https://ring.com
Security
· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.SCORE
70
GRADE
C
FIX
3
REVIEW
4
PASS
5
INFO
0
Checks
125 PASS 4 REVIEW 3 FIX
FContent Security PolicyAction3 of 10 CSP checks passedFIX
Content Security Policy
Action3 of 10 CSP checks passed
3 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.ring.com/ https://*.a2z.com/ https://*.cloudfront.net/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.solvvy.com/ https://beacon.riskified.com/; script-src-elem 'self' 'unsafe-inline' https://*.ring.com/ https://*.a2z.com https://*.amazon-adsystem.com https://*.amazonaws.com/ https://cdn.optimizely.com/ https://*.zoom.us https://*.xg4ken.com/ http://*.xg4ken.com/ https://secure-ds.serving-sys.com/ https://bs.serving-sys.com/ https://www.youtube.com/ https://www.youtube-nocookie.com/ https://*.heapanalytics.com/ https://*.cloudfront.net/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.optimizely.com/ https://*.solvvy.com/ https://cdn.id.discount/ https://cdn.verifypass.com/ https://*.zoovu.com/ http://*.zoovu.com/ https://ajax.googleapis.com/ https://*.mapbox.com/ https://beacon.riskified.com/ https://*.ceros.site; connect-src 'self' https://*.ring.com/ https://*.a2z.com https://*.optimizely.com/ https://*.optimizely-edge.com/ https://*.amazon-adsystem.com/ https://*.amazon.com/ https://*.amazon/ https://*.amazonaws.com/ https://lm.serving-sys.com/ https://bs.serving-sys.com/ https://secure-ds.serving-sys.com/ https://us01ccistatic.zoom.us/ https://us01campaign.zoom.us/ https://*.zoom.us/ wss://zpns.zoom.us/ws https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.cloudfront.net/ https://*.auryc.com/ https://*.solvvy.com/ https://*.zoovu.com/ http://*.zoovu.com/ https://*.mapbox.com/ https://beacon.riskified.com/ https://*.ceros.site; style-src 'self' 'unsafe-inline' https://*.ring.com/ https://*.a2z.com https://*.cloudfront.net/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/; style-src-elem 'self' 'unsafe-inline' https://*.ring.com/ https://*.a2z.com/ https://*.cloudfront.net/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.zoovu.com/ http://*.zoovu.com/ https://*.mapbox.com/ https://*.ceros.site; font-src 'self' data: https://*.ring.com/ https://*.auryc.com/ https://*.zoovu.com/ http://*.zoovu.com/ https://*.cloudfront.net/ http://*.cloudfront.net/ https://*.ceros.site; img-src 'self' blob: data: https://*.ring.com/ https://*.a2z.com/ https://cdn.shopify.com/ https://images.ctfassets.net/ http://images.ctfassets.net/ https://heapanalytics.com/ https://*.xg4ken.com/ https://m.media-amazon.com/ https://*.cloudfront.net/ https://i.ytimg.com/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.zoovu.com/ http://*.zoovu.com/ https://*.ceros.site; media-src 'self' https://*.ring.com/ http://videos.ctfassets.net/ https://*.cloudfront.net/ https://*.amazonaws.com/ https://*.ceros.site; frame-src 'self' https://*.ring.com/ https://*.cdn.optimizely.com/ https://*.amazon-adsystem.com/ https://*.a2z.com/ https://us01ccistatic.zoom.us/ https://www.youtube.com/ https://www.youtube-nocookie.com/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.cloudfront.net/ https://verifypass.com/ https://*.ceros.site; worker-src 'self' blob: https://us01ccistatic.zoom.us/; manifest-src https://*.ring.com/ https://*.cloudfront.net/;
Info::
default-src directive is set
Got: default-src 'self'
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.ring.com/ https://*.a2z.com/ https://*.cloudfront.net/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.solvvy.com/ https://beacon.riskified.com/
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.ring.com/ https://*.a2z.com/ https://*.cloudfront.net/ https://*.stripe.com/ https://*.stripe.network/ https://*.stripecdn.com/ https://*.solvvy.com/ https://beacon.riskified.com/
Info::
No wildcard in script source
Info::
object-src falls back to default-src
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Why this matters
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Why this matters
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected:
base-uri 'self'Why this matters
Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.
