Skip to content
https://thestar.com

Security

· 13 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
73
GRADE
C
FIX
4
REVIEW
4
PASS
5
INFO
0
Checks
13
5 PASS 4 REVIEW 4 FIX
D
Subresource Integrity
Action
2 of 115 external resources have SRI
FIX
2 of 115 external resources have SRI
Warning::
External script from ct.pinterest.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://ct.pinterest.com/static/ct/token_create.js
Warning::
External script from www.youtube.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.youtube.com/s/player/1bb6ee63/www-widgetapi.vflset/www-widgetapi.js
Warning::
External script from cdn.segment.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.segment.com/analytics.js/v1/N4fBVOicgUFz4iwge6yVvB9PJGQcEwtp/analytics.min.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=G-4T2EB147B8&cx=c&gtm=4e64h1
Warning::
External script from s.pinimg.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://s.pinimg.com/ct/lib/main.10d2511a.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=G-6FZFMVVWVN&cx=c&gtm=4e64h1
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=G-B4CQN4KW3R&cx=c&gtm=4e64h1
Warning::
External script from unpkg.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://unpkg.com/web-vitals/dist/web-vitals.iife.js
Warning::
External script from launchpad.privacymanager.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://launchpad.privacymanager.io/latest/launchpad.bundle.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=DC-14475035&cx=c&gtm=4e64h1
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=AW-698108511&cx=c&gtm=4e64h1
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-WXMV2VZ&gtm=4e64h1
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-5MTD44X&gtm=4e64h1
Info::
script from www.gstatic.com has SRI protection
Warning::
External script from tag.rmp.rakuten.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://tag.rmp.rakuten.com/126773.ct.js
Warning::
External script from s.pinimg.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://s.pinimg.com/ct/core.js
Warning::
External script from bat.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //bat.bing.com/bat.js
Warning::
External script from snap.licdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://snap.licdn.com/li.lms-analytics/insight.min.js
Warning::
External script from www.redditstatic.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.redditstatic.com/ads/pixel.js
Warning::
External script from static.ads-twitter.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //static.ads-twitter.com/uwt.js
Warning::
External script from connect.facebook.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://connect.facebook.net/signals/config/549886031832745?v=2.9.303&r=stable&domain=www.thestar.com&hme=97937018cefade17726f0472876fc101316b2ce9008a35a6a5a7977d7436151a&ex_m=104%2C205%2C154%2C22%2C72%2C73%2C145%2C68%2C67%2C11%2C162%2C90%2C16%2C138%2C127%2C39%2C75%2C78%2C134%2C159%2C164%2C8%2C4%2C5%2C7%2C6%2C3%2C91%2C101%2C165%2C170%2C219%2C62%2C186%2C187%2C55%2C276%2C30%2C74%2C231%2C230%2C229%2C23%2C33%2C103%2C61%2C10%2C63%2C97%2C98%2C99%2C105%2C130%2C31%2C29%2C132%2C133%2C129%2C128%2C155%2C76%2C158%2C156%2C157%2C50%2C60%2C123%2C15%2C161%2C45%2C263%2C264%2C262%2C26%2C27%2C28%2C48%2C146%2C77%2C112%2C18%2C20%2C44%2C40%2C42%2C41%2C83%2C92%2C96%2C110%2C144%2C147%2C46%2C111%2C24%2C21%2C119%2C69%2C36%2C149%2C148%2C150%2C141%2C139%2C25%2C35%2C59%2C109%2C160%2C70%2C17%2C152%2C114%2C81%2C66%2C19%2C85%2C86%2C116%2C84%2C136%2C135%2C34%2C278%2C293%2C212%2C201%2C202%2C200%2C296%2C288%2C52%2C213%2C107%2C131%2C80%2C121%2C54%2C47%2C49%2C113%2C120%2C126%2C58%2C64%2C151%2C115%2C37%2C32%2C53%2C56%2C100%2C163%2C1%2C124%2C14%2C122%2C12%2C2%2C57%2C93%2C65%2C118%2C89%2C88%2C166%2C167%2C94%2C95%2C9%2C125%2C102%2C51%2C142%2C87%2C79%2C71%2C117%2C106%2C43%2C143%2C0%2C82%2C137%2C140%2C153%2C38%2C108%2C13%2C168
Warning::
External script from connect.facebook.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //connect.facebook.net/en_US/fbevents.js
