Security - https://gitlab.com/users/sign

F

Subresource Integrity

Action

0 of 1 external resources have SRI

FIX

0 of 1 external resources have SRI

External script from challenges.cloudflare.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://challenges.cloudflare.com/turnstile/v0/g/fe6331af5207/api.js?onload=kwkA1&render=explicit

SRI Coverage 0 / 1 of external resources have integrity hashes

Tag	Domain	Integrity
<script>	challenges.cloudflare.com	✗ Missing

C

Content Security Policy

Action

6 of 10 CSP checks passed

REVIEW

6 of 10 CSP checks passed

Raw CSP policy

Got: default-src 'none'; script-src 'nonce-gPv4RNQAs12aQ26thmDkcZ' 'unsafe-eval' https://challenges.cloudflare.com; script-src-attr 'none'; style-src 'unsafe-inline'; img-src 'self' https://challenges.cloudflare.com; connect-src 'self' https://challenges.cloudflare.com; frame-src 'self' https://challenges.cloudflare.com blob:; child-src 'self' https://challenges.cloudflare.com blob:; worker-src blob:; form-action http: https:; base-uri 'self'

default-src directive is set

Got: default-src 'none'

No 'unsafe-inline' in script source

'unsafe-eval' found in script source

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Got: script-src 'nonce-gPv4RNQAs12aQ26thmDkcZ' 'unsafe-eval' https://challenges.cloudflare.com

No wildcard in script source

object-src falls back to default-src

base-uri is properly restricted

Got: base-uri 'self'

frame-ancestors directive is missing

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

form-action directive is set

Got: form-action http: https:

upgrade-insecure-requests is not set

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more ▾

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests

Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more ▾

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

default-src 'none'

script-src 'nonce-gPv4RNQAs12aQ26thmDkcZ''unsafe-eval'https://challenges.cloudflare.com

script-src-attr 'none'

style-src 'unsafe-inline'

img-src 'self'https://challenges.cloudflare.com

connect-src 'self'https://challenges.cloudflare.com

frame-src 'self'https://challenges.cloudflare.comblob:

child-src 'self'https://challenges.cloudflare.comblob:

worker-src blob:

form-action http:https:

base-uri 'self'

B

CSP Inline-Style Readiness

2 inline style attribute(s) detected

REVIEW

2 inline style attribute(s) detected

Each `style=""` attribute forces `style-src 'unsafe-inline'` in any Content-Security-Policy, which negates most of CSP's XSS-mitigation value. 2 inline style(s) is low. Affected element types include: div. Move styles to a stylesheet; use CSS custom properties for runtime-dynamic values; or adopt a nonce/hash CSP policy. Most teams take the stylesheet path because it's also a maintainability win.

B

Trusted Types (XSS Sink Hardening)

Trusted Types not enabled

REVIEW

Trusted Types not enabled

Trusted Types (CSP3) is a Chrome 83+ defense that requires DOM-XSS sinks (innerHTML, document.write, eval, ...) to receive a typed-and-sanitized value rather than a raw string. Adding `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default` neutralizes most DOM-XSS even when a payload reaches a sink. Adoption is currently ~0.1% of pages so this is informational; a roll-out usually starts in report-only mode.

C

API Surface

Action

GraphQL introspection enabled at /api/graphql

REVIEW

GraphQL introspection enabled at /api/graphql

Introspection lets clients query the GraphQL server for its complete schema -- every type, field, argument, and resolver name. Convenient during development; on production, an attacker uses it as a free recon tool to map the entire data graph. Disable in production unless your API is intentionally public-spec.

B

CORS Configuration

No CORS headers

REVIEW

No CORS headers

No CORS headers present — secure default

CORS Configuration ✓ Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control

A

Security Headers

8 of 10 headers properly configured

PASS

8 of 10 headers properly configured

HSTS is missing includeSubDomains

Without includeSubDomains, subdomains can still be accessed over HTTP.

Got: max-age=31536000 Expected: max-age=31536000; includeSubDomains

X-Content-Type-Options is properly configured

Got: nosniff

X-Frame-Options is properly configured

Got: SAMEORIGIN

Referrer-Policy is properly configured

Got: same-origin

Permissions-Policy is set

Got: accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=(),xr-spatial-tracking=(self)

Content-Security-Policy is present

Got: default-src 'none'; script-src 'nonce-gPv4RNQAs12aQ26thmDkcZ' 'unsafe-eval' http…

Cross-Origin-Opener-Policy header is missing

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Cross-Origin-Embedder-Policy is set

Got: require-corp

X-Powered-By header is not present

Server header is present without version info

Got: cloudflare

Domain is not in the Chrome HSTS preload list (status: unknown)

Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).

Got: unknown

Without includeSubDomains, subdomains can still be accessed over HTTP.

Expected: max-age=31536000; includeSubDomains

Why this matters

Without includeSubDomains, a forgotten dev subdomain over HTTP can set malicious cookies that ride to the apex.

Learn more ▾

HSTS without includeSubDomains protects only the exact domain. Cookies set on a non-HSTS subdomain can ride to the apex via cookie-scope attacks. The fix is one directive append. Verify all subdomains support HTTPS first — adding includeSubDomains to a domain with HTTP-only subdomains breaks them.

Source: RFC 6797

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more ▾

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).

Why this matters

Not in the Chrome preload list — first-time visitors over plain HTTP can be downgraded by a network attacker before HSTS kicks in.

Learn more ▾

The HSTS header only protects users who have already visited the site (TOFU window). Adding your domain to the Chrome preload list closes that gap so HSTS is enforced from the very first connection. Requires a preload-ready header (max-age=31536000+, includeSubDomains, preload) then submission at hstspreload.org. Inclusion ships in the next Chrome release after acceptance.

Source: hstspreload.org

A+

TLS & Certificates

TLS 1.3, 8 checks passed

PASS

TLS 1.3, 8 checks passed

TLS 1.3 is used

Got: TLS 1.3

Strong cipher suite is used

Got: TLS_CHACHA20_POLY1305_SHA256

HTTP/2 is not negotiated

HTTP/2 provides multiplexing and header compression for better performance.

Got: http/1.1

OCSP stapling enabled

Certificate is valid (expires in 185 days)

Got: 2026-11-10T23:59:59Z

Certificate chain has 4 certificates

Certificate uses modern signature algorithm

Got: SHA256-RSA

Certificate covers 6 domain(s)

Got: gitlab.com, auth.gitlab.com, customers.gitlab.com, email.customers.gitlab.com, gprd.gitlab.com, www.gitlab.com

Certificate is issued by a trusted CA

Got: CN=Sectigo Public Server Authentication CA DV R36,O=Sectigo Limited,C=GB

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more ▾

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection

Protocol

TLS 1.3

Cipher Suite

TLS_CHACHA20_POLY1305_SHA256

HTTP Version

HTTP/1.1

Certificate Chain

Leaf Certificate

Subject CN=gitlab.comIssuer CN=Sectigo Public Server Authentication CA DV R36,O=Sectigo Limited,C=GBValid 2026-04-26T00:00:00Z → 2026-11-10T23:59:59ZExpires in 185 days SANs gitlab.com, auth.gitlab.com, customers.gitlab.com, email.customers.gitlab.com, gprd.gitlab.com, www.gitlab.comSignature SHA256-RSASerial 13416ee0a6d91ca0611ba3a4ddb76f6

Intermediate (CA Certificate)

Subject CN=Sectigo Public Server Authentication CA DV R36,O=Sectigo Limited,C=GBIssuer CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GBValid 2021-03-22T00:00:00Z → 2036-03-21T23:59:59ZExpires in 3604 days Signature SHA384-RSASerial 397a66cc2756362e0daa87ca6eabe3b1

Intermediate (CA Certificate)

Subject CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GBIssuer CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid 2021-03-22T00:00:00Z → 2038-01-18T23:59:59ZExpires in 4272 days Signature SHA384-RSASerial d27fbbc1de359e5216ad6149586099c4

Intermediate (CA Certificate)

Subject CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USIssuer CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GBValid 2019-03-12T00:00:00Z → 2028-12-31T23:59:59ZExpires in 967 days Signature SHA384-RSASerial 3972443af922b751d7d36c10dd313595

A+

Cookie Security

No cookies set — no cookie security risks

PASS

No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+

Cookie Hygiene

No cookies set -- cookie-hygiene check is N/A

PASS

No cookies set -- cookie-hygiene check is N/A

No cookies set

A

WAF / Bot Protection

Cloudflare WAF (active mitigation)

PASS

Cloudflare WAF (active mitigation)

Cloudflare WAF (active mitigation) detected

Detected via: cf-ray: 9f8fb71daaddaded-EWR; cf-mitigated: challenge

Got: Cloudflare WAF (active mitigation)

A+

security.txt

Vulnerability disclosure policy

PASS

Vulnerability disclosure policy

security.txt found

Got: https://gitlab.com/.well-known/security.txt

security.txt is PGP signed

security.txt

Contact: https://hackerone.com/gitlab/, https://about.gitlab.com/security/disclosure/

Expires: 2027-01-31T05:00:00.000Z

Policy: https://gitlab.com/.well-known/security.txt

A+

Cross-Origin Tab Safety

All 2 new-tab link(s) carry rel=noopener

PASS

All 2 new-tab link(s) carry rel=noopener

A+

Source Map Exposure

Source-map probe didn't run on this scan

PASS

Source-map probe didn't run on this scan

A+

HTML Version Disclosure

No software-version disclosures in HTML

PASS

No software-version disclosures in HTML

A+

Open Redirect Surface

No redirect-shaped query parameters in DOM links

PASS

No redirect-shaped query parameters in DOM links

A+

Subdomain Inventory Exposure

No risky subdomain names in certificate SANs

PASS

No risky subdomain names in certificate SANs

A+

JS Library Vulnerabilities

No known vulnerabilities

PASS

No known vulnerabilities

No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+

Information Leakage

No exposures

PASS

No exposures

security.txt is present — good practice

No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path	Status	Category	Risk
/.git/HEAD	✓ Not found	Version Control	—
/.git/config	✓ Not found	Version Control	—
/.svn/entries	✓ Not found	Version Control	—
/.env	✓ Not found	Configuration	—
/.env.local	✓ Not found	Configuration	—
/.env.production	✓ Not found	Configuration	—
/wp-config.php	✓ Not found	Configuration	—
/.htaccess	✓ Not found	Configuration	—
/phpinfo.php	✓ Not found	Debug	—
/server-status	✓ Not found	Debug	—
/server-info	✓ Not found	Debug	—
/.well-known/security.txt	✗ Exposed	Security Policy	Info
/package.json	✓ Not found	dependency-manifest	—
/composer.json	✓ Not found	dependency-manifest	—
/Gemfile	✓ Not found	dependency-manifest	—
/Gemfile.lock	✓ Not found	dependency-manifest	—
/requirements.txt	✓ Not found	dependency-manifest	—
/pom.xml	✓ Not found	dependency-manifest	—
/.gitlab-ci.yml	✓ Not found	ci-config	—
/.travis.yml	✓ Not found	ci-config	—

A

Email Security

DMARC: reject, SPF: -all, DKIM

PASS

DMARC: reject, SPF: -all, DKIM

DMARC policy is reject — strongest protection

SPF evaluation problem: exceeded RFC 7208 10-lookup limit (counted 13 lookup(s))

Receivers PERMERROR-fail SPF evaluation when the include/redirect tree exceeds the RFC 7208 10-lookup cap or contains a pathological structure. This is one of the most common silent SPF failures. Flatten the tree by inlining ip4: / ip6: addresses for senders you control, or use a macro-based ESP solution.

SPF ends in -all (hard fail) — strongest setting

DKIM configured (selectors: google, k1, mail)

MTA-STS not configured

MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.

TLS-RPT not configured

TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.

BIMI not configured

BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.

DMARC

Policy reject — strongest protection Record v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_agg@vali.email;

Receivers PERMERROR-fail SPF evaluation when the include/redirect tree exceeds the RFC 7208 10-lookup cap or contains a pathological structure. This is one of the most common silent SPF failures. Flatten the tree by inlining ip4: / ip6: addresses for senders you control, or use a macro-based ESP solution.

Why this matters

Informational: a labeled value pair from the audit.

MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.

Why this matters

Without MTA-STS, inbound mail can be silently downgraded to plain SMTP by a network attacker.

Learn more ▾

MTA-STS (RFC 8461) tells sending mail servers to use TLS and to refuse delivery if TLS fails. Requires both a TXT record at _mta-sts.<domain> AND a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Without it, an active attacker on the network path can strip STARTTLS and read the email in plaintext.

Source: RFC 8461

TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.

Why this matters

Without TLS-RPT, you have no visibility into inbound TLS failures — MTA-STS misconfigurations stay hidden until users complain.

Learn more ▾

TLS-RPT (RFC 8460) is the feedback channel for MTA-STS: senders post aggregate reports of TLS-handshake failures to the URI in your _smtp._tls TXT record. Without it, an MTA-STS misconfiguration silently rejects mail and you find out only when someone notices missing email.

Source: RFC 8460

BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

A+

Permissions-Policy

18 directives, 0 missing

PASS

18 directives, 0 missing

accelerometer=() — blocked for all origins

browsing-topics=() — blocked for all origins

camera=() — blocked for all origins

clipboard-read=() — blocked for all origins

clipboard-write=() — blocked for all origins

geolocation=() — blocked for all origins

gyroscope=() — blocked for all origins

hid=() — blocked for all origins

interest-cohort=() — blocked for all origins

magnetometer=() — blocked for all origins

microphone=() — blocked for all origins

payment=() — blocked for all origins

publickey-credentials-get=() — blocked for all origins

screen-wake-lock=() — blocked for all origins

serial=() — blocked for all origins

sync-xhr=() — blocked for all origins

usb=() — blocked for all origins

xr-spatial-tracking=(self)

Raw Header

accelerometer=() browsing-topics=() camera=() clipboard-read=() clipboard-write=() geolocation=() gyroscope=() hid=() interest-cohort=() magnetometer=() microphone=() payment=() publickey-credentials-get=() screen-wake-lock=() serial=() sync-xhr=() usb=() xr-spatial-tracking=(self)

Feature Permissions

Blocked Self Only Unrestricted Not Set

accelerometer Blocked

browsing-topics Blocked

camera Blocked

clipboard-read Blocked

clipboard-write Blocked

geolocation Blocked

gyroscope Blocked

hid Blocked

interest-cohort Blocked

magnetometer Blocked

microphone Blocked

payment Blocked

publickey-credentials-get Blocked

screen-wake-lock Blocked

serial Blocked

sync-xhr Blocked

usb Blocked

xr-spatial-tracking Self Only

A

Transport Security

HTTP/3, HSTS, and TLS version analysis

PASS

HTTP/3, HSTS, and TLS version analysis

HTTP/3 (QUIC) not advertised

HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.

HSTS enabled (base policy)

HSTS missing includeSubDomains

Without includeSubDomains, HSTS only protects the exact domain.

TLS 1.3 in use (fastest handshake, 1-RTT)