Security - https://stelgano.com BeaverCheck Audit

F

Email Security

Action

No DMARC

FIX

No DMARC

No DMARC record found

Without DMARC, email receivers have no policy for handling authentication failures.

DMARC

No DMARC record found

Without DMARC, email receivers have no policy for handling authentication failures from your domain.

Without DMARC, email receivers have no policy for handling authentication failures.

Why this matters

Without DMARC, anyone can send phishing emails using your domain name.

Learn more ▾

DMARC tells receiving mail servers what to do with email that fails SPF/DKIM checks for your domain. With a strict 'p=reject' policy, spoofed emails get bounced; without it they reach the inbox. Domains used in phishing campaigns lose deliverability and brand trust fast.

Source: DMARC.org / NIST

B

Permissions-Policy

4 directives, 1 missing

REVIEW

4 directives, 1 missing

camera=() — blocked for all origins

microphone=() — blocked for all origins

geolocation=() — blocked for all origins

payment=() — blocked for all origins

usb not restricted

Consider adding usb=() to block usb access from embedded content.

Raw Header

camera=() microphone=() geolocation=() payment=()

Feature Permissions

Blocked Self Only Unrestricted Not Set

camera Blocked

microphone Blocked

geolocation Blocked

payment Blocked

usb Not Set

B

CORS Configuration

No CORS headers

REVIEW

No CORS headers

No CORS headers present — secure default

CORS Configuration ✓ Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control

B

security.txt

Published with 2 contact(s)

REVIEW

security.txt

Contact: mailto:security@stelgano.com, https://github.com/stelgano/stelgano/security/advisories/new

Expires: 2027-01-01T00:00:00.000Z

Encryption: https://stelgano.com/.well-known/security-pgp.asc

Policy: https://stelgano.com/.well-known/security.txt

A+

Security Headers

10 of 10 headers properly configured

PASS

10 of 10 headers properly configured

Strict-Transport-Security is properly configured

Got: max-age=63072000; includeSubDomains; preload

X-Content-Type-Options is properly configured

Got: nosniff

X-Frame-Options is properly configured

Got: SAMEORIGIN

Referrer-Policy is properly configured

Got: strict-origin-when-cross-origin

Permissions-Policy is set

Got: camera=(), microphone=(), geolocation=(), payment=()

Content-Security-Policy is present

Got: default-src 'self'; script-src 'self' 'nonce-ArkjfeTOiuV4zgq7RrSjbonK'; style-sr…

Cross-Origin-Opener-Policy is properly configured

Got: same-origin

Cross-Origin-Embedder-Policy is set

Got: same-origin

X-Powered-By header is not present

Server header is not present

A+

Content Security Policy

8 of 10 CSP checks passed

PASS

8 of 10 CSP checks passed

Raw CSP policy

Got: default-src 'self'; script-src 'self' 'nonce-ArkjfeTOiuV4zgq7RrSjbonK'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' wss: ws:; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

default-src directive is set

Got: default-src 'self'

No 'unsafe-inline' in script source

No 'unsafe-eval' in script source

No wildcard in script source

object-src is set to 'none'

Got: object-src 'none'

base-uri is properly restricted

Got: base-uri 'self'

frame-ancestors directive is set

Got: frame-ancestors 'none'

form-action directive is set

Got: form-action 'self'

upgrade-insecure-requests is not set

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more ▾

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

default-src 'self'

script-src 'self''nonce-ArkjfeTOiuV4zgq7RrSjbonK'

style-src 'self''unsafe-inline'

font-src 'self'

connect-src 'self'wss:ws:

img-src 'self'data:

object-src 'none'

frame-ancestors 'none'

base-uri 'self'

form-action 'self'

A+

TLS & Certificates

TLS 1.3, 7 checks passed

PASS

TLS 1.3, 7 checks passed

TLS 1.3 is used

Got: TLS 1.3

Strong cipher suite is used

Got: TLS_AES_128_GCM_SHA256

HTTP/2 is not negotiated

HTTP/2 provides multiplexing and header compression for better performance.

Got: http/1.1

Certificate is valid (expires in 84 days)

Got: 2026-07-17T23:31:15Z

Certificate chain has 2 certificates

Certificate uses modern signature algorithm

Got: ECDSA-SHA384

Certificate covers 1 domain(s)

Got: stelgano.com

Certificate is issued by a trusted CA

Got: CN=E7,O=Let's Encrypt,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more ▾

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection

Protocol

TLS 1.3

Cipher Suite

TLS_AES_128_GCM_SHA256

HTTP Version

HTTP/1.1

Certificate Chain

Leaf Certificate

Subject CN=stelgano.comIssuer CN=E7,O=Let's Encrypt,C=USValid 2026-04-18T23:31:16Z → 2026-07-17T23:31:15ZExpires in 84 days SANs stelgano.comSignature ECDSA-SHA384Serial 6cf8f7570d6b20646bede72cb34b3322976

Intermediate (CA Certificate)

Subject CN=E7,O=Let's Encrypt,C=USIssuer CN=ISRG Root X1,O=Internet Security Research Group,C=USValid 2024-03-13T00:00:00Z → 2027-03-12T23:59:59ZExpires in 322 days Signature SHA256-RSASerial aa75f1e62b8f0a220966d38bbfd4baa1

A+

Cookie Security

1 cookies analyzed, 3 checks passed

PASS

1 cookies analyzed, 3 checks passed

Cookie '_stelgano_key' has the Secure flag

Cookie '_stelgano_key' has the HttpOnly flag

Cookie '_stelgano_key' has SameSite=Lax

1 cookies analyzed

Name	Secure	HttpOnly	SameSite	Size	Issues
_stelgano_key	✓	✓	Lax	133 B	—

A+

Subresource Integrity

No external resources

PASS

No external resources

No external resources to protect

SRI Coverage No external resources — SRI not applicable

A+

JS Library Vulnerabilities

No known vulnerabilities

PASS

No known vulnerabilities

No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+

Information Leakage

No exposures

PASS

No exposures

security.txt is present — good practice

No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path	Status	Category	Risk
/.git/HEAD	✓ Not found	Version Control	—
/.git/config	✓ Not found	Version Control	—
/.svn/entries	✓ Not found	Version Control	—
/.env	✓ Not found	Configuration	—
/.env.local	✓ Not found	Configuration	—
/.env.production	✓ Not found	Configuration	—
/wp-config.php	✓ Not found	Configuration	—
/.htaccess	✓ Not found	Configuration	—
/phpinfo.php	✓ Not found	Debug	—
/server-status	✓ Not found	Debug	—
/server-info	✓ Not found	Debug	—
/.well-known/security.txt	✗ Exposed	Security Policy	Info

A+

Transport Security

HTTP/3, HSTS, and TLS version analysis

PASS

HTTP/3, HSTS, and TLS version analysis

HTTP/3 (QUIC) supported

The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.

HSTS enabled (includeSubDomains, preload)

HSTS preload enabled

TLS 1.3 in use (fastest handshake, 1-RTT)