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/marfeel-sdk.es5.js?id=7469
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/marfeel-sdk.js?id=7469
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-WRSZQF8&gtm_auth=74eL4wQLYRNQ18AwQITlNA&gtm_preview=env-1&gtm_cookies_win=x
Info::
script from www.gstatic.com has SRI protection
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-PDQV3N
Warning::
External script from www.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.google.com/recaptcha/enterprise.js?render=6LdF3BEhAAAAAEQUmLciJe0QwaHESwQFc2vwCWqh
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/jquery/resources/scripts/jquery.min.d6d18fcf88750a16d256e72626e676a6.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/bootstrap/resources/scripts/bootstrap.min.d457560d3dfbf1d56a225eb99d7b0702.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/plugins/resources/scripts/common.08a61544f369cc43bf02e71b2d10d49f.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/template/resources/scripts/tnt.c7cd232a9076c196b2102839f349c060.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/template/resources/scripts/application.0758030105fdd3a70dff03f4da4530e2.js
Warning::
External script from btloader.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://btloader.com/tag?o=5071905434894336&upapi=true&async=true
Warning::
External script from c.webtrends-optimize.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //c.webtrends-optimize.com/acs/accounts/cfa16dfe-2c13-4c6e-8cb4-c532d090eb72/js/wt.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/scripts/edition-selector.js?_dc=1776274409
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/scripts/footer.nav.js?_dc=1776274409
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/template/resources/scripts/tnt.navigation.accessibility.7a9170240d21440159b9bd59db72933b.js
Warning::
External script from securepubads.g.doubleclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Warning::
External script from micro.rubiconproject.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //micro.rubiconproject.com/prebid/dynamic/18488.js
Warning::
External script from config.aps.amazon-adsystem.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://config.aps.amazon-adsystem.com/configs/5028
Warning::
External script from client.aps.amazon-adsystem.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://client.aps.amazon-adsystem.com/publisher.js
Warning::
External script from c.webtrends-optimize.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //c.webtrends-optimize.com/acs/common/js/5.4/sizzle.min.js
Warning::
External script from c.webtrends-optimize.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //c.webtrends-optimize.com/acs/common/js/5.4/common.js
Warning::
External script from c.webtrends-optimize.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //c.webtrends-optimize.com/acs/common/js/5.4/wt_debugger.js
Warning::
External script from c.webtrends-optimize.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://c.webtrends-optimize.com/acs/common/js/7.0/wt_lib.js
Warning::
External script from config.aps.amazon-adsystem.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://config.aps.amazon-adsystem.com/configs/5028
Warning::
External script from www.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.google.com/recaptcha/api.js?render=explicit
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/ads/resources/scripts/tnt.ads.adverts.66a3812a7b5c12fde8cd998fd691ad7d.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/scripts/save.asset.js?_dc=1776274409
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/plugins/resources/scripts/fontawesome.2d2bffd5ae1ad5a87314065b9bf6fb87.js
Warning::
External script from tags.crwdcntrl.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://tags.crwdcntrl.net/lt/c/17837/lt.min.js
Warning::
External script from accounts.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://accounts.google.com/gsi/client
Warning::
