# BeaverCheck Audit Report — https://www.producthunt.com

**Date:** April 6, 2026  
**URL:** https://www.producthunt.com  
**Overall Grade:** D (65/100)  
**Report:** https://beavercheck.com/results/bbd52b9c-496f-493c-b1f1-c62377e42468

## Top Findings

1. **[CRITICAL]** Content-Security-Policy header is missing — Security > Security Headers
2. **[CRITICAL]** No Content-Security-Policy header found — Security > Content Security Policy
3. **[WARNING]** Cookie '__cf_bm' has no SameSite attribute — Security > Cookie Security
4. **[WARNING]** HSTS max-age is too short (2592000s, should be ≥ 31536000s) — Security > Security Headers
5. **[WARNING]** No DMARC record found — Security > Email Security

---

## Security

### Security Headers (B — 75/100)

*8 of 10 headers properly configured*

- **[WARNING]** HSTS max-age is too short (2592000s, should be ≥ 31536000s) — A short max-age leaves a window for downgrade attacks. Set max-age to at least 31536000 (1 year).
- **[PASS]** X-Content-Type-Options is properly configured
- **[PASS]** X-Frame-Options is properly configured
- **[PASS]** Referrer-Policy is properly configured
- **[PASS]** Permissions-Policy is set
- **[CRITICAL]** Content-Security-Policy header is missing — CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.
- **[PASS]** Cross-Origin-Opener-Policy is properly configured
- **[PASS]** Cross-Origin-Embedder-Policy is set
- **[PASS]** X-Powered-By header is not present
- **[PASS]** Server header is present without version info

### Content Security Policy (F — 0/100)

*No enforcing CSP policy found*

- **[CRITICAL]** No Content-Security-Policy header found — CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.

### TLS & Certificates (A+ — 100/100)

*TLS 1.3, 7 checks passed*

- **[PASS]** TLS 1.3 is used
- **[PASS]** Strong cipher suite is used
- **[INFO]** HTTP/2 is not negotiated — HTTP/2 provides multiplexing and header compression for better performance.
- **[PASS]** Certificate is valid (expires in 64 days)
- **[PASS]** Certificate chain has 3 certificates
- **[PASS]** Certificate uses modern signature algorithm
- **[PASS]** Certificate covers 2 domain(s)
- **[PASS]** Certificate is issued by a trusted CA

### Cookie Security (A+ — 95/100)

*1 cookies analyzed, 2 checks passed*

- **[PASS]** Cookie '__cf_bm' has the Secure flag
- **[PASS]** Cookie '__cf_bm' has the HttpOnly flag
- **[WARNING]** Cookie '__cf_bm' has no SameSite attribute — Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict.

---

## Advanced Security

### Subresource Integrity (A+ — 100/100)

*No external resources*

- **[PASS]** No external resources to protect

### JS Library Vulnerabilities (A+ — 100/100)

*No known vulnerabilities*

- **[PASS]** No known JavaScript library vulnerabilities detected

### Information Leakage (A+ — 100/100)

*No exposures*

- **[INFO]** No security.txt found — Consider adding a security.txt at /.well-known/security.txt.
- **[PASS]** No sensitive files exposed

### Email Security (F — 30/100)

*No DMARC*

- **[WARNING]** No DMARC record found — Without DMARC, email receivers have no policy for handling authentication failures.

### Permissions-Policy (A+ — 100/100)

*17 directives, 0 missing*

- **[PASS]** accelerometer=() — blocked for all origins
- **[PASS]** browsing-topics=() — blocked for all origins
- **[PASS]** camera=() — blocked for all origins
- **[PASS]** clipboard-read=() — blocked for all origins
- **[PASS]** clipboard-write=() — blocked for all origins
- **[PASS]** geolocation=() — blocked for all origins
- **[PASS]** gyroscope=() — blocked for all origins
- **[PASS]** hid=() — blocked for all origins
- **[PASS]** interest-cohort=() — blocked for all origins
- **[PASS]** magnetometer=() — blocked for all origins
- **[PASS]** microphone=() — blocked for all origins
- **[PASS]** payment=() — blocked for all origins
- **[PASS]** publickey-credentials-get=() — blocked for all origins
- **[PASS]** screen-wake-lock=() — blocked for all origins
- **[PASS]** serial=() — blocked for all origins
- **[PASS]** sync-xhr=() — blocked for all origins
- **[PASS]** usb=() — blocked for all origins

### CORS Configuration (B — 80/100)

*No CORS headers*

- **[PASS]** No CORS headers present — secure default

---

## Infrastructure

### DNS Records (A — 90/100)

*2 A records, 135 ms lookup*

- **[PASS]** Resolves to 2 IPv4 address(es)
- **[PASS]** Has 2 IPv6 (AAAA) record(s)
- **[INFO]** No NS records found
- **[INFO]** No MX records — email not configured via DNS
- **[INFO]** CAA records not checked — CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
- **[INFO]** No SPF record found in TXT records — SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
- **[PASS]** DNS resolution time: 135 ms

### Redirect Chain (A+ — 100/100)

*0 redirect(s), 137 ms total*


### IPv6 Readiness (A+ — 100/100)

*IPv6 reachable (1 ms)*

- **[PASS]** IPv6 is configured and reachable at 2606:4700::6812:7e76, 2606:4700::6812:7f76

### Crawlability (B — 75/100)

*no robots.txt, no sitemap*

- **[INFO]** No robots.txt found — robots.txt is optional but recommended. It tells search engine crawlers which pages to index.
- **[INFO]** No sitemap.xml found — A sitemap helps search engines discover and index your pages more efficiently.

### URL Variants (A+ — 100/100)

*www/non-www, trailing slash, HTTP→HTTPS*

- **[PASS]** HTTP correctly 301-redirects to HTTPS

### Domain Intelligence (A+ — 100/100)

*producthunt.com — via GoDaddy.com, LLC, 23 years, 5 months old*

- **[PASS]** Domain registered until Mar 4, 2031 (4 years, 11 months remaining)
- **[PASS]** DNSSEC is enabled
- **[PASS]** Registrar: GoDaddy.com, LLC

---

## Compliance

### WCAG Compliance (A+ — 100/100)

*No testable criteria*


### Cookie Consent & Privacy (B — 80/100)

*No consent signals detected*

- **[WARNING]** No privacy policy link detected — A privacy policy page is recommended for transparency and may be legally required.
- **[INFO]** No terms of service link detected
- **[INFO]** No cookie consent banner detected
- **[PASS]** 1 cookie(s) set on initial load (functional)
- **[INFO]** This is an automated check, not legal advice — BeaverCheck detects technical indicators of consent management. This does not constitute a legal compliance assessment. Consult a privacy professional for GDPR/CCPA compliance.

### Language & i18n (F — 5/100)

*Missing <html lang>*

- **[WARNING]** <html lang> attribute is missing — The lang attribute on <html> is required for screen readers and WCAG 3.1.1 compliance.
- **[INFO]** No Content-Language HTTP header
- **[PASS]** Language signals are consistent

### Readability & Typography (A+ — 100/100)

*Font sizes and tap targets checked*


### Viewport Configuration (F — 30/100)

*No viewport meta tag*

- **[CRITICAL]** No viewport meta tag found — Without a viewport meta tag, the page will not render correctly on mobile devices.

---

## Availability

### CDN & Delivery (D — 50/100)

*No CDN detected*

- **[WARNING]** No CDN detected — A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.

### HTTP Caching (F — 30/100)

*No cache headers*

- **[WARNING]** No Cache-Control header found — Browsers will use heuristic caching, which can be unpredictable. Set explicit cache headers.

---

## UX

### 404 Error Page (F — 25/100)

*HTTP 403, custom page*

- **[WARNING]** Unexpected status code: HTTP 403 — Expected HTTP 404 but received 403. This may confuse search engine crawlers.
- **[PASS]** Custom styled 404 page

### Favicon & Branding (F — 15/100)

*1 icon(s) detected*

- **[PASS]** favicon.ico present at site root
- **[INFO]** No apple-touch-icon detected — iOS devices use this when users add your site to their home screen. Add <link rel='apple-touch-icon' sizes='180x180' href='/apple-touch-icon.png'>.

### Web Manifest (D — 40/100)

*Not found*

- **[INFO]** No web manifest found — No manifest at standard paths (/manifest.json, /site.webmanifest). A manifest is optional but enables PWA features like home screen installation and standalone display.

### Dark Mode Support (D — 40/100)

*No dark mode signals*

- **[INFO]** No dark mode signals detected — Consider adding CSS with @media (prefers-color-scheme: dark) and <meta name='color-scheme' content='light dark'>.
- **[INFO]** Detection limited to meta tags and inline styles — External CSS files may contain prefers-color-scheme rules not visible to this scan.

### Print Stylesheet (D — 40/100)

*No print styles*

- **[INFO]** No print-specific styles detected — When users print this page, they get the screen layout including navigation and non-essential elements. Add @media print rules to hide navigation and optimize layout for paper.

### Navigation UX (F — 0/100)

*No navigation patterns*

- **[INFO]** No breadcrumbs, search, or skip link detected — These navigation aids help users orient themselves and find content efficiently, especially on large sites.

---

---

*Generated by [BeaverCheck](https://beavercheck.com) — https://beavercheck.com/results/bbd52b9c-496f-493c-b1f1-c62377e42468*