https://stripe.com
Security
· 13 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.SCORE
78
GRADE
C
FIX
2
REVIEW
5
PASS
6
INFO
0
Checks
136 PASS 5 REVIEW 2 FIX
FSubresource IntegrityAction0 of 77 external resources have SRIFIX
Subresource Integrity
Action0 of 77 external resources have SRI
0 of 77 external resources have SRI
Warning::
External link from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/css/f4882a34561e5dbb.css
Warning::
External link from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/css/9783a0f920ab0abb.css
Warning::
External link from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/css/57f8c646aef0b9c7.css
Warning::
External link from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/css/a11fd5697c32b98a.css
Warning::
External link from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/css/45ea3c6577ef6a50.css
Warning::
External link from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/css/5ac76ef56c21b7fe.css
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/polyfills-42372ed130431b0a.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/2791.83aa5fb914de3e9d.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/15263.83460f5b8af8173e.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/34552.fae148eb6b06113b.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/76629.396a50238922b152.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/96201.b69ca6d7416f24b0.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/77723.dd3ba52791b41cc0.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/96550.6f7488d7e4331269.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/90167.4103b51af0a095b1.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/12303.cbfd64dcc7cf7100.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/26610.3de3ba4fcdbc5c38.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/45402.17f4152a5b632314.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/24559.5b18d758fe1e63c7.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/13956.1a44ca5c0dc36ae3.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/42977.fed8892d9b670f89.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/53817.41e05ba1b3446007.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/79982.3b88455c414a7bfe.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/10648.e776ad5ab3e19057.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/82792.46f95ea7b23ac1a3.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/92990.46ff2fd0e9076cf0.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/86467.d924a26a13940f4d.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/83316.2d4c534f14716a88.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/48158.13de208e4f503036.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/41485.c80134e97ad98903.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/39813.b415e65e709c0a35.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/81622.ee3fedce3233c578.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/50710.befec694e53df05f.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/70111.4a9081fa5e08fa2d.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/87494.78d0914d22eefda0.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/11740.e1f0616425c20e70.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/99568.8881a151804c89bd.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/72671.ca5ed11ffd75aac9.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/69145.f19e40de79be702e.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/48661.a57e02e839fecd13.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/24926.bd4cc18d62586f60.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/93027.249adbfe02a2ea95.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/4974.02a5d8bc0b5e0863.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/46537.50651df30a8c5fa4.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/42560.d6bdb7e42237de67.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/16769.3ad7652c9d10fd9e.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/36766.f8478232cd8b3aed.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/webpack-07086fc1ac3fae4f.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/framework-bfbcaa5a2903bc7d.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/main-df8f4439c330196b.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/pages/_app-dd735f07021249cc.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/3dfade9e-4ca93d92ac876e62.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/c67c952e-7f65a464f661b1d2.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/55369f66-92e84f6aba0a73a8.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/74107-1c2d3128a7a843d6.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/12267-692ae55ed1c1ab04.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/96834-6100e9cdf9c86a29.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/61049-92938bfaa4e906a3.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/83686-faac451816184ca8.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/35546-d53e02f8a917cfc0.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/8542-04671882bfe8d457.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/80147-1c94f9a864388575.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/9068-1891de298255d55e.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/25586-b7b925806d71fbf2.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/12142-a5c1e2ae95f0a4e8.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/59752-9df4d426a95fb11e.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/87258-47bca02539d60182.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/4066-55c18fec3ae147f2.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/38484-72a8319f943b4083.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/58159-c5fc2224cc9696c9.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/81888-44c041869848e4ee.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/86782-e77479c0a263fec5.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/20961-3fd665138427a22a.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/63328-9e9e8032d49a619d.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/chunks/pages/index-b09b2ca44f5e5ddc.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/KNSAIlryA3/GyZCO5RR273qVcKsFZb3MjK%2B4om6wLaY%3D/_buildManifest.js
Warning::
External script from b.stripecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://b.stripecdn.com/mkt-ssr-statics/assets/_next/static/KNSAIlryA3/GyZCO5RR273qVcKsFZb3MjK%2B4om6wLaY%3D/_ssgManifest.js
SRI Coverage 0 / 77 of external resources have integrity hashes
| Tag | Domain | Integrity |
|---|---|---|
| <link> | b.stripecdn.com | ✗ Missing |
| <link> | b.stripecdn.com | ✗ Missing |
| <link> | b.stripecdn.com | ✗ Missing |
| <link> | b.stripecdn.com | ✗ Missing |
| <link> | b.stripecdn.com | ✗ Missing |
| <link> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
| <script> | b.stripecdn.com | ✗ Missing |
DPermissions-PolicyActionNo header setFIX
Permissions-Policy
ActionNo header set
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.
No Permissions-Policy header set.
Without this header, embedded iframes can request access to sensitive device features.
Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
BSecurity Headers7 of 10 headers properly configuredREVIEW
Security Headers
7 of 10 headers properly configured
7 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=63072000; includeSubDomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Info::
Referrer-Policy is properly configured
Got: no-referrer-when-downgrade
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: base-uri 'none'; child-src 'none'; connect-src https://c.increment.com https://c…
Info::
Cross-Origin-Opener-Policy is set but not 'same-origin'
Got: same-origin-allow-popups; report-to="wsp_coop" Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: nginx
Info::
Domain is in the Chrome HSTS preload list (status: preloaded)
Got: preloaded
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected:
geolocation=(), camera=(), microphone=()Why this matters
Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.
Learn more ▾ ▴
By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.
Source: MDN / W3C
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected:
require-corpWhy this matters
COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
Expected:
same-originWhy this matters
COOP is set to a less-restrictive value (same-origin-allow-popups or unsafe-none) — partial isolation only.
Learn more ▾ ▴
COOP: same-origin is the strictest level. same-origin-allow-popups allows authenticated popup windows back to your origin. unsafe-none is the legacy default (effectively off). Pick the strictest level your app's popup flows tolerate.
Source: MDN COOP
BWAF / Bot ProtectionNo WAF detected via response headersREVIEW
WAF / Bot Protection
No WAF detected via response headers
No WAF detected via response headers
Info::
No WAF detected
Response headers don't match any known WAF or bot-management product. Sites exposed to abuse (login, signup, payment) typically benefit from a WAF such as Cloudflare, Akamai, AWS WAF, or Imperva.
BEmail SecurityDMARC: reject, DKIMREVIEW
Email Security
DMARC: reject, DKIM
DMARC: reject, DKIM
Info::
DMARC policy is reject — strongest protection
Info::
DKIM configured (selectors: google, s1, s2)
Info::
MTA-STS not configured
MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Info::
TLS-RPT not configured
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
DMARC
Policy reject — strongest protection Record v=DMARC1; p=reject; pct=100; fo=1; rua=mailto:dmarc-reports@stripe.com; ruf=mailto:dmarc-forensics@stripe.com;
MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Why this matters
Without MTA-STS, inbound mail can be silently downgraded to plain SMTP by a network attacker.
Learn more ▾ ▴
MTA-STS (RFC 8461) tells sending mail servers to use TLS and to refuse delivery if TLS fails. Requires both a TXT record at _mta-sts.<domain> AND a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Without it, an active attacker on the network path can strip STARTTLS and read the email in plaintext.
Source: RFC 8461
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
Why this matters
Without TLS-RPT, you have no visibility into inbound TLS failures — MTA-STS misconfigurations stay hidden until users complain.
Learn more ▾ ▴
TLS-RPT (RFC 8460) is the feedback channel for MTA-STS: senders post aggregate reports of TLS-handshake failures to the URI in your _smtp._tls TXT record. Without it, an MTA-STS misconfiguration silently rejects mail and you find out only when someone notices missing email.
Source: RFC 8460
BCORS ConfigurationNo CORS headersREVIEW
CORS Configuration
No CORS headers
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration ✓ Secure
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
Csecurity.txtActionExpired (2025-12-31T23:59:00.000Z) — update Expires fieldREVIEW
security.txt
ActionExpired (2025-12-31T23:59:00.000Z) — update Expires field
security.txt
Contact: https://hackerone.com/stripe
Expires: 2025-12-31T23:59:00.000Z
Policy: https://stripe.com/.well-known/security.txt
A+Content Security Policy9 of 10 CSP checks passedPASS
Content Security Policy
9 of 10 CSP checks passed
9 of 10 CSP checks passed
Info::
Raw CSP policy
Got: base-uri 'none'; child-src 'none'; connect-src https://c.increment.com https://c.stripe.dev https://c.stripe.global https://c.stripe.partners blob: https://b.stripecdn.com https://errors.stripe.com https://ext.stripe.com https://r.stripe.com https://stripe-images.s3.us-west-1.amazonaws.com https://stripe.com 'self'; default-src 'none'; font-src https://b.stripecdn.com 'self'; form-action https://stripe.com 'self'; frame-ancestors https://app.contentful.com 'self'; frame-src https://b.stripecdn.com https://js.stripe.com https://support-conversations.stripe.com 'self'; img-src data: https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://images.ctfassets.net https://images.stripeassets.com https://q.stripe.com 'self'; manifest-src 'none'; media-src https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://videos.ctfassets.net https://videos.stripeassets.com 'self'; object-src 'none'; script-src https://b.stripecdn.com https://js.stripe.com 'self' 'sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc=' 'sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw=' 'sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc=' 'sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek=' 'sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg=' 'sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0=' 'sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc=' 'sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg=' 'sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek=' 'report-sample'; style-src https://b.stripecdn.com 'self' 'unsafe-inline'; worker-src https://b.stripecdn.com 'self'; upgrade-insecure-requests; report-uri https://q.stripe.com/csp-violation?q=hCK2V18NLF2RBwYriXXM8diQv8jRnzAwfBzy0TC2mySycPSB6zLGjnye7FFvf1c%3D; report-to csp
Info::
default-src directive is set
Got: default-src 'none'
Info::
No 'unsafe-inline' in script source
Info::
No 'unsafe-eval' in script source
Info::
No wildcard in script source
Info::
object-src is set to 'none'
Got: object-src 'none'
Info::
base-uri is properly restricted
Got: base-uri 'none'
Info::
frame-ancestors directive is set
Got: frame-ancestors https://app.contentful.com 'self'
Info::
form-action directive is set
Got: form-action https://stripe.com 'self'
Info::
upgrade-insecure-requests is enabled
Parsed Policy
base-uri 'none'
child-src 'none'
connect-src https://c.increment.comhttps://c.stripe.devhttps://c.stripe.globalhttps://c.stripe.partnersblob:https://b.stripecdn.comhttps://errors.stripe.comhttps://ext.stripe.comhttps://r.stripe.comhttps://stripe-images.s3.us-west-1.amazonaws.comhttps://stripe.com'self'
default-src 'none'
font-src https://b.stripecdn.com'self'
form-action https://stripe.com'self'
frame-ancestors https://app.contentful.com'self'
frame-src https://b.stripecdn.comhttps://js.stripe.comhttps://support-conversations.stripe.com'self'
img-src data:https://assets.ctfassets.nethttps://assets.stripeassets.comhttps://b.stripecdn.comhttps://images.ctfassets.nethttps://images.stripeassets.comhttps://q.stripe.com'self'
manifest-src 'none'
media-src https://assets.ctfassets.nethttps://assets.stripeassets.comhttps://b.stripecdn.comhttps://videos.ctfassets.nethttps://videos.stripeassets.com'self'
object-src 'none'
script-src https://b.stripecdn.comhttps://js.stripe.com'self''sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc=''sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw=''sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc=''sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek=''sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg=''sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0=''sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc=''sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg=''sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek=''report-sample'
style-src https://b.stripecdn.com'self''unsafe-inline'
worker-src https://b.stripecdn.com'self'
upgrade-insecure-requests
report-uri https://q.stripe.com/csp-violation?q=hCK2V18NLF2RBwYriXXM8diQv8jRnzAwfBzy0TC2mySycPSB6zLGjnye7FFvf1c%3D
report-to csp
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
TLS & Certificates
TLS 1.3, 7 checks passed
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_256_GCM_SHA384
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
OCSP stapling not enabled
Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.
Info::
Certificate is valid (expires in 56 days)
Got: 2026-07-02T23:59:59Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: ECDSA-SHA384
Info::
Certificate covers 2 domain(s)
Got: stripe.com, www.stripe.com
Info::
Certificate is issued by a trusted CA
Got: CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=US
HTTP/2 provides multiplexing and header compression for better performance.
Why this matters
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.
Why this matters
Without OCSP stapling, every first-time visitor pays an extra OCSP roundtrip — and the CA learns who's visiting your site.
Learn more ▾ ▴
OCSP stapling has the server fetch its own revocation status from the CA and attach the signed response to the TLS handshake. Without it, browsers contact the CA directly: extra latency for the user and a privacy leak (the CA sees who connected). Enable ssl_stapling on (nginx) / SSLUseStapling On (Apache) / OCSPStapling = on (Caddy auto-enables).
Source: RFC 6961 / Mozilla Server-Side TLS guide
Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_256_GCM_SHA384
HTTP Version
HTTP/1.1
Certificate Chain
Leaf Certificate
Subject SERIALNUMBER=4675506,CN=stripe.com,O=Stripe\, Inc,L=South San Francisco,ST=California,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553Issuer CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=USValid 2026-03-04T00:00:00Z → 2026-07-02T23:59:59ZExpires in 56 days SANs stripe.com, www.stripe.comSignature ECDSA-SHA384Serial 736f4a9d3c221d471453e50c91d11fd
Intermediate (CA Certificate)
Subject CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1,O=DigiCert Inc,C=USIssuer CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=USValid 2021-04-14T00:00:00Z → 2031-04-13T23:59:59ZExpires in 1802 days Signature ECDSA-SHA384Serial b00e92d4d6d731fca3059c7cb1e1886
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
JS Library Vulnerabilities
No known vulnerabilities
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
Information Leakage
No exposures
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✗ Exposed | Security Policy | Info |
ATransport SecurityHTTP/3, HSTS, and TLS version analysisPASS
Transport Security
HTTP/3, HSTS, and TLS version analysis
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.