Browse & Analyze

Browse recent website audits and performance trends

Explore technology stacks detected across the web

Side-by-side technology comparisons and market share

Curated technology stacks and the sites that use them

Editorial deep-dives on the state of web performance

Browse and download favicons from analyzed websites

Learn

Common questions about BeaverCheck scores and checks

How we calculate scores across 100+ checks

The story behind BeaverCheck and the team

Practical guides to fix common web performance issues

Migration Guides

Step-by-step guides for moving between web technologies

Definitions for performance, SEO, and web platform terms

Contrast Checker

Check WCAG color contrast ratios between any two colors

Inspect HTTP response headers for any URL

Analyze SSL/TLS certificate details and chain

Look up DNS records for any domain

Redirect Checker

Trace the full redirect chain for any URL

Real-user INP and Core Web Vitals from Google's Chrome UX Report.

RESTful API for programmatic website audits

Embed an auto-updating health score badge on your site

https://umkc.edu

Security

· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.

SCORE

74

GRADE

C

FIX

3

REVIEW

2

PASS

7

INFO

0

Checks

12

7 PASS 2 REVIEW 3 FIX

F

Content Security Policy

Action

No enforcing CSP policy found

FIX

No enforcing CSP policy found

No Content-Security-Policy header found

CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.

Expected: default-src 'self'

CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.

Expected: default-src 'self'

Why this matters

Without a CSP, a single XSS bug can exfiltrate everything users type — credentials, payment data, session tokens.

Learn more ▾

Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever. Start in Report-Only mode, fix violations, then graduate to enforcing.

Source: OWASP / MDN

F

Subresource Integrity

Action

0 of 52 external resources have SRI

FIX

0 of 52 external resources have SRI

External script from cbe.capturehighered.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://cbe.capturehighered.net/cbe/footprint?v=1.3&n=_cbe&id=2ac22178&new=1&vid=2687946141776901890&sessid=313261776901890&ppr=https&po=www.umkc.edu&pp=%2F&pt=University%20of%20Missouri-Kansas%20City&cbe=pageview&pl=en-us&ps=800x600&pc=24-bit&pv=780x441&tz=UTC&t=js

External link from www.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.umkc.edu/v2/css/styles.css

External link from www.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.umkc.edu/v2/css/aos.css

External script from go.graduate.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://go.graduate.umkc.edu/mtc.js

External script from analytics.tiktok.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.tiktok.com/i18n/pixel/static/identify_5cff1caf.js

External script from analytics.tiktok.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.tiktok.com/i18n/pixel/static/main.MWE0ZWQ3ZWQwOQ.js

External script from analytics.tiktok.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.tiktok.com/i18n/pixel/static/main.MWE0ZWQ3ZWQwOA.js

External script from scripts.clarity.ms lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://scripts.clarity.ms/0.8.59/clarity.js

External script from analytics.tiktok.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.tiktok.com/i18n/pixel/static/main.MWE0ZWQ3ZWQwOQ.js

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/destination?id=AW-16935672048&cx=c&gtm=4e64k1

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/destination?id=DC-11020655&cx=c&gtm=4e64k1

External script from tr.snapchat.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://tr.snapchat.com/config/edu/94b31796-30f7-43f6-91c4-f12d62c50dc9.js?v=3.56.0-2604221701

External script from pixel.byspotify.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://pixel.byspotify.com/ping.min.js

External script from s.adroll.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://s.adroll.com/j/VP224FHVIJCNFLFMY3QFIR/roundtrip.js

External script from www.clarity.ms lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.clarity.ms/tag/i8l0o6o0wd?ref=gtm2

External script from tags.srv.stackadapt.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://tags.srv.stackadapt.com/events.js

External script from analytics.tiktok.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=CGE7FUBC77UCVI78TAO0&lib=ttq

External script from cbe.capturehighered.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://cbe.capturehighered.net/cbe/cbe.js

External script from analytics.tiktok.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.tiktok.com/i18n/pixel/sdk.js?sdkid=BUC2UV3S9K3PO73JE2K0

External script from analytics.tiktok.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://analytics.tiktok.com/i18n/pixel/sdk.js?sdkid=BTH20J318114D7H6V010

