhttps://player.vimeo.comhttps://platform.twitter.comhttps://syndication.twitter.comhttps://platform.x.comhttps://syndication.x.comhttps://www.instagram.comhttps://w.soundcloud.comhttps://open.spotify.comhttps://embeds.audioboom.comhttps://audioboom.com

img-src 'self'data:https://www.paypalobjects.comhttps://www.paypal.comhttps://www.googletagmanager.comhttps://www.google-analytics.comhttps://stats.g.doubleclick.nethttps://analytics.ahrefs.comhttps://*.google-analytics.comhttps://*.googletagmanager.comhttps://*.g.doubleclick.nethttps://*.ahrefs.comhttps://*.ytimg.comhttps://i.ytimg.comhttps://i.vimeocdn.comhttps://pbs.twimg.comhttps://abs.twimg.comhttps://*.twimg.comhttps://*.cdninstagram.comhttps://scontent.cdninstagram.comhttps://*.sndcdn.comhttps://i.scdn.cohttps://*.scdn.cohttps://images.theabcdn.comhttps://*.audioboom.com

media-src 'self'https://*.sndcdn.comhttps://*.audioboom.comhttps://*.googlevideo.comhttps://*.ytimg.comhttps://*.vimeocdn.com

object-src 'none'

script-src 'self''unsafe-inline'cdn.jsdelivr.nethttps://cdn.jsdelivr.nethttps://cdnjs.cloudflare.comhttps://js.stripe.comhttps://www.paypal.comhttps://www.paypalobjects.comhttps://www.googletagmanager.comhttps://www.google-analytics.comhttps://analytics.ahrefs.comhttps://www.bugherd.comhttps://*.googletagmanager.comhttps://*.google-analytics.comhttps://*.ahrefs.comhttps://*.bugherd.comhttps://www.youtube.comhttps://s.ytimg.comhttps://platform.twitter.comhttps://platform.x.comhttps://cdn.syndication.twimg.comhttps://www.instagram.comhttps://w.soundcloud.comhttps://widget.sndcdn.comhttps://open.spotify.comhttps://audioboom.comhttps://embeds.audioboom.com

style-src 'self''unsafe-inline'https://use.typekit.nethttps://fonts.googleapis.comhttps://p.typekit.nethttps://cdn.jsdelivr.nethttps://cdnjs.cloudflare.com

base-uri 'none'

B

CORS Configuration

No CORS headers

REVIEW

No CORS headers

No CORS headers present — secure default

CORS Configuration ✓ Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control

A+

TLS & Certificates

TLS 1.3, 7 checks passed

PASS

TLS 1.3, 7 checks passed

TLS 1.3 is used

Got: TLS 1.3

Strong cipher suite is used

Got: TLS_CHACHA20_POLY1305_SHA256

HTTP/2 is not negotiated

HTTP/2 provides multiplexing and header compression for better performance.

Got: http/1.1

Certificate is valid (expires in 83 days)

Got: 2026-07-15T16:31:04Z

Certificate chain has 3 certificates

Certificate uses modern signature algorithm

Got: ECDSA-SHA256

Certificate covers 2 domain(s)

Got: cepr.org, *.cepr.org

Certificate is issued by a trusted CA

Got: CN=WE1,O=Google Trust Services,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more ▾

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection

Protocol

TLS 1.3

Cipher Suite

TLS_CHACHA20_POLY1305_SHA256

HTTP Version

HTTP/1.1

Certificate Chain

Leaf Certificate

Subject CN=cepr.orgIssuer CN=WE1,O=Google Trust Services,C=USValid 2026-04-16T15:31:14Z → 2026-07-15T16:31:04ZExpires in 83 days SANs cepr.org, *.cepr.orgSignature ECDSA-SHA256Serial 40da30547dc2aa0313363989bb21d024

Intermediate (CA Certificate)

Subject CN=WE1,O=Google Trust Services,C=USIssuer CN=GTS Root R4,O=Google Trust Services LLC,C=USValid 2023-12-13T09:00:00Z → 2029-02-20T14:00:00ZExpires in 1034 days Signature ECDSA-SHA384Serial 7ff31977972c224a76155d13b6d685e3

Intermediate (CA Certificate)

Subject CN=GTS Root R4,O=Google Trust Services LLC,C=USIssuer CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BEValid 2023-11-15T03:43:21Z → 2028-01-28T00:00:42ZExpires in 645 days Signature SHA256-RSASerial 7fe530bf331343bedd821610493d8a1b

A+

Cookie Security

No cookies set — no cookie security risks

PASS

No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+

JS Library Vulnerabilities

No known vulnerabilities

PASS

No known vulnerabilities

No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+

Information Leakage

No exposures

PASS

No exposures

No security.txt found

Consider adding a security.txt at /.well-known/security.txt.

No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path	Status	Category	Risk
/.git/HEAD	✓ Not found	Version Control	—
/.git/config	✓ Not found	Version Control	—
/.svn/entries	✓ Not found	Version Control	—
/.env	✓ Not found	Configuration	—
/.env.local	✓ Not found	Configuration	—
/.env.production	✓ Not found	Configuration	—
/wp-config.php	✓ Not found	Configuration	—
/.htaccess	✓ Not found	Configuration	—
/phpinfo.php	✓ Not found	Debug	—
/server-status	✓ Not found	Debug	—
/server-info	✓ Not found	Debug	—
/.well-known/security.txt	✓ Not found	Security Policy	—

A+

Email Security

DMARC: reject

PASS

DMARC: reject

DMARC policy is reject — strongest protection

DMARC

Policy reject — strongest protection Record v=DMARC1;p=reject;pct=80;rua=mailto:9b65c23615@rua.easydmarc.us,mailto:dmarcreports@cepr.org,mailto:postmaster@crowdcomms.com,mailto:postmaster@crowdcomms.com;ruf=mailto:9b65c23615@ruf.easydmarc.us;ri=86400;fo=1;

A

Transport Security

HTTP/3, HSTS, and TLS version analysis

PASS

HTTP/3, HSTS, and TLS version analysis

HTTP/3 (QUIC) supported

The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.

HSTS max-age is short: 0 days

HSTS max-age should be at least 1 year (31536000 seconds).

Got: max-age=1000 (expected 31536000)

TLS 1.3 in use (fastest handshake, 1-RTT)