External script from news.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://news.google.com/swg/js/v1/swg.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://resources.thestar.com/cf7f3d5747a0/55637cf57ed4/launch-9387fe3a1e9f.min.js
Warning::
External link from fonts.googleapis.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fonts.googleapis.com/css2?family=STIX+Two+Text:ital,wght@0,500;0,600;0,700;1,500;1,600;1,700&family=Frank+Ruhl+Libre:wght@300;400;500;600;700;800;900&family=Merriweather+Sans:ital,wght@0,400;0,500;0,600;0,700;0,800;1,400;1,500;1,600;1,700;1,800&display=swap
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/navigation.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/pages.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/blocks.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/utilities.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/global.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/threecolheader.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/stn.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/common/storypacks.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/common/utilities.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/common/user-controls.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/common/icons.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/staronly.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/site/resources/styles/site.css?_dc=1671043982
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/oovvuu.css?_dc=1776274407
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/daily/primis.css?_dc=1776274407
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/hostedLibFiles/EP31dbb9c60e404ba1aa6e746d49be6f29/AppMeasurement.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/hostedLibFiles/EP31dbb9c60e404ba1aa6e746d49be6f29/AppMeasurement_Module_ActivityMap.min.js
Warning::
External script from launchpad-wrapper.privacymanager.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://launchpad-wrapper.privacymanager.io/93108f94-c2ee-4a3a-a287-26652cd33617/launchpad-liveramp.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCb8f42e37a09e4196aa7117720f82f551-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC5a3fb3025b4a48948d3bcd486c7cf5ed-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC878900729ecb4cc3bd33f717afe65ffb-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCd4feb75b19a24c0ab8a775b5e615c54b-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCaff287376a134ea9a114533c03f180dd-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCf33a1ce818084762aaa44a3156b300bc-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC3c522b5001a44380bcddcb3a9180058b-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC65c93b04810445cbbd9451a6ca65d82c-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCc907d78644e948cb98b4b65f8f051c4a-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC61156c70f4fa40a0a3ca7a07b2dc3e8a-source.min.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=AW-698108511
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=DC-14475035
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCc2c2f8247419439b9fdf13603f96b1b3-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC0d95931feac54b958c37a3531b5cc80c-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC6773fca2518f4482ba25a40f7ca0da6d-source.min.js
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCe4d88b33a2934c69b45b41719749a449-source.min.js
Warning::
External script from securepubads.g.doubleclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://securepubads.g.doubleclick.net/pagead/managed/js/gpt/m202604170101/pubads_impl.js?cb=31097946
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RCdddaff6ddaa24ef2bc1f56ce437cbd29-source.min.js
Warning::
External link from news.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://news.google.com/swg/js/v1/swg-button.css
Warning::