External script from sc-static.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://sc-static.net/scevent.min.js

External script from connect.facebook.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://connect.facebook.net/signals/config/564265888256129?v=2.9.303&r=stable&domain=www.umkc.edu&hme=97937018cefade17726f0472876fc101316b2ce9008a35a6a5a7977d7436151a&ex_m=104%2C205%2C154%2C22%2C72%2C73%2C145%2C68%2C67%2C11%2C162%2C90%2C16%2C138%2C127%2C39%2C75%2C78%2C134%2C159%2C164%2C8%2C4%2C5%2C7%2C6%2C3%2C91%2C101%2C165%2C170%2C219%2C62%2C186%2C187%2C55%2C276%2C30%2C74%2C231%2C230%2C229%2C23%2C33%2C103%2C61%2C10%2C63%2C97%2C98%2C99%2C105%2C130%2C31%2C29%2C132%2C133%2C129%2C128%2C155%2C76%2C158%2C156%2C157%2C50%2C60%2C123%2C15%2C161%2C45%2C263%2C264%2C262%2C26%2C27%2C28%2C48%2C146%2C77%2C112%2C18%2C20%2C44%2C40%2C42%2C41%2C83%2C92%2C96%2C110%2C144%2C147%2C46%2C111%2C24%2C21%2C119%2C69%2C36%2C149%2C148%2C150%2C141%2C139%2C25%2C35%2C59%2C109%2C160%2C70%2C17%2C152%2C114%2C81%2C66%2C19%2C85%2C86%2C116%2C84%2C136%2C135%2C34%2C278%2C293%2C212%2C201%2C202%2C200%2C296%2C288%2C52%2C213%2C107%2C131%2C80%2C121%2C54%2C47%2C49%2C113%2C120%2C126%2C58%2C64%2C151%2C115%2C37%2C32%2C53%2C56%2C100%2C163%2C1%2C124%2C14%2C122%2C12%2C2%2C57%2C93%2C65%2C118%2C89%2C88%2C166%2C167%2C94%2C95%2C9%2C125%2C102%2C51%2C142%2C87%2C79%2C71%2C117%2C106%2C43%2C143%2C0%2C82%2C137%2C140%2C153%2C38%2C108%2C13%2C168%2C228%2C227%2C222%2C224%2C225%2C226%2C223%2C211%2C221%2C233%2C193%2C190%2C191%2C185%2C189%2C192%2C188%2C183%2C316%2C196%2C215%2C184%2C182%2C210%2C235%2C206%2C176%2C177%2C172%2C178%2C175%2C173%2C174%2C171%2C169%2C180%2C181%2C179%2C265%2C315%2C194%2C238%2C239%2C244%2C241%2C243%2C242%2C240%2C237%2C252%2C248%2C249%2C247%2C253%2C250%2C246%2C251%2C245

