Security

· 13 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.

SCORE

GRADE

FIX

REVIEW

PASS

INFO

Checks

5 PASS 5 REVIEW 3 FIX

Content Security Policy

Action

2 of 11 CSP checks passed

FIX

2 of 11 CSP checks passed

Raw CSP policy

Got: default-src data: 'self' 'unsafe-inline' 'unsafe-eval' ok.ru *.ok.ru odnoklassniki.ru *.odnoklassniki.ru okcdn.ru http://*.okcdn.ru https://*.okcdn.ru mycdn.me http://*.mycdn.me https://*.mycdn.me http://st-ok.cdn-vk.ru https://st-ok.cdn-vk.ru http://st-ok-pts.cdn-vk.ru https://st-ok-pts.cdn-vk.ru wss://ad.mail.ru *.mail.ru *.imgsmail.ru *.mradx.net *.serving-sys.com *.googleapis.com *.gstatic.com www.google.com https://api-maps.yandex.ru yastatic.net yandex.st *.doubleverify.com *.adsafeprotected.com https://cdn.consentmanager.net https://football.sportmail.ru *.google.ru *.google.com *.googlesyndication.com *.yandex.ru static.dzeninfra.ru connect.ok.ru https://connect.ok.ru blob:; script-src 'unsafe-inline' 'unsafe-eval' *.mail.ru https://*.mail.ru *.imgsmail.ru *.mradx.net ok.ru *.ok.ru odnoklassniki.ru *.odnoklassniki.ru okcdn.ru http://*.okcdn.ru https://*.okcdn.ru http://st-ok.cdn-vk.ru https://st-ok.cdn-vk.ru http://st-ok-pts.cdn-vk.ru https://st-ok-pts.cdn-vk.ru mycdn.me http://*.mycdn.me https://*.mycdn.me mc.yandex.ru an.yandex.ru yastatic.net yandex.st *.google-analytics.com api-maps.yandex.ru https://api-maps.yandex.ru https://clck.yandex.ru *.googleapis.com *.gstatic.com www.google.com www.youtube.com https://www.youtube.com *.ytimg.com https://*.ytimg.com *.doubleverify.com *.dvtps.com *.doubleclick.net *.googletagservices.com *.googlesyndication.com *.googleadservices.com *.goodgame.ru https://*.goodgame.ru https://*.moatads.com *.adlooxtracking.com *.adlooxtracking.ru *.adsafeprotected.com *.serving-sys.com *.serving-sys.ru *.weborama.fr *.weborama-tech.ru https://enterprise.api-maps.yandex.ru https://suggest-maps.yandex.ru https://*.hit.gemius.pl https://*.consentmanager.net https://gum.criteo.com https://football.sportmail.ru *.googletagmanager.com connect.facebook.net *.google.ru *.google.com *.googlesyndication.com yandex.ru static.dzeninfra.ru *.adtrafficquality.google; worker-src blob: 'self'; connect-src * wss: blob: data:; font-src * data: blob:; frame-src * blob: 'self'; img-src * data: blob: about:; media-src * data: blob:; object-src *; report-uri /csp/report;

default-src directive is set

'unsafe-inline' found in script source

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Got: script-src 'unsafe-inline' 'unsafe-eval' *.mail.ru https://*.mail.ru *.imgsmail.ru *.mradx.net ok.ru *.ok.ru odnoklassniki.ru *.odnoklassniki.ru okcdn.ru http://*.okcdn.ru https://*.okcdn.ru http://st-ok.cdn-vk.ru https://st-ok.cdn-vk.ru http://st-ok-pts.cdn-vk.ru https://st-ok-pts.cdn-vk.ru mycdn.me http://*.mycdn.me https://*.mycdn.me mc.yandex.ru an.yandex.ru yastatic.net yandex.st *.google-analytics.com api-maps.yandex.ru https://api-maps.yandex.ru https://clck.yandex.ru *.googleapis.com *.gstatic.com www.google.com www.youtube.com https://www.youtube.com *.ytimg.com https://*.ytimg.com *.doubleverify.com *.dvtps.com *.doubleclick.net *.googletagservices.com *.googlesyndication.com *.googleadservices.com *.goodgame.ru https://*.goodgame.ru https://*.moatads.com *.adlooxtracking.com *.adlooxtracking.ru *.adsafeprotected.com *.serving-sys.com *.serving-sys.ru *.weborama.fr *.weborama-tech.ru https://enterprise.api-maps.yandex.ru https://suggest-maps.yandex.ru https://*.hit.gemius.pl https://*.consentmanager.net https://gum.criteo.com https://football.sportmail.ru *.googletagmanager.com connect.facebook.net *.google.ru *.google.com *.googlesyndication.com yandex.ru static.dzeninfra.ru *.adtrafficquality.google

'unsafe-eval' found in script source

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

No wildcard in script source

object-src allows plugin content

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Got: object-src * Expected: object-src 'none'

base-uri directive is missing

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'

frame-ancestors directive is missing

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

form-action directive is missing

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

upgrade-insecure-requests is not set

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Content-Security-Policy-Report-Only is also set

A report-only policy is active alongside the enforcing policy for monitoring.

Got: default-src data: blob: about: 'self' 'unsafe-inline' 'unsafe-eval' https: wss:; report-uri /csp/report?always;

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more ▾

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more ▾

Source: OWASP CSP / MDN

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Expected: object-src 'none'

Why this matters

object-src open in CSP allows Flash/PDF/plugin embedding — a now-deprecated attack vector that should be explicitly blocked.

Learn more ▾

object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.

Source: MDN CSP

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'

Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more ▾

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more ▾

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

A report-only policy is active alongside the enforcing policy for monitoring.

Why this matters

Running enforcing + Report-Only in parallel lets you test stricter directives safely before promoting them.

Source: MDN CSP

Parsed Policy

default-src data:'self''unsafe-inline''unsafe-eval'ok.ru*.ok.ruodnoklassniki.ru*.odnoklassniki.ruokcdn.ruhttp://*.okcdn.ruhttps://*.okcdn.rumycdn.mehttp://*.mycdn.mehttps://*.mycdn.mehttp://st-ok.cdn-vk.ruhttps://st-ok.cdn-vk.ruhttp://st-ok-pts.cdn-vk.ruhttps://st-ok-pts.cdn-vk.ruwss://ad.mail.ru*.mail.ru*.imgsmail.ru*.mradx.net*.serving-sys.com*.googleapis.com*.gstatic.comwww.google.comhttps://api-maps.yandex.ruyastatic.netyandex.st*.doubleverify.com*.adsafeprotected.comhttps://cdn.consentmanager.nethttps://football.sportmail.ru*.google.ru*.google.com*.googlesyndication.com*.yandex.rustatic.dzeninfra.ruconnect.ok.ruhttps://connect.ok.rublob:

script-src 'unsafe-inline''unsafe-eval'*.mail.ruhttps://*.mail.ru*.imgsmail.ru*.mradx.netok.ru*.ok.ruodnoklassniki.ru*.odnoklassniki.ruokcdn.ruhttp://*.okcdn.ruhttps://*.okcdn.ruhttp://st-ok.cdn-vk.ruhttps://st-ok.cdn-vk.ruhttp://st-ok-pts.cdn-vk.ruhttps://st-ok-pts.cdn-vk.rumycdn.mehttp://*.mycdn.mehttps://*.mycdn.memc.yandex.ruan.yandex.ruyastatic.netyandex.st*.google-analytics.comapi-maps.yandex.ruhttps://api-maps.yandex.ruhttps://clck.yandex.ru*.googleapis.com*.gstatic.comwww.google.comwww.youtube.comhttps://www.youtube.com*.ytimg.comhttps://*.ytimg.com*.doubleverify.com*.dvtps.com*.doubleclick.net*.googletagservices.com*.googlesyndication.com*.googleadservices.com*.goodgame.ruhttps://*.goodgame.ruhttps://*.moatads.com*.adlooxtracking.com*.adlooxtracking.ru*.adsafeprotected.com*.serving-sys.com*.serving-sys.ru*.weborama.fr*.weborama-tech.ruhttps://enterprise.api-maps.yandex.ruhttps://suggest-maps.yandex.ruhttps://*.hit.gemius.plhttps://*.consentmanager.nethttps://gum.criteo.comhttps://football.sportmail.ru*.googletagmanager.comconnect.facebook.net*.google.ru*.google.com*.googlesyndication.comyandex.rustatic.dzeninfra.ru*.adtrafficquality.google

worker-src blob:'self'

connect-src *wss:blob:data:

font-src *data:blob:

frame-src *blob:'self'

img-src *data:blob:about:

media-src *data:blob:

object-src *

report-uri /csp/report

Subresource Integrity

Action

0 of 252 external resources have SRI

FIX

0 of 252 external resources have SRI

External script from yandex.ru lacks integrity attribute