External script from data-sales.ccgateway.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://data-sales.ccgateway.net/data-sales-tag/v1/parent/4bf40680f5/script?domain=www.thestar.com
Warning::
External script from resources.thestar.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //resources.thestar.com/cf7f3d5747a0/55637cf57ed4/2346faba292a/RC36ac8ee5dd6745ca938267be8363ee38-source.min.js
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/compass-multimedia-sdk.js?version=2260
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/compass-multimedia-sdk.es5.js?version=2260
Warning::
External script from cdn-p.cityspark.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cdn-p.cityspark.com/wid/12722.jsx?b=592267251&on=aHR0cHM6Ly93d3cudGhlc3Rhci5jb20v&callback=jsonp12722
Warning::
External script from www.youtube.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.youtube.com/iframe_api
Warning::
External script from bat.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bat.bing.com/p/action/13008914.js
Warning::
External script from fundingchoicesmessages.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fundingchoicesmessages.google.com/i/58580620?ers=3
Warning::
External script from googleads.g.doubleclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://googleads.g.doubleclick.net/pagead/viewthroughconversion/698108511/?random=1776801755570&cv=11&fst=1776801755570&bg=ffffff&guid=ON&async=1&en=gtag.config&gtm=45be64h1v867836103za200zb72758733zd72758733xec&gcd=13l3l3l3l1l1&dma=0&tag_exp=0~115938465~115938468~117266401&u_w=800&u_h=600&url=https%3A%2F%2Fwww.thestar.com%2F&rcb=8&frm=0&tiba=Breaking%20News%20-%20Headlines%20%26%20Top%20Stories%20%7C%20The%20Star&hn=www.googleadservices.com&npa=0&pscdl=noapi&auid=906045121.1776801755&uaa=x86&uab=64&uafvl=Not-A.Brand%3B24.0.0.0%7CChromium%3B146.0.7680.164&uamb=0&uam=&uap=Linux&uapv=&uaw=0&data=event%3Dgtag.config&rfmt=3&fmt=4
Warning::
External script from fundingchoicesmessages.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fundingchoicesmessages.google.com/f/AGSKWxW0VzKGHK_FZZRE3BU9yrecOuGjZCZsoZXTo3vpQ4V68x3ulswMcx8l2OqaJA_ZS9OYVqJfNwO72ScwcqgLcZ3flgVixdXYJbZFUdnBVRF_pHuzHmwDiv3wJ73Q1OQskMbSKG_EVw==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzc2ODAxNzU3LDI2NTAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly93d3cudGhlc3Rhci5jb20vIixudWxsLFtbOCwiRHNLR04tcXFmclEiXSxbOSwiZW4tVVMiXSxbMTgsIltbW251bGwsMjgwNF1dXSJdLFszNSwiMTc3NjgwMTc1NyJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCIiXSxbMjUsIltbOTUzNDAyNTMsOTUzNDAyNTVdXSJdLFsyOSwiZmFsc2UiXV1d
Warning::
External script from oa.openxcdn.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://oa.openxcdn.net/esp.js
Warning::
External script from cdn.id5-sync.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.id5-sync.com/api/1.0/esp.js
Warning::
External script from fundingchoicesmessages.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fundingchoicesmessages.google.com/f/AGSKWxUyr_tWUl6pnpA69g-rK7e3FjN77rsMAV9nwgWsTVzMA2fnKPiM33A_q2eAM7zzjDLxv8h_7kOtZU_AaAzWV2Bl20UZa9gkUWszyB7w3RQ6g6r2c9MmsETkNQlJPNcdW6GxYUrA6g==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzc2ODAxNzU3LDYyNzAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOV0sbnVsbCwyLG51bGwsImVuIl0sImh0dHBzOi8vd3d3LnRoZXN0YXIuY29tLyIsbnVsbCxbWzgsIkRzS0dOLXFxZnJRIl0sWzksImVuLVVTIl0sWzE4LCJbW1tudWxsLDI4MDRdXV0iXSxbMzUsIjE3NzY4MDE3NTciXSxbMTksIjIiXSxbMTcsIlswXSJdLFsyNCwiIl0sWzI1LCJbWzk1MzQwMjUzLDk1MzQwMjU1XV0iXSxbMjksImZhbHNlIl1dXQ
Warning::
External script from cdn.cityspark.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cdn.cityspark.com/wid/get.js
Warning::
External link from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/styles/common/subscription-landing.css?_dc=1776274407
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/scripts/newsletter-helper.min.js?_dc=1776274409