External script from connect.facebook.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://connect.facebook.net/signals/config/307176664140440?v=2.9.303&r=stable&domain=www.umkc.edu&hme=97937018cefade17726f0472876fc101316b2ce9008a35a6a5a7977d7436151a&ex_m=104%2C205%2C154%2C22%2C72%2C73%2C145%2C68%2C67%2C11%2C162%2C90%2C16%2C138%2C127%2C39%2C75%2C78%2C134%2C159%2C164%2C8%2C4%2C5%2C7%2C6%2C3%2C91%2C101%2C165%2C170%2C219%2C62%2C186%2C187%2C55%2C276%2C30%2C74%2C231%2C230%2C229%2C23%2C33%2C103%2C61%2C10%2C63%2C97%2C98%2C99%2C105%2C130%2C31%2C29%2C132%2C133%2C129%2C128%2C155%2C76%2C158%2C156%2C157%2C50%2C60%2C123%2C15%2C161%2C45%2C263%2C264%2C262%2C26%2C27%2C28%2C48%2C146%2C77%2C112%2C18%2C20%2C44%2C40%2C42%2C41%2C83%2C92%2C96%2C110%2C144%2C147%2C46%2C111%2C24%2C21%2C119%2C69%2C36%2C149%2C148%2C150%2C141%2C139%2C25%2C35%2C59%2C109%2C160%2C70%2C17%2C152%2C114%2C81%2C66%2C19%2C85%2C86%2C116%2C84%2C136%2C135%2C34%2C278%2C293%2C212%2C201%2C202%2C200%2C296%2C288%2C52%2C213%2C107%2C131%2C80%2C121%2C54%2C47%2C49%2C113%2C120%2C126%2C58%2C64%2C151%2C115%2C37%2C32%2C53%2C56%2C100%2C163%2C1%2C124%2C14%2C122%2C12%2C2%2C57%2C93%2C65%2C118%2C89%2C88%2C166%2C167%2C94%2C95%2C9%2C125%2C102%2C51%2C142%2C87%2C79%2C71%2C117%2C106%2C43%2C143%2C0%2C82%2C137%2C140%2C153%2C38%2C108%2C13%2C168%2C228%2C227%2C222%2C224%2C225%2C226%2C223%2C211%2C221%2C233%2C193%2C190%2C191%2C185%2C189%2C192%2C188%2C183%2C316%2C196%2C215%2C184%2C182%2C210%2C235%2C206%2C176%2C177%2C172%2C178%2C175%2C173%2C174%2C171%2C169%2C180%2C181%2C179%2C265%2C315%2C194%2C238%2C239%2C244%2C241%2C243%2C242%2C240%2C237%2C252%2C248%2C249%2C247%2C253%2C250%2C246%2C251%2C245

External script from connect.facebook.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://connect.facebook.net/signals/config/717846512322913?v=2.9.303&r=stable&domain=www.umkc.edu&hme=97937018cefade17726f0472876fc101316b2ce9008a35a6a5a7977d7436151a&ex_m=104%2C205%2C154%2C22%2C72%2C73%2C145%2C68%2C67%2C11%2C162%2C90%2C16%2C138%2C127%2C39%2C75%2C78%2C134%2C159%2C164%2C8%2C4%2C5%2C7%2C6%2C3%2C91%2C101%2C165%2C170%2C219%2C62%2C186%2C187%2C55%2C276%2C30%2C74%2C231%2C230%2C229%2C23%2C33%2C103%2C61%2C10%2C63%2C97%2C98%2C99%2C105%2C130%2C31%2C29%2C132%2C133%2C129%2C128%2C155%2C76%2C158%2C156%2C157%2C50%2C60%2C123%2C15%2C161%2C45%2C263%2C264%2C262%2C26%2C27%2C28%2C48%2C146%2C77%2C112%2C18%2C20%2C44%2C40%2C42%2C41%2C83%2C92%2C96%2C110%2C144%2C147%2C46%2C111%2C24%2C21%2C119%2C69%2C36%2C149%2C148%2C150%2C141%2C139%2C25%2C35%2C59%2C109%2C160%2C70%2C17%2C152%2C114%2C81%2C66%2C19%2C85%2C86%2C116%2C84%2C136%2C135%2C34%2C278%2C293%2C212%2C201%2C202%2C200%2C296%2C288%2C52%2C213%2C107%2C131%2C80%2C121%2C54%2C47%2C49%2C113%2C120%2C126%2C58%2C64%2C151%2C115%2C37%2C32%2C53%2C56%2C100%2C163%2C1%2C124%2C14%2C122%2C12%2C2%2C57%2C93%2C65%2C118%2C89%2C88%2C166%2C167%2C94%2C95%2C9%2C125%2C102%2C51%2C142%2C87%2C79%2C71%2C117%2C106%2C43%2C143%2C0%2C82%2C137%2C140%2C153%2C38%2C108%2C13%2C168%2C228%2C227%2C222%2C224%2C225%2C226%2C223%2C211%2C221%2C233%2C193%2C190%2C191%2C185%2C189%2C192%2C188%2C183%2C316%2C196%2C215%2C184%2C182%2C210%2C235%2C206%2C176%2C177%2C172%2C178%2C175%2C173%2C174%2C171%2C169%2C180%2C181%2C179%2C265%2C315%2C194%2C238%2C239%2C244%2C241%2C243%2C242%2C240%2C237%2C252%2C248%2C249%2C247%2C253%2C250%2C246%2C251%2C245

