# BeaverCheck Audit Report — https://www.dropbox.com **Date:** April 7, 2026 **URL:** https://www.dropbox.com **Overall Grade:** C (73/100) **Report:** https://beavercheck.com/results/48a24ff3-6aa4-41d9-b02a-2d8212a6ee37 ## Top Findings 1. **[CRITICAL]** 'unsafe-eval' found in script source — Security > Content Security Policy 2. **[CRITICAL]** 'unsafe-inline' found in script source — Security > Content Security Policy 3. **[CRITICAL]** Cookie 'locale' is missing the Secure flag — Security > Cookie Security 4. **[CRITICAL]** Page weighs 18.0 MB (11.4 MB transferred) — Performance > Page Weight Budget 5. **[CRITICAL]** 1 button(s) with no accessible text — Accessibility > Link & Button Quality --- ## Lighthouse Scores | Category | Score | |----------|-------| | Performance | 38 | | Accessibility | 91 | | Best Practices | 77 | | SEO | 92 | --- ## Security ### Security Headers (B — 80/100) *7 of 10 headers properly configured* - **[PASS]** Strict-Transport-Security is properly configured (consider adding preload) - **[PASS]** X-Content-Type-Options is properly configured - **[PASS]** X-Frame-Options is properly configured - **[PASS]** Referrer-Policy is properly configured - **[WARNING]** Permissions-Policy header is missing — Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features. - **[PASS]** Content-Security-Policy is present - **[INFO]** Cross-Origin-Opener-Policy is set but not 'same-origin' - **[WARNING]** Cross-Origin-Embedder-Policy header is missing — COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers. - **[PASS]** X-Powered-By header is not present - **[PASS]** Server header is present without version info ### Content Security Policy (D — 50/100) *5 of 10 CSP checks passed* - **[INFO]** Raw CSP policy - **[PASS]** default-src directive is set - **[CRITICAL]** 'unsafe-inline' found in script source — 'unsafe-inline' allows inline