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/template/resources/scripts/tnt.errors.log.gtm.ff9df6708e2dbc9da79fbefae5491221.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/ads/resources/scripts/tnt.ads.core.9d39a5cf1d944aca793cec64b465c450.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/plugins/resources/scripts/sticky-kit.cd42d35abf643b0a78798fe03bf6bc83.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/shared-content/art/tncms/templates/libraries/flex/components/template/resources/scripts/tnt.regions.e7df22f20c42105cce5864da9e346f48.js
Warning::
External script from bloximages.chicago2.vip.townnews.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://bloximages.chicago2.vip.townnews.com/thestar.com/content/tncms/live/libraries/flex/components/torstar_core/resources/scripts/promo_popup.min.js?_dc=1776274409
Warning::
External script from cdn.viafoura.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cdn.viafoura.net/entry/index.js
SRI Coverage 2 / 115 of external resources have integrity hashes
TagDomainIntegrity
<script>ct.pinterest.com Missing
<script>www.youtube.com Missing
<script>cdn.segment.com Missing
<script>www.googletagmanager.com Missing
<script>s.pinimg.com Missing
<script>www.googletagmanager.com Missing
<script>www.googletagmanager.com Missing
<script>unpkg.com Missing
<script>launchpad.privacymanager.io Missing
<script>www.googletagmanager.com Missing
<script>www.googletagmanager.com Missing
<script>www.googletagmanager.com Missing
<script>www.googletagmanager.com Missing
<script>www.gstatic.com Protected
<script>tag.rmp.rakuten.com Missing
<script>s.pinimg.com Missing
<script>bat.bing.com Missing
<script>snap.licdn.com Missing
<script>www.redditstatic.com Missing
<script>static.ads-twitter.com Missing
<script>connect.facebook.net Missing
<script>connect.facebook.net Missing
<script>sdk.mrf.io Missing
<script>sdk.mrf.io Missing
<script>www.googletagmanager.com Missing
<script>www.gstatic.com Protected
<script>www.googletagmanager.com Missing
<script>www.google.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>btloader.com Missing
<script>c.webtrends-optimize.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>securepubads.g.doubleclick.net Missing
<script>micro.rubiconproject.com Missing
<script>config.aps.amazon-adsystem.com Missing
<script>client.aps.amazon-adsystem.com Missing
<script>c.webtrends-optimize.com Missing
<script>c.webtrends-optimize.com Missing
<script>c.webtrends-optimize.com Missing
<script>c.webtrends-optimize.com Missing
<script>config.aps.amazon-adsystem.com Missing
<script>www.google.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>tags.crwdcntrl.net Missing
<script>accounts.google.com Missing
<script>news.google.com Missing
<script>resources.thestar.com Missing
<link>fonts.googleapis.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>launchpad-wrapper.privacymanager.io Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>www.googletagmanager.com Missing
<script>www.googletagmanager.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>resources.thestar.com Missing
<script>securepubads.g.doubleclick.net Missing
<script>resources.thestar.com Missing
<link>news.google.com Missing
<script>data-sales.ccgateway.net Missing
<script>resources.thestar.com Missing
<script>sdk.mrf.io Missing
<script>sdk.mrf.io Missing
<script>cdn-p.cityspark.com Missing
<script>www.youtube.com Missing
<script>bat.bing.com Missing
<script>fundingchoicesmessages.google.com Missing
<script>googleads.g.doubleclick.net Missing
<script>fundingchoicesmessages.google.com Missing
<script>oa.openxcdn.net Missing
<script>cdn.id5-sync.com Missing
<script>fundingchoicesmessages.google.com Missing
<script>cdn.cityspark.com Missing
<link>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>bloximages.chicago2.vip.townnews.com Missing
<script>cdn.viafoura.net Missing
D
Email Security
Action
DMARC: none
FIX
DMARC: none
Warning::
DMARC policy is none — monitoring only
This only monitors, it doesn't block spoofed emails. Change to p=quarantine or p=reject.
DMARC
Policy none — monitoring only, does not block spoofing Record v=DMARC1; p=none; rua=mailto:6031e5d56c20667@rep.dmarcanalyzer.com; ruf=mailto:6031e5d56c20667@for.dmarcanalyzer.com; fo=1;