Learn more ▾ ▴
A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.
Source: MDN CSP
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected:
frame-ancestors 'self'Why this matters
Security gaps expose your site and users to attacks, eroding trust.
form-action restricts where forms can submit data, preventing form hijacking.
Expected:
form-action 'self'Why this matters
Security gaps expose your site and users to attacks, eroding trust.
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected:
upgrade-insecure-requestsWhy this matters
Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.
Learn more ▾ ▴
Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.
Source: MDN CSP
Parsed Policy
default-src 'self'
script-src 'self''unsafe-inline''unsafe-eval'https://*.ring.com/https://*.a2z.com/https://*.cloudfront.net/https://*.stripe.com/https://*.stripe.network/https://*.stripecdn.com/https://*.solvvy.com/https://beacon.riskified.com/
script-src-elem 'self''unsafe-inline'https://*.ring.com/https://*.a2z.comhttps://*.amazon-adsystem.comhttps://*.amazonaws.com/https://cdn.optimizely.com/https://*.zoom.ushttps://*.xg4ken.com/http://*.xg4ken.com/https://secure-ds.serving-sys.com/https://bs.serving-sys.com/https://www.youtube.com/https://www.youtube-nocookie.com/https://*.heapanalytics.com/https://*.cloudfront.net/https://*.stripe.com/https://*.stripe.network/https://*.stripecdn.com/https://*.optimizely.com/https://*.solvvy.com/https://cdn.id.discount/https://cdn.verifypass.com/https://*.zoovu.com/http://*.zoovu.com/https://ajax.googleapis.com/https://*.mapbox.com/https://beacon.riskified.com/https://*.ceros.site
connect-src 'self'https://*.ring.com/https://*.a2z.comhttps://*.optimizely.com/https://*.optimizely-edge.com/https://*.amazon-adsystem.com/https://*.amazon.com/https://*.amazon/https://*.amazonaws.com/https://lm.serving-sys.com/https://bs.serving-sys.com/https://secure-ds.serving-sys.com/https://us01ccistatic.zoom.us/https://us01campaign.zoom.us/https://*.zoom.us/wss://zpns.zoom.us/wshttps://*.stripe.com/https://*.stripe.network/https://*.stripecdn.com/https://*.cloudfront.net/https://*.auryc.com/https://*.solvvy.com/https://*.zoovu.com/http://*.zoovu.com/https://*.mapbox.com/https://beacon.riskified.com/https://*.ceros.site
style-src 'self''unsafe-inline'https://*.ring.com/https://*.a2z.comhttps://*.cloudfront.net/https://*.stripe.com/https://*.stripe.network/https://*.stripecdn.com/
style-src-elem 'self''unsafe-inline'https://*.ring.com/https://*.a2z.com/https://*.cloudfront.net/https://*.stripe.com/https://*.stripe.network/https://*.stripecdn.com/https://*.zoovu.com/http://*.zoovu.com/https://*.mapbox.com/https://*.ceros.site
font-src 'self'data:https://*.ring.com/https://*.auryc.com/https://*.zoovu.com/http://*.zoovu.com/https://*.cloudfront.net/http://*.cloudfront.net/https://*.ceros.site
img-src 'self'blob:data:https://*.ring.com/https://*.a2z.com/https://cdn.shopify.com/https://images.ctfassets.net/http://images.ctfassets.net/https://heapanalytics.com/https://*.xg4ken.com/https://m.media-amazon.com/https://*.cloudfront.net/https://i.ytimg.com/https://*.stripe.com/https://*.stripe.network/https://*.stripecdn.com/https://*.zoovu.com/http://*.zoovu.com/https://*.ceros.site
media-src 'self'https://*.ring.com/http://videos.ctfassets.net/https://*.cloudfront.net/https://*.amazonaws.com/https://*.ceros.site
frame-src 'self'https://*.ring.com/https://*.cdn.optimizely.com/https://*.amazon-adsystem.com/https://*.a2z.com/https://us01ccistatic.zoom.us/https://www.youtube.com/https://www.youtube-nocookie.com/https://*.stripe.com/https://*.stripe.network/https://*.stripecdn.com/https://*.cloudfront.net/https://verifypass.com/https://*.ceros.site
worker-src 'self'blob:https://us01ccistatic.zoom.us/
manifest-src https://*.ring.com/https://*.cloudfront.net/
FSubresource IntegrityAction0 of 31 external resources have SRIFIX
Subresource Integrity
Action0 of 31 external resources have SRI
0 of 31 external resources have SRI
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ring.min-a57c65b2adf7895857d5551c58dabe51.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_productdetail-f26702f0e1f7072d0517d301b449579f.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_50-50-2edc89bc0f94a63aa368c0890b0252d8.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_50-50_image_gallery_block-037a2f792bad18809269601ffe9e5902.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_accordion-71d670b4168a6dbef35fd879e7f6c56f.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_accordion_block-51f58ddf4a9921cb80b0c2add858a48f.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_center_aligned_message-8b777e878dc56ee970fcfb77df3b0004.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_collection_block-9fa65b5bdeed13fc2d2c1344953c5de1.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_collection_cards-644c82f472a3d027e3f06ebbdb714107.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_hero-06e3ec92348045662698e77891a6f504.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_product-feature-strip-df8facbaa11b4c014068600b8b5ceb5e.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_product-wrapper-031561cd1b2167d704932d2c4ce0dbfb.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_slider-wrapper-47b2c0f66c445c3d62dbae78f8ab9a44.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_slider_card-087cd122e3b28906e66031382854836a.css
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/ct_title_block-296fde558ed7a343616569ec114e0589.css
Warning::
External script from www.youtube.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.youtube.com/s/player/b174a5bb/www-widgetapi.vflset/www-widgetapi.js
Warning::
External script from www.youtube.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.youtube.com/iframe_api
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/ct_productdetail-1e81f502aaa28fe0876645d15b6652d0.js
Warning::
External script from cdn.optimizely.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.optimizely.com/js/18436933757.js
Warning::
External script from services.xg4ken.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://services.xg4ken.com/js/kenshoo.js?cid=919838d0-ecdb-4d24-ab4c-434934b0ad7a
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/event-tracking-6157ef2a4d4fe053b5026c5ac6729c08.js
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/consent-manager-762fe7c2fc4b0df8660d5f3b736035f0.js?locale=en-US&local=true&loggedIn=0®ion=us
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/compatibility-checker-51b83a3bc82e0dbb427f155a3cb38a59.js?locale=en-US
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/ring.min-935eb1ea8607272fc9da58ebc811dec2.js
Warning::
External script from chatbot.rc3.ring.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://chatbot.rc3.ring.com/js/1.0.8.js
Warning::
External link from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/css/consent-manager-4e01ec1313c3b2c386164279d4d21c11.css
Warning::
External link from d2a12jsx2jznj5.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d2a12jsx2jznj5.cloudfront.net/globalnav.min.css
Warning::
External script from d2a12jsx2jznj5.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d2a12jsx2jznj5.cloudfront.net/globalnav.min.js
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/ct_50-50_image_gallery_block-055fdc61a0346e79885221cd58055ad9.js
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/ct_product-wrapper-99c92507072b895c71cde130531f89e7.js
Warning::
External script from d39xvdj9d5ntm1.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d39xvdj9d5ntm1.cloudfront.net/common/js/ct_slider-wrapper-28e2487694f2833ab4d4564fafdae49a.js
SRI Coverage 0 / 31 of external resources have integrity hashes
| Tag | Domain | Integrity |
|---|---|---|
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | www.youtube.com | ✗ Missing |
| <script> | www.youtube.com | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | cdn.optimizely.com | ✗ Missing |
| <script> | services.xg4ken.com | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | chatbot.rc3.ring.com | ✗ Missing |
| <link> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <link> | d2a12jsx2jznj5.cloudfront.net | ✗ Missing |
| <script> | d2a12jsx2jznj5.cloudfront.net | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
| <script> | d39xvdj9d5ntm1.cloudfront.net | ✗ Missing |
DPermissions-PolicyActionNo header setFIX
Permissions-Policy
ActionNo header set
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.
No Permissions-Policy header set.
Without this header, embedded iframes can request access to sensitive device features.
Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
CSecurity HeadersAction5 of 10 headers properly configuredREVIEW
Security Headers
Action5 of 10 headers properly configured
5 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=31536000; includeSubDomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Warning::
Referrer-Policy header is missing
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
Expected: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Warning::
X-Powered-By header reveals technology stack
This header discloses server technology (e.g. Express, PHP), helping attackers target known vulnerabilities. Remove it.
Got: Express
Info::
Server header is present without version info
Got: Server
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
Expected:
strict-origin-when-cross-originWhy this matters
Default browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.
Learn more ▾ ▴
Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.
Source: MDN / W3C
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected:
geolocation=(), camera=(), microphone=()Why this matters
Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.
Learn more ▾ ▴
By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.
Source: MDN / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected:
same-originWhy this matters
COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected:
require-corpWhy this matters
COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
This header discloses server technology (e.g. Express, PHP), helping attackers target known vulnerabilities. Remove it.
Why this matters
X-Powered-By: PHP/7.4.3 advertises your stack to attackers — disable it.
Learn more ▾ ▴
X-Powered-By and similar headers (X-AspNet-Version, X-Runtime) tell attackers which versions to target. Disable in your server/framework config: PHP `expose_php=Off`, ASP.NET `<httpRuntime enableVersionHeader="false">`, Express `app.disable('x-powered-by')`.
Source: OWASP
BCORS ConfigurationNo CORS headersREVIEW
CORS Configuration
No CORS headers
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration ✓ Secure
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
Bsecurity.txtPublished with 1 contact(s)REVIEW
security.txt
Published with 1 contact(s)
security.txt
Contact: https://hackerone.com/ring/reports/new
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
TLS & Certificates
TLS 1.3, 7 checks passed
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_256_GCM_SHA384
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 127 days)
Got: 2026-08-21T23:59:59Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 2 domain(s)
Got: www.ring.com, ring.com
Info::
Certificate is issued by a trusted CA
Got: CN=Amazon RSA 2048 M04,O=Amazon,C=US
HTTP/2 provides multiplexing and header compression for better performance.
Why this matters
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_256_GCM_SHA384
HTTP Version
HTTP/1.1
Certificate Chain
Leaf Certificate
Subject CN=www.ring.comIssuer CN=Amazon RSA 2048 M04,O=Amazon,C=USValid 2025-11-04T00:00:00Z → 2026-08-21T23:59:59ZExpires in 127 days SANs www.ring.com, ring.comSignature SHA256-RSASerial 823917a02b725eb245cfcbeea4d64cb
Intermediate (CA Certificate)
Subject CN=Amazon RSA 2048 M04,O=Amazon,C=USIssuer CN=Amazon Root CA 1,O=Amazon,C=USValid 2022-08-23T22:26:35Z → 2030-08-23T22:26:35ZExpires in 1590 days Signature SHA256-RSASerial 773124f2a952e3ed18a58bdb85d1bc0ce5f27
Intermediate (CA Certificate)
Subject CN=Amazon Root CA 1,O=Amazon,C=USIssuer CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=USValid 2015-05-25T12:00:00Z → 2037-12-31T01:00:00ZExpires in 4276 days Signature SHA256-RSASerial 67f944a2a27cdf3fac2ae2b01f908eeb9c4c6
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
JS Library Vulnerabilities
No known vulnerabilities
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
Information Leakage
No exposures
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✗ Exposed | Security Policy | Info |
AEmail SecurityDMARC: quarantinePASS
Email Security
DMARC: quarantine
DMARC: quarantine
Info::
DMARC policy is quarantine — good protection
DMARC
Policy quarantine — good protection Record v=DMARC1;p=quarantine;pct=100;rua=mailto:report@dmarc.amazon.com;ruf=mailto:report@dmarc.amazon.com
ATransport SecurityHTTP/3, HSTS, and TLS version analysisPASS
Transport Security
HTTP/3, HSTS, and TLS version analysis
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.