Security - https://chat.whatsapp.com BeaverCheck Audit

F

Subresource Integrity

Action

0 of 12 external resources have SRI

FIX

0 of 12 external resources have SRI

External link from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v5/yf/l/0,cross/kVqnnGSuZMa.css

External link from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v5/yV/l/0,cross/ozTyqDnGSwg.css

External link from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v5/yT/l/0,cross/2C6Y15M3ulD.css

External link from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v5/yC/l/0,cross/Jld_ox0qHt4.css

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4/y6/r/n80KC3B7ON5.js

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4i7M54/ya/l/en_US-j/m8jtobM0BaT.js

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4/yQ/r/bag6ibmFYGc.js

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4/yl/r/5TReKLCGPcC.js

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4/yR/r/MzhkMBApLms.js

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4/yz/r/6_kfQYonLR-.js

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4/yQ/r/6G9Xg5DVlKP.js

External script from static.whatsapp.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.whatsapp.net/rsrc.php/v4ibQ14/yT/l/en_US-j/WsphHKb4vs6.js

SRI Coverage 0 / 12 of external resources have integrity hashes

Tag	Domain	Integrity
<link>	static.whatsapp.net	✗ Missing
<link>	static.whatsapp.net	✗ Missing
<link>	static.whatsapp.net	✗ Missing
<link>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing
<script>	static.whatsapp.net	✗ Missing

F

Email Security

Action

No DMARC

FIX

No DMARC

No DMARC record found

Without DMARC, email receivers have no policy for handling authentication failures.

DMARC

No DMARC record found

Without DMARC, email receivers have no policy for handling authentication failures from your domain.

Without DMARC, email receivers have no policy for handling authentication failures.

Why this matters

Without DMARC, anyone can send phishing emails using your domain name.

Learn more ▾

DMARC tells receiving mail servers what to do with email that fails SPF/DKIM checks for your domain. With a strict 'p=reject' policy, spoofed emails get bounced; without it they reach the inbox. Domains used in phishing campaigns lose deliverability and brand trust fast.

Source: DMARC.org / NIST

B

Content Security Policy

5 of 10 CSP checks passed

REVIEW

5 of 10 CSP checks passed

Raw CSP policy

Got: default-src 'self' blob:;script-src 'nonce-gc6Tal9w' *.facebook.com *.fbcdn.net *.whatsapp.com *.whatsapp.net https://*.facebook.net 'self' blob:;style-src 'self' 'unsafe-inline' https://static.whatsapp.net data: blob:;connect-src 'self' https://*.whatsapp.com data: blob:;font-src https://*.fbcdn.net https://static.whatsapp.net data:;img-src https://*.whatsapp.net 'self' data: blob:;media-src 'self' data: blob:;child-src 'self' data: blob:;frame-src whatsapp: 'self' data: blob:;manifest-src 'self' data: blob:;object-src 'self' data: blob:;worker-src 'nonce-gc6Tal9w' *.facebook.com *.fbcdn.net *.whatsapp.com *.whatsapp.net https://*.facebook.net 'self' data: blob:;block-all-mixed-content;upgrade-insecure-requests;

default-src directive is set

Got: default-src 'self' blob:

No 'unsafe-inline' in script source

No 'unsafe-eval' in script source

No wildcard in script source

object-src allows plugin content

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Got: object-src 'self' data: blob: Expected: object-src 'none'

base-uri directive is missing

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'

frame-ancestors directive is missing

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

form-action directive is missing

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

upgrade-insecure-requests is enabled

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Expected: object-src 'none'

Why this matters

object-src open in CSP allows Flash/PDF/plugin embedding — a now-deprecated attack vector that should be explicitly blocked.

Learn more ▾

object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.

Source: MDN CSP

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'

Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more ▾

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

Parsed Policy

default-src 'self'blob:

script-src 'nonce-gc6Tal9w'*.facebook.com*.fbcdn.net*.whatsapp.com*.whatsapp.nethttps://*.facebook.net'self'blob:

style-src 'self''unsafe-inline'https://static.whatsapp.netdata:blob:

connect-src 'self'https://*.whatsapp.comdata:blob:

font-src https://*.fbcdn.nethttps://static.whatsapp.netdata:

img-src https://*.whatsapp.net'self'data:blob:

media-src 'self'data:blob:

child-src 'self'data:blob:

frame-src whatsapp:'self'data:blob:

manifest-src 'self'data:blob:

object-src 'self'data:blob:

worker-src 'nonce-gc6Tal9w'*.facebook.com*.fbcdn.net*.whatsapp.com*.whatsapp.nethttps://*.facebook.net'self'data:blob:

block-all-mixed-content

upgrade-insecure-requests

B

CORS Configuration

No CORS headers

REVIEW

No CORS headers

No CORS headers present — secure default

CORS Configuration ✓ Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control

B

security.txt

Published with 0 contact(s)

REVIEW

security.txt

A

Security Headers

8 of 10 headers properly configured

PASS

8 of 10 headers properly configured

Strict-Transport-Security is properly configured

Got: max-age=31536000; preload; includeSubDomains

X-Content-Type-Options is properly configured

Got: nosniff

X-Frame-Options is properly configured

Got: DENY

Referrer-Policy header is missing

Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.

Expected: strict-origin-when-cross-origin

Permissions-Policy is set

Got: accelerometer=(), attribution-reporting=(), autoplay=(), bluetooth=(), camera=(), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(), clipboard-write=(), compute-pressure=(), display-capture=(), encrypted-media=(), fullscreen=(self), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=();report-to="permissions_policy"

Content-Security-Policy is present

Got: default-src 'self' blob:;script-src 'nonce-gc6Tal9w' *.facebook.com *.fbcdn.net …

Cross-Origin-Opener-Policy is properly configured

Got: same-origin

Cross-Origin-Embedder-Policy header is missing

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

X-Powered-By header is not present

Server header is not present

Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.

Expected: strict-origin-when-cross-origin

Why this matters

Default browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.

Learn more ▾

Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.

Source: MDN / W3C

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more ▾

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

A

TLS & Certificates

TLS 1.3, 7 checks passed

PASS

TLS 1.3, 7 checks passed

TLS 1.3 is used

Got: TLS 1.3

Strong cipher suite is used

Got: TLS_CHACHA20_POLY1305_SHA256

HTTP/2 is not negotiated

HTTP/2 provides multiplexing and header compression for better performance.

Got: http/1.1

Certificate is valid (expires in 8 days)

Got: 2026-04-29T23:59:59Z

Certificate expires soon (8 days remaining)

Renew the certificate before it expires to avoid browser warnings.

Got: 2026-04-29T23:59:59Z

Certificate chain has 2 certificates

Certificate uses modern signature algorithm

Got: SHA256-RSA

Certificate covers 7 domain(s)

Got: *.whatsapp.net, *.cdn.whatsapp.net, *.snr.whatsapp.net, *.whatsapp.com, wa.me, whatsapp.com, whatsapp.net

Certificate is issued by a trusted CA

Got: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US

Renew the certificate before it expires to avoid browser warnings.

Why this matters

Cert expiry within the renewal window — fix now while there's no user impact, instead of after expiry when there's a full outage.

Learn more ▾

Most CAs recommend renewal at 30 days remaining. Inside that window, schedule the renewal immediately and verify auto-renewal is configured if applicable. Don't wait until 7 days; weekend / holiday timing can leave you exposed.

Source: Let's Encrypt / CA renewal best practice

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more ▾

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection

Protocol

TLS 1.3

Cipher Suite

TLS_CHACHA20_POLY1305_SHA256

HTTP Version

HTTP/1.1

Certificate Chain

Leaf Certificate

Subject CN=*.whatsapp.net,O=Meta Platforms\, Inc.,L=Menlo Park,ST=California,C=USIssuer CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=USValid 2026-01-29T00:00:00Z → 2026-04-29T23:59:59ZExpires in 8 days — expiring soon! SANs *.whatsapp.net, *.cdn.whatsapp.net, *.snr.whatsapp.net, *.whatsapp.com, wa.me, whatsapp.com, whatsapp.netSignature SHA256-RSASerial 6dfd2053d6548cbba0a480d1e907c52

Intermediate (CA Certificate)

Subject CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=USIssuer CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=USValid 2021-03-30T00:00:00Z → 2031-03-29T23:59:59ZExpires in 1803 days Signature SHA256-RSASerial cf5bd062b5602f47ab8502c23ccf066

A+

Cookie Security

2 cookies analyzed, 5 checks passed

PASS

2 cookies analyzed, 5 checks passed

Cookie 'wa_lang_pref' has the Secure flag

Cookie 'wa_lang_pref' is missing the HttpOnly flag

Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.

Cookie 'wa_lang_pref' has SameSite=Lax

Cookie 'wa_ul' has the Secure flag

Cookie 'wa_ul' has the HttpOnly flag

Cookie 'wa_ul' has SameSite=Lax

2 cookies analyzed 1 warnings

Name	Secure	HttpOnly	SameSite	Size	Issues
wa_lang_pref	✓	✗	Lax	17 B	1
wa_ul	✓	✓	Lax	41 B	—

A+

JS Library Vulnerabilities

No known vulnerabilities

PASS

No known vulnerabilities

No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+

Information Leakage

No exposures

PASS

No exposures

No security.txt found

Consider adding a security.txt at /.well-known/security.txt.

No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path	Status	Category	Risk
/.git/HEAD	✓ Not found	Version Control	—
/.git/config	✓ Not found	Version Control	—
/.svn/entries	✓ Not found	Version Control	—
/.env	✓ Not found	Configuration	—
/.env.local	✓ Not found	Configuration	—
/.env.production	✓ Not found	Configuration	—
/wp-config.php	✓ Not found	Configuration	—
/.htaccess	✓ Not found	Configuration	—
/phpinfo.php	✓ Not found	Debug	—
/server-status	✓ Not found	Debug	—
/server-info	✓ Not found	Debug	—
/.well-known/security.txt	✓ Not found	Security Policy	—

A+

Permissions-Policy

47 directives, 0 missing

PASS

47 directives, 0 missing

accelerometer=() — blocked for all origins

attribution-reporting=() — blocked for all origins

autoplay=() — blocked for all origins

bluetooth=() — blocked for all origins

camera=() — blocked for all origins

ch-device-memory=() — blocked for all origins

ch-downlink=() — blocked for all origins

ch-dpr=() — blocked for all origins

ch-ect=() — blocked for all origins

ch-rtt=() — blocked for all origins

ch-save-data=() — blocked for all origins

ch-ua-arch=() — blocked for all origins

ch-ua-bitness=() — blocked for all origins

ch-viewport-height=() — blocked for all origins

ch-viewport-width=() — blocked for all origins

ch-width=() — blocked for all origins

clipboard-read=() — blocked for all origins

clipboard-write=() — blocked for all origins

compute-pressure=() — blocked for all origins

display-capture=() — blocked for all origins

encrypted-media=() — blocked for all origins

fullscreen=(self)

gamepad=() — blocked for all origins

geolocation=() — blocked for all origins

gyroscope=() — blocked for all origins

hid=() — blocked for all origins

idle-detection=() — blocked for all origins

interest-cohort=() — blocked for all origins

keyboard-map=() — blocked for all origins

local-fonts=() — blocked for all origins

magnetometer=() — blocked for all origins

microphone=() — blocked for all origins

midi=() — blocked for all origins

otp-credentials=() — blocked for all origins

payment=() — blocked for all origins

picture-in-picture=() — blocked for all origins

private-state-token-issuance=() — blocked for all origins

publickey-credentials-get=() — blocked for all origins

screen-wake-lock=() — blocked for all origins

serial=() — blocked for all origins

shared-storage=() — blocked for all origins

shared-storage-select-url=() — blocked for all origins

private-state-token-redemption=() — blocked for all origins

usb=() — blocked for all origins

unload=(self)

window-management=() — blocked for all origins

xr-spatial-tracking=();report-to="permissions_policy"

Raw Header

accelerometer=() attribution-reporting=() autoplay=() bluetooth=() camera=() ch-device-memory=() ch-downlink=() ch-dpr=() ch-ect=() ch-rtt=() ch-save-data=() ch-ua-arch=() ch-ua-bitness=() ch-viewport-height=() ch-viewport-width=() ch-width=() clipboard-read=() clipboard-write=() compute-pressure=() display-capture=() encrypted-media=() fullscreen=(self) gamepad=() geolocation=() gyroscope=() hid=() idle-detection=() interest-cohort=() keyboard-map=() local-fonts=() magnetometer=() microphone=() midi=() otp-credentials=() payment=() picture-in-picture=() private-state-token-issuance=() publickey-credentials-get=() screen-wake-lock=() serial=() shared-storage=() shared-storage-select-url=() private-state-token-redemption=() usb=() unload=(self) window-management=() xr-spatial-tracking=();report-to="permissions_policy"

Feature Permissions

Blocked Self Only Unrestricted Not Set

accelerometer Blocked

attribution-reporting Blocked

autoplay Blocked

bluetooth Blocked

camera Blocked

ch-device-memory Blocked

ch-downlink Blocked

ch-dpr Blocked

ch-ect Blocked

ch-rtt Blocked

ch-save-data Blocked

ch-ua-arch Blocked

ch-ua-bitness Blocked

ch-viewport-height Blocked

ch-viewport-width Blocked

ch-width Blocked

clipboard-read Blocked

clipboard-write Blocked

compute-pressure Blocked

display-capture Blocked

encrypted-media Blocked

fullscreen Self Only

gamepad Blocked

geolocation Blocked

gyroscope Blocked

hid Blocked

idle-detection Blocked

interest-cohort Blocked

keyboard-map Blocked

local-fonts Blocked

magnetometer Blocked

microphone Blocked

midi Blocked

otp-credentials Blocked

payment Blocked

picture-in-picture Blocked

private-state-token-issuance Blocked

publickey-credentials-get Blocked

screen-wake-lock Blocked

serial Blocked

shared-storage Blocked

shared-storage-select-url Blocked

private-state-token-redemption Blocked

usb Blocked

unload Self Only

window-management Blocked

xr-spatial-tracking ();report-to="permissions_policy" (1 origins)

A+

Transport Security

HTTP/3, HSTS, and TLS version analysis

PASS

HTTP/3, HSTS, and TLS version analysis

HTTP/3 (QUIC) supported

The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.

HSTS enabled (includeSubDomains, preload)

HSTS preload enabled

TLS 1.3 in use (fastest handshake, 1-RTT)