This only monitors, it doesn't block spoofed emails. Change to p=quarantine or p=reject.

Why this matters

DMARC p=none collects reports but doesn't actually block spoofed mail — phishing emails still reach inboxes.

Learn more

DMARC's three policies are p=none (monitor only), p=quarantine (mark as spam), and p=reject (bounce). Most domains start at p=none to gather data, but stay there forever, leaving spoofers unblocked. After 30 days of clean DMARC reports, graduate to p=quarantine, then p=reject.

Source: DMARC.org / NIST

D
Permissions-Policy
Action
No header set
FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
D
security.txt
Action
No /.well-known/security.txt published
FIX

security.txt

No security.txt found at /.well-known/security.txt

B
Security Headers
6 of 10 headers properly configured
REVIEW
6 of 10 headers properly configured
Warning::
HSTS is missing includeSubDomains
Without includeSubDomains, subdomains can still be accessed over HTTP.
Got: max-age=31536000 Expected: max-age=31536000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Info::
Referrer-Policy is properly configured
Got: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: upgrade-insecure-requests
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is not present

Without includeSubDomains, subdomains can still be accessed over HTTP.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without includeSubDomains, a forgotten dev subdomain over HTTP can set malicious cookies that ride to the apex.

Learn more

HSTS without includeSubDomains protects only the exact domain. Cookies set on a non-HSTS subdomain can ride to the apex via cookie-scope attacks. The fix is one directive append. Verify all subdomains support HTTPS first — adding includeSubDomains to a domain with HTTP-only subdomains breaks them.

Source: RFC 6797

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

C
Content Security Policy
Action
2 of 10 CSP checks passed
REVIEW
2 of 10 CSP checks passed
Info::
Raw CSP policy
Got: upgrade-insecure-requests
Warning::
default-src directive is missing
default-src provides a fallback for other directives. Set it to restrict default resource loading.
Expected: default-src 'self'
Info::
No script-src or default-src to check for 'unsafe-inline'
Info::
No script-src or default-src to check for 'unsafe-eval'
Info::
No script-src or default-src to check for wildcard
Info::
object-src falls back to default-src
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is enabled

default-src provides a fallback for other directives. Set it to restrict default resource loading.

Expected: default-src 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

Parsed Policy

upgrade-insecure-requests
B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
C
Known vulnerability matches
Action
3 known vulnerability match(es) against detected tech
REVIEW

Known Vulnerabilities

LibraryVersionSeveritySummaryFixed In
Bootstrap3.4.1mediumBootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes3.4.2
Bootstrap3.4.1mediumImproper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap version 3.4.1. At time of publication, there is no publicly available patched version.3.4.2
Bootstrap3.4.1lowBootstrap before 4.0.0 is end-of-life and no longer maintained.3.999.999
A+
TLS & Certificates
TLS 1.3, 7 checks passed
PASS
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 63 days)
Got: 2026-06-24T11:09:22Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 2 domain(s)
Got: thestar.com, www.thestar.com
Info::
Certificate is issued by a trusted CA
Got: CN=WR1,O=Google Trust Services,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_128_GCM_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=thestar.comIssuer CN=WR1,O=Google Trust Services,C=USValid 2026-03-26T11:09:23Z → 2026-06-24T11:09:22ZExpires in 63 days SANs thestar.com, www.thestar.comSignature SHA256-RSASerial f6c7cdb8d5330aa00ebc889f3088446d
Intermediate (CA Certificate)
Subject CN=WR1,O=Google Trust Services,C=USIssuer CN=GTS Root R1,O=Google Trust Services LLC,C=USValid 2023-12-13T09:00:00Z → 2029-02-20T14:00:00ZExpires in 1035 days Signature SHA256-RSASerial 7fd9e2c2d2048a0474b627a26d0868a7
Intermediate (CA Certificate)
Subject CN=GTS Root R1,O=Google Trust Services LLC,C=USIssuer CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BEValid 2020-06-19T00:00:42Z → 2028-01-28T00:00:42ZExpires in 646 days Signature SHA256-RSASerial 77bd0d6cdb36f91aea210fc4f058d30d
A+
Cookie Security
No cookies set — no cookie security risks
PASS
No cookies set — no cookie security risks
Info::
No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt Not foundSecurity Policy
A
Transport Security
HTTP/3, HSTS, and TLS version analysis
PASS
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (base policy)
Info::
HSTS missing includeSubDomains
Without includeSubDomains, HSTS only protects the exact domain.
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback