Security
· 32 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.DSecurity HeadersAction5 of 10 headers properly configuredFIX
CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.
default-src 'self'Without a CSP, a single XSS bug can exfiltrate everything your users type — including credentials.
Learn more ▾ ▴
Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies or rewrite the page is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever.
Source: OWASP / MDN
A short max-age leaves a window for downgrade attacks. Set max-age to at least 31536000 (1 year).
max-age=31536000; includeSubDomainsShort HSTS max-age leaves a downgrade-attack window every time the cache expires — set ≥ 1 year.
Learn more ▾ ▴
max-age below 31536000 (1 year) is below industry recommendation. The browser forgets the HSTS policy and re-exposes first-visit downgrade attacks. Set to 63072000 (2 years) and add `includeSubDomains; preload` to qualify for the HSTS preload list.
Source: RFC 6797 / hstspreload.org
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
geolocation=(), camera=(), microphone=()Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.
Learn more ▾ ▴
By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.
Source: MDN / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
same-originCOOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
require-corpCOEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).
Not in the Chrome preload list — first-time visitors over plain HTTP can be downgraded by a network attacker before HSTS kicks in.
Learn more ▾ ▴
The HSTS header only protects users who have already visited the site (TOFU window). Adding your domain to the Chrome preload list closes that gap so HSTS is enforced from the very first connection. Requires a preload-ready header (max-age=31536000+, includeSubDomains, preload) then submission at hstspreload.org. Inclusion ships in the next Chrome release after acceptance.
Source: hstspreload.org
FContent Security PolicyActionNo enforcing CSP policy foundFIX
CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.
default-src 'self'Without a CSP, a single XSS bug can exfiltrate everything users type — credentials, payment data, session tokens.
Learn more ▾ ▴
Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever. Start in Report-Only mode, fix violations, then graduate to enforcing.
Source: OWASP / MDN
DCross-Origin Tab SafetyAction45 of 48 new-tab link(s) missing rel=noopenerFIX
DCSP Inline-Style ReadinessAction89 inline style attribute(s) detectedFIX
FSubresource Integrity AdoptionAction0% SRI adoption (0/3 third-party resources)FIX
DReferrer-Policy StrictnessActionReferrer-Policy is `no-referrer-when-downgrade` (leaky -- legacy default that sends full URL cross-origin on HTTPS-to-HTTPS)FIX
FSubresource IntegrityAction0 of 3 external resources have SRIFIX
| Tag | Domain | Integrity |
|---|---|---|
| <link> | www.gstatic.com | ✗ Missing |
| <script> | translate.googleapis.com | ✗ Missing |
| <script> | translate.google.com | ✗ Missing |
FEmail SecurityActionno DMARC, SPF: ~allFIX
No DMARC record found
Without DMARC, email receivers have no policy for handling authentication failures from your domain.
Without DMARC, email receivers have no policy for handling authentication failures. Add a TXT record at _dmarc.<domain> starting with v=DMARC1.
Without DMARC, anyone can send phishing emails using your domain name.
Learn more ▾ ▴
DMARC tells receiving mail servers what to do with email that fails SPF/DKIM checks for your domain. With a strict 'p=reject' policy, spoofed emails get bounced; without it they reach the inbox. Domains used in phishing campaigns lose deliverability and brand trust fast.
Source: DMARC.org / NIST
Soft fail tells receivers to accept-but-mark unauthorized mail. Migrate to -all once you've confirmed all legitimate senders are listed (DMARC aggregate reports help verify).
Informational: a labeled value pair from the audit.
DKIM signs outbound mail to prove origin. We probed common selectors (default, google, selector1, etc.) without finding a record. If you use a non-standard selector, this is a false negative.
No DKIM signature on outbound mail — receivers can't cryptographically prove the message came from your domain.
Learn more ▾ ▴
DKIM signs outbound mail with a private key whose public half lives in DNS at <selector>._domainkey.<domain>. Without DKIM, DMARC alone can't tell legitimate mail from spoofs, and large mailbox providers (Gmail, Yahoo) increasingly require DKIM for inbox placement. Note: this check probes a curated list of common selectors; non-standard selectors produce a false negative.
Source: RFC 6376 / Google + Yahoo 2024 sender requirements
MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Without MTA-STS, inbound mail can be silently downgraded to plain SMTP by a network attacker.
Learn more ▾ ▴
MTA-STS (RFC 8461) tells sending mail servers to use TLS and to refuse delivery if TLS fails. Requires both a TXT record at _mta-sts.<domain> AND a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Without it, an active attacker on the network path can strip STARTTLS and read the email in plaintext.
Source: RFC 8461
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
Without TLS-RPT, you have no visibility into inbound TLS failures — MTA-STS misconfigurations stay hidden until users complain.
Learn more ▾ ▴
TLS-RPT (RFC 8460) is the feedback channel for MTA-STS: senders post aggregate reports of TLS-handshake failures to the URI in your _smtp._tls TXT record. Without it, an MTA-STS misconfiguration silently rejects mail and you find out only when someone notices missing email.
Source: RFC 8460
BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.
Security gaps expose your site and users to attacks, eroding trust.
DPermissions-PolicyActionNo header setFIX
No Permissions-Policy header set.
Without this header, embedded iframes can request access to sensitive device features.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
Csecurity.txtActionNo security.txt file foundREVIEW
security.txt
No security.txt found at /.well-known/security.txt
CPermissions-Policy GranularityActionNo Permissions-Policy header set -- powerful features (camera / microphone / geolocation / payment / USB) default to allow-on-same-originREVIEW
BCORS ConfigurationNo CORS headersREVIEW
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
A+TLS & CertificatesTLS 1.3, 8 checks passedPASS
HTTP/2 provides multiplexing and header compression for better performance.
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Certificate Chain
AWAF / Bot ProtectionCloudflarePASS
A+Trusted Types (XSS Sink Hardening)No CSP header -- Trusted Types check is N/APASS
A+Bot Challenge DetectionScan reached real page content (no bot-protection interstitial)PASS
A+Soft-404 DetectionNo soft-404 patterns detected in page title or headingsPASS
A+Empty Page DetectionPage has substantive body text and no placeholder / template-leak signalsPASS
A+Geo-Restriction DetectionNo geo-restriction signals detected -- scan reached the page from an allowed regionPASS
A+Maintenance Mode DetectionNo maintenance-mode signals detected -- scan reached a normal pagePASS
A+CORS DepthNo CORS response headers -- the resource is same-origin-only by browser defaultPASS
A+Source Map ExposureNo source maps accessible (probed 10 candidate URL(s))PASS
A+HTML Version DisclosureNo software-version disclosures in HTMLPASS
A+Open Redirect SurfaceNo redirect-shaped query parameters in DOM linksPASS
A+Auth SecurityPage is not a login form -- auth-security checks are N/APASS
A+Subdomain Inventory ExposureNo risky subdomain names in certificate SANsPASS
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✓ Not found | Security Policy | — |
| /package.json | ✓ Not found | dependency-manifest | — |
| /composer.json | ✓ Not found | dependency-manifest | — |
| /Gemfile | ✓ Not found | dependency-manifest | — |
| /Gemfile.lock | ✓ Not found | dependency-manifest | — |
| /requirements.txt | ✓ Not found | dependency-manifest | — |
| /pom.xml | ✓ Not found | dependency-manifest | — |
| /.gitlab-ci.yml | ✓ Not found | ci-config | — |
| /.travis.yml | ✓ Not found | ci-config | — |