External script from connect.facebook.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://connect.facebook.net/signals/config/174090553696107?v=2.9.303&r=stable&domain=www.umkc.edu&hme=97937018cefade17726f0472876fc101316b2ce9008a35a6a5a7977d7436151a&ex_m=104%2C205%2C154%2C22%2C72%2C73%2C145%2C68%2C67%2C11%2C162%2C90%2C16%2C138%2C127%2C39%2C75%2C78%2C134%2C159%2C164%2C8%2C4%2C5%2C7%2C6%2C3%2C91%2C101%2C165%2C170%2C219%2C62%2C186%2C187%2C55%2C276%2C30%2C74%2C231%2C230%2C229%2C23%2C33%2C103%2C61%2C10%2C63%2C97%2C98%2C99%2C105%2C130%2C31%2C29%2C132%2C133%2C129%2C128%2C155%2C76%2C158%2C156%2C157%2C50%2C60%2C123%2C15%2C161%2C45%2C263%2C264%2C262%2C26%2C27%2C28%2C48%2C146%2C77%2C112%2C18%2C20%2C44%2C40%2C42%2C41%2C83%2C92%2C96%2C110%2C144%2C147%2C46%2C111%2C24%2C21%2C119%2C69%2C36%2C149%2C148%2C150%2C141%2C139%2C25%2C35%2C59%2C109%2C160%2C70%2C17%2C152%2C114%2C81%2C66%2C19%2C85%2C86%2C116%2C84%2C136%2C135%2C34%2C278%2C293%2C212%2C201%2C202%2C200%2C296%2C288%2C52%2C213%2C107%2C131%2C80%2C121%2C54%2C47%2C49%2C113%2C120%2C126%2C58%2C64%2C151%2C115%2C37%2C32%2C53%2C56%2C100%2C163%2C1%2C124%2C14%2C122%2C12%2C2%2C57%2C93%2C65%2C118%2C89%2C88%2C166%2C167%2C94%2C95%2C9%2C125%2C102%2C51%2C142%2C87%2C79%2C71%2C117%2C106%2C43%2C143%2C0%2C82%2C137%2C140%2C153%2C38%2C108%2C13%2C168

External script from connect.facebook.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://connect.facebook.net/en_US/fbevents.js

External script from www.redditstatic.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.redditstatic.com/ads/pixel.js

External script from snap.licdn.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://snap.licdn.com/li.lms-analytics/insight.min.js

External script from bat.bing.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://bat.bing.com/bat.js

External script from static.ads-twitter.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.ads-twitter.com/uwt.js

External script from snap.licdn.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://snap.licdn.com/li.lms-analytics/insight.min.js

External script from www.google-analytics.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.google-analytics.com/analytics.js

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=G-G21GKGZWMQ&cx=c&gtm=4e64k1

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=G-08VPXRS2FH&cx=c&gtm=4e64k1

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=G-ED3TE3PHG0&cx=c&gtm=4e64k1

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=DC-9145154&cx=c&gtm=4e64k1

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=AW-11319596247&cx=c&gtm=4e64k1

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=AW-678792573&cx=c&gtm=4e64k1

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtm.js?id=GTM-TV3GXX2

External link from widget.freshworks.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://widget.freshworks.com/widgetBase/static/media/frame.d7ae132c.css

External link from calendar.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://calendar.umkc.edu/live/resource/css/%5Clivewhale%5Ctheme%5Cglobal%5Cstyles%5Cwidgets.css

External script from calendar.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://calendar.umkc.edu/live/resource/js/%5Clivewhale%5Cthirdparty%5Cjquery%5Cjquery.no-conflict-header.js/%5Clivewhale%5Cthirdparty%5Cjquery%5Cjquery.js/%5Clivewhale%5Cthirdparty%5Cjquery%5Cjquery.no-conflict-footer.js/%5Clivewhale%5Cscripts%5Clib%5Cdate%5Cformatter.js/%5Clivewhale%5Cscripts%5Clib%5Cdate%5Ctimezone.js/%5Clivewhale%5Cscripts%5Clib%5Cdate%5Cuser.js/%5Clivewhale%5Cplugins%5Cjquery%5Cjquery.lw-widget.js

External script from www.youvisit.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.youvisit.com/SmartScript/latest/smartscript.js?v=26.1.6

External script from bat.bing.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://bat.bing.com/p/action/211038466.js

External link from tags.srv.stackadapt.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://tags.srv.stackadapt.com/sa.css

External script from d.adroll.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://d.adroll.com/consent/check/VP224FHVIJCNFLFMY3QFIR?pv=20589026767.52725&arrfrr=https%3A%2F%2Fwww.umkc.edu%2F&_s=5701d1905cc3a0be5966f6a529e3ee5f&_b=2

External script from calendar.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: //calendar.umkc.edu/livewhale/theme/core/scripts/lwcw.js

External script from www.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.umkc.edu/v2/js/main.js?ver=0302202609150232

External script from www.umkc.edu lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.umkc.edu/v2/js/aos.js

External script from widget.freshworks.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://widget.freshworks.com/widgets/47000005928.js

External script from www.youvisit.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.youvisit.com/tour/Embed/js3

External script from admiss.info lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://admiss.info/edu/v1/pixel.js?pid=365507268

SRI Coverage 0 / 52 of external resources have integrity hashes

Tag	Domain	Integrity
<script>	cbe.capturehighered.net	✗ Missing
<link>	www.umkc.edu	✗ Missing
<link>	www.umkc.edu	✗ Missing
<script>	go.graduate.umkc.edu	✗ Missing
<script>	analytics.tiktok.com	✗ Missing
<script>	analytics.tiktok.com	✗ Missing
<script>	analytics.tiktok.com	✗ Missing
<script>	scripts.clarity.ms	✗ Missing
<script>	analytics.tiktok.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	tr.snapchat.com	✗ Missing
<script>	pixel.byspotify.com	✗ Missing
<script>	s.adroll.com	✗ Missing
<script>	www.clarity.ms	✗ Missing
<script>	tags.srv.stackadapt.com	✗ Missing
<script>	analytics.tiktok.com	✗ Missing
<script>	cbe.capturehighered.net	✗ Missing
<script>	analytics.tiktok.com	✗ Missing
<script>	analytics.tiktok.com	✗ Missing
<script>	sc-static.net	✗ Missing
<script>	connect.facebook.net	✗ Missing
<script>	connect.facebook.net	✗ Missing
<script>	connect.facebook.net	✗ Missing
<script>	connect.facebook.net	✗ Missing
<script>	connect.facebook.net	✗ Missing
<script>	www.redditstatic.com	✗ Missing
<script>	snap.licdn.com	✗ Missing
<script>	bat.bing.com	✗ Missing
<script>	static.ads-twitter.com	✗ Missing
<script>	snap.licdn.com	✗ Missing
<script>	www.google-analytics.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<link>	widget.freshworks.com	✗ Missing
<link>	calendar.umkc.edu	✗ Missing
<script>	calendar.umkc.edu	✗ Missing
<script>	www.youvisit.com	✗ Missing
<script>	bat.bing.com	✗ Missing
<link>	tags.srv.stackadapt.com	✗ Missing
<script>	d.adroll.com	✗ Missing
<script>	calendar.umkc.edu	✗ Missing
<script>	www.umkc.edu	✗ Missing
<script>	www.umkc.edu	✗ Missing
<script>	widget.freshworks.com	✗ Missing
<script>	www.youvisit.com	✗ Missing
<script>	admiss.info	✗ Missing

D

security.txt

Action

No /.well-known/security.txt published

FIX

security.txt

No security.txt found at /.well-known/security.txt

B

Security Headers

7 of 10 headers properly configured

REVIEW

7 of 10 headers properly configured

Strict-Transport-Security is properly configured

Got: max-age=31536000; includeSubDomains; preload

X-Content-Type-Options is properly configured

Got: nosniff

X-Frame-Options is properly configured

Got: SAMEORIGIN

Referrer-Policy is properly configured

Got: strict-origin-when-cross-origin

Permissions-Policy is set

Got: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), unload=(), window-placement=(), vertical-scroll=()

Content-Security-Policy header is missing

CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.

Expected: default-src 'self'

Cross-Origin-Opener-Policy header is missing

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Cross-Origin-Embedder-Policy header is missing

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

X-Powered-By header is not present

Server header is present without version info

Got: Apache

CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.

Expected: default-src 'self'

Why this matters

Without a CSP, a single XSS bug can exfiltrate everything your users type — including credentials.

Learn more ▾

Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies or rewrite the page is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever.

Source: OWASP / MDN

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more ▾

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more ▾

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

B

CORS Configuration

No CORS headers

REVIEW

No CORS headers

No CORS headers present — secure default

CORS Configuration ✓ Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control

A+

TLS & Certificates

TLS 1.3, 7 checks passed

PASS

TLS 1.3, 7 checks passed

TLS 1.3 is used

Got: TLS 1.3

Strong cipher suite is used

Got: TLS_AES_128_GCM_SHA256

HTTP/2 is not negotiated

HTTP/2 provides multiplexing and header compression for better performance.

Got: http/1.1

Certificate is valid (expires in 52 days)

Got: 2026-06-13T23:59:59Z

Certificate chain has 3 certificates

Certificate uses modern signature algorithm

Got: SHA384-RSA

Certificate covers 20 domain(s)

Got: www.umkc.edu, umkc.biz, umkc.cc, umkc.edu, umkc.info, umkc.org, umkc.us, universityofmissourikansascity.com, universityofmissourikansascity.info, universityofmissourikansascity.net, universityofmissourikansascity.org, www.umkc.biz, www.umkc.cc, www.umkc.info, www.umkc.org, www.umkc.us, www.universityofmissourikansascity.com, www.universityofmissourikansascity.info, www.universityofmissourikansascity.net, www.universityofmissourikansascity.org

Certificate is issued by a trusted CA

Got: CN=InCommon RSA Server CA 2,O=Internet2,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more ▾

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection

Protocol

TLS 1.3

Cipher Suite

TLS_AES_128_GCM_SHA256

HTTP Version

HTTP/1.1

Certificate Chain

Leaf Certificate

Subject CN=www.umkc.edu,O=University of Missouri,ST=Missouri,C=USIssuer CN=InCommon RSA Server CA 2,O=Internet2,C=USValid 2025-06-13T00:00:00Z → 2026-06-13T23:59:59ZExpires in 52 days SANs www.umkc.edu, umkc.biz, umkc.cc, umkc.edu, umkc.info, umkc.org, umkc.us, universityofmissourikansascity.com, universityofmissourikansascity.info, universityofmissourikansascity.net, universityofmissourikansascity.org, www.umkc.biz, www.umkc.cc, www.umkc.info, www.umkc.org, www.umkc.us, www.universityofmissourikansascity.com, www.universityofmissourikansascity.info, www.universityofmissourikansascity.net, www.universityofmissourikansascity.orgSignature SHA384-RSASerial c8f749a99d874312a71caddc56bad64d

Intermediate (CA Certificate)

Subject CN=InCommon RSA Server CA 2,O=Internet2,C=USIssuer CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USValid 2022-11-16T00:00:00Z → 2032-11-15T23:59:59ZExpires in 2399 days Signature SHA384-RSASerial 835b7615206d2d6e097e0b6e409fefc0

Intermediate (CA Certificate)

Subject CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=USIssuer CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GBValid 2019-03-12T00:00:00Z → 2028-12-31T23:59:59ZExpires in 984 days Signature SHA384-RSASerial 3972443af922b751d7d36c10dd313595

A+

Cookie Security

No cookies set — no cookie security risks

PASS

No cookies set — no cookie security risks

No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+

JS Library Vulnerabilities

No known vulnerabilities

PASS

No known vulnerabilities

No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+

Information Leakage

No exposures

PASS

No exposures

No security.txt found

Consider adding a security.txt at /.well-known/security.txt.

No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path	Status	Category	Risk
/.git/HEAD	✓ Not found	Version Control	—
/.git/config	✓ Not found	Version Control	—
/.svn/entries	✓ Not found	Version Control	—
/.env	✓ Not found	Configuration	—
/.env.local	✓ Not found	Configuration	—
/.env.production	✓ Not found	Configuration	—
/wp-config.php	✓ Not found	Configuration	—
/.htaccess	✓ Not found	Configuration	—
/phpinfo.php	✓ Not found	Debug	—
/server-status	✓ Not found	Debug	—
/server-info	✓ Not found	Debug	—
/.well-known/security.txt	✓ Not found	Security Policy	—

A

Email Security

DMARC: quarantine

PASS

DMARC: quarantine

DMARC policy is quarantine — good protection

DMARC

Policy quarantine — good protection Record v=DMARC1; p=quarantine; fo=1; rua=mailto:dmarc_agg@vali.email,mailto:mudmarc-reports@missouri.edu; ri=86400; aspf=r; adkim=r; pct=100;

A+

Permissions-Policy

42 directives, 0 missing

PASS

42 directives, 0 missing

accelerometer=() — blocked for all origins

ambient-light-sensor=() — blocked for all origins

autoplay=() — blocked for all origins

battery=() — blocked for all origins

camera=() — blocked for all origins

cross-origin-isolated=() — blocked for all origins

display-capture=() — blocked for all origins

document-domain=() — blocked for all origins

encrypted-media=() — blocked for all origins

execution-while-not-rendered=() — blocked for all origins

execution-while-out-of-viewport=() — blocked for all origins

fullscreen=() — blocked for all origins

geolocation=() — blocked for all origins

gyroscope=() — blocked for all origins

keyboard-map=() — blocked for all origins

magnetometer=() — blocked for all origins

microphone=() — blocked for all origins

midi=() — blocked for all origins

navigation-override=() — blocked for all origins

payment=() — blocked for all origins

picture-in-picture=() — blocked for all origins

publickey-credentials-get=() — blocked for all origins

screen-wake-lock=() — blocked for all origins

sync-xhr=() — blocked for all origins

usb=() — blocked for all origins

web-share=() — blocked for all origins

xr-spatial-tracking=() — blocked for all origins

clipboard-read=() — blocked for all origins

clipboard-write=() — blocked for all origins

gamepad=() — blocked for all origins

speaker-selection=() — blocked for all origins

conversion-measurement=() — blocked for all origins

focus-without-user-activation=() — blocked for all origins

hid=() — blocked for all origins

idle-detection=() — blocked for all origins

interest-cohort=() — blocked for all origins

serial=() — blocked for all origins

sync-script=() — blocked for all origins

trust-token-redemption=() — blocked for all origins

unload=() — blocked for all origins

window-placement=() — blocked for all origins

vertical-scroll=() — blocked for all origins

Raw Header

accelerometer=() ambient-light-sensor=() autoplay=() battery=() camera=() cross-origin-isolated=() display-capture=() document-domain=() encrypted-media=() execution-while-not-rendered=() execution-while-out-of-viewport=() fullscreen=() geolocation=() gyroscope=() keyboard-map=() magnetometer=() microphone=() midi=() navigation-override=() payment=() picture-in-picture=() publickey-credentials-get=() screen-wake-lock=() sync-xhr=() usb=() web-share=() xr-spatial-tracking=() clipboard-read=() clipboard-write=() gamepad=() speaker-selection=() conversion-measurement=() focus-without-user-activation=() hid=() idle-detection=() interest-cohort=() serial=() sync-script=() trust-token-redemption=() unload=() window-placement=() vertical-scroll=()

Feature Permissions

Blocked Self Only Unrestricted Not Set

accelerometer Blocked

ambient-light-sensor Blocked

autoplay Blocked

battery Blocked

camera Blocked

cross-origin-isolated Blocked

display-capture Blocked

document-domain Blocked

encrypted-media Blocked

execution-while-not-rendered Blocked

execution-while-out-of-viewport Blocked

fullscreen Blocked

geolocation Blocked

gyroscope Blocked

keyboard-map Blocked

magnetometer Blocked

microphone Blocked

midi Blocked

navigation-override Blocked

payment Blocked

picture-in-picture Blocked

publickey-credentials-get Blocked

screen-wake-lock Blocked

sync-xhr Blocked

usb