Security - https://ahajournals.org BeaverCheck Audit

C

Content Security Policy

Action

6 of 11 CSP checks passed

REVIEW

6 of 11 CSP checks passed

Raw CSP policy

Got: default-src 'none'; script-src 'nonce-eSd7Dep6YMP06pEiNZr5Sz' 'unsafe-eval' https://challenges.cloudflare.com; script-src-attr 'none'; style-src 'unsafe-inline'; img-src 'self' https://challenges.cloudflare.com; connect-src 'self' https://challenges.cloudflare.com; frame-src 'self' https://challenges.cloudflare.com blob:; child-src 'self' https://challenges.cloudflare.com blob:; worker-src blob:; form-action 'self'; base-uri 'self'

default-src directive is set

Got: default-src 'none'

No 'unsafe-inline' in script source

'unsafe-eval' found in script source

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Got: script-src 'nonce-eSd7Dep6YMP06pEiNZr5Sz' 'unsafe-eval' https://challenges.cloudflare.com

No wildcard in script source

object-src falls back to default-src

base-uri is properly restricted

Got: base-uri 'self'

frame-ancestors directive is missing

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

form-action directive is set

Got: form-action 'self'

upgrade-insecure-requests is not set

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Content-Security-Policy-Report-Only is also set

A report-only policy is active alongside the enforcing policy for monitoring.

Got: script-src 'none'; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?m=PWVDX_vG06FplTWxxLRV5…

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more ▾

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more ▾

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

A report-only policy is active alongside the enforcing policy for monitoring.

Why this matters

Running enforcing + Report-Only in parallel lets you test stricter directives safely before promoting them.

Source: MDN CSP

Parsed Policy

default-src 'none'

script-src 'nonce-eSd7Dep6YMP06pEiNZr5Sz''unsafe-eval'https://challenges.cloudflare.com

script-src-attr 'none'

style-src 'unsafe-inline'

img-src 'self'https://challenges.cloudflare.com

connect-src 'self'https://challenges.cloudflare.com

frame-src 'self'https://challenges.cloudflare.comblob:

child-src 'self'https://challenges.cloudflare.comblob:

worker-src blob:

form-action 'self'

base-uri 'self'

C

Subresource Integrity

Action

1 of 2 external resources have SRI

REVIEW

1 of 2 external resources have SRI

External script from challenges.cloudflare.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://challenges.cloudflare.com/turnstile/v0/b/0b8fb825cb67/api.js?onload=cFRiY3&render=explicit

script from static.cloudflareinsights.com has SRI protection

SRI Coverage 1 / 2 of external resources have integrity hashes

Tag	Domain	Integrity
<script>	challenges.cloudflare.com	✗ Missing
<script>	static.cloudflareinsights.com	✓ Protected

B

CORS Configuration

No CORS headers

REVIEW

No CORS headers

No CORS headers present — secure default

CORS Configuration ✓ Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control

B

security.txt

Published with 1 contact(s)

REVIEW

security.txt

Contact: mailto:security@wiley.com

Expires: 2027-01-01T00:00:00Z

A

Security Headers

9 of 10 headers properly configured

PASS

9 of 10 headers properly configured

HSTS max-age is too short (2592000s, should be ≥ 31536000s)

A short max-age leaves a window for downgrade attacks. Set max-age to at least 31536000 (1 year).

Got: max-age=2592000 Expected: max-age=31536000; includeSubDomains

X-Content-Type-Options is properly configured

Got: nosniff

X-Frame-Options is properly configured

Got: SAMEORIGIN

Referrer-Policy is properly configured

Got: same-origin

Permissions-Policy is set

Got: accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=(),xr-spatial-tracking=(self)

Content-Security-Policy is present

Got: default-src 'none'; script-src 'nonce-eSd7Dep6YMP06pEiNZr5Sz' 'unsafe-eval' http…

Cross-Origin-Opener-Policy is properly configured

Got: same-origin

Cross-Origin-Embedder-Policy is set

Got: require-corp

X-Powered-By header is not present

Server header is present without version info

Got: cloudflare

A short max-age leaves a window for downgrade attacks. Set max-age to at least 31536000 (1 year).

Expected: max-age=31536000; includeSubDomains

Why this matters

Short HSTS max-age leaves a downgrade-attack window every time the cache expires — set ≥ 1 year.

Learn more ▾

max-age below 31536000 (1 year) is below industry recommendation. The browser forgets the HSTS policy and re-exposes first-visit downgrade attacks. Set to 63072000 (2 years) and add `includeSubDomains; preload` to qualify for the HSTS preload list.

Source: RFC 6797 / hstspreload.org

A+

TLS & Certificates

TLS 1.3, 7 checks passed

PASS

TLS 1.3, 7 checks passed

TLS 1.3 is used

Got: TLS 1.3

Strong cipher suite is used

Got: TLS_CHACHA20_POLY1305_SHA256

HTTP/2 is not negotiated

HTTP/2 provides multiplexing and header compression for better performance.

Got: http/1.1

Certificate is valid (expires in 85 days)

Got: 2026-07-16T01:16:06Z

Certificate chain has 3 certificates

Certificate uses modern signature algorithm

Got: ECDSA-SHA256

Certificate covers 1 domain(s)

Got: ahajournals.org

Certificate is issued by a trusted CA

Got: CN=WE1,O=Google Trust Services,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more ▾

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection

Protocol

TLS 1.3

Cipher Suite

TLS_CHACHA20_POLY1305_SHA256

HTTP Version

HTTP/1.1

Certificate Chain

Leaf Certificate

Subject CN=ahajournals.orgIssuer CN=WE1,O=Google Trust Services,C=USValid 2026-04-17T00:16:13Z → 2026-07-16T01:16:06ZExpires in 85 days SANs ahajournals.orgSignature ECDSA-SHA256Serial 7d138edd2177aed30e2b16e9b872c9de

Intermediate (CA Certificate)

Subject CN=WE1,O=Google Trust Services,C=USIssuer CN=GTS Root R4,O=Google Trust Services LLC,C=USValid 2023-12-13T09:00:00Z → 2029-02-20T14:00:00ZExpires in 1035 days Signature ECDSA-SHA384Serial 7ff31977972c224a76155d13b6d685e3

Intermediate (CA Certificate)

Subject CN=GTS Root R4,O=Google Trust Services LLC,C=USIssuer CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BEValid 2023-11-15T03:43:21Z → 2028-01-28T00:00:42ZExpires in 646 days Signature SHA256-RSASerial 7fe530bf331343bedd821610493d8a1b

A+

Cookie Security

No cookies set — no cookie security risks

PASS

No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+

JS Library Vulnerabilities

No known vulnerabilities

PASS

No known vulnerabilities

No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+

Information Leakage

No exposures

PASS

No exposures

security.txt is present — good practice

No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path	Status	Category	Risk
/.git/HEAD	✓ Not found	Version Control	—
/.git/config	✓ Not found	Version Control	—
/.svn/entries	✓ Not found	Version Control	—
/.env	✓ Not found	Configuration	—
/.env.local	✓ Not found	Configuration	—
/.env.production	✓ Not found	Configuration	—
/wp-config.php	✓ Not found	Configuration	—
/.htaccess	✓ Not found	Configuration	—
/phpinfo.php	✓ Not found	Debug	—
/server-status	✓ Not found	Debug	—
/server-info	✓ Not found	Debug	—
/.well-known/security.txt	✗ Exposed	Security Policy	Info

A+

Email Security

DMARC: reject

PASS

DMARC: reject

DMARC policy is reject — strongest protection

DMARC

Policy reject — strongest protection Record v=DMARC1;p=reject;sp=reject;fo=1;rua=mailto:dmarc_rua@emaildefense.proofpoint.com;ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com

A+

Permissions-Policy

18 directives, 0 missing

PASS

18 directives, 0 missing

accelerometer=() — blocked for all origins

browsing-topics=() — blocked for all origins

camera=() — blocked for all origins

clipboard-read=() — blocked for all origins

clipboard-write=() — blocked for all origins

geolocation=() — blocked for all origins

gyroscope=() — blocked for all origins

hid=() — blocked for all origins

interest-cohort=() — blocked for all origins

magnetometer=() — blocked for all origins

microphone=() — blocked for all origins

payment=() — blocked for all origins

publickey-credentials-get=() — blocked for all origins

screen-wake-lock=() — blocked for all origins

serial=() — blocked for all origins

sync-xhr=() — blocked for all origins

usb=() — blocked for all origins

xr-spatial-tracking=(self)

Raw Header

accelerometer=() browsing-topics=() camera=() clipboard-read=() clipboard-write=() geolocation=() gyroscope=() hid=() interest-cohort=() magnetometer=() microphone=() payment=() publickey-credentials-get=() screen-wake-lock=() serial=() sync-xhr=() usb=() xr-spatial-tracking=(self)

Feature Permissions

Blocked Self Only Unrestricted Not Set

accelerometer Blocked

browsing-topics Blocked

camera Blocked

clipboard-read Blocked

clipboard-write Blocked

geolocation Blocked

gyroscope Blocked

hid Blocked

interest-cohort Blocked

magnetometer Blocked

microphone Blocked

payment Blocked

publickey-credentials-get Blocked

screen-wake-lock Blocked

serial Blocked

sync-xhr Blocked

usb Blocked

xr-spatial-tracking Self Only

A

Transport Security

HTTP/3, HSTS, and TLS version analysis

PASS

HTTP/3, HSTS, and TLS version analysis

HTTP/3 (QUIC) supported

The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.

HSTS max-age is short: 30 days

HSTS max-age should be at least 1 year (31536000 seconds).

Got: max-age=2592000 (expected 31536000)

HSTS missing includeSubDomains

Without includeSubDomains, HSTS only protects the exact domain.

TLS 1.3 in use (fastest handshake, 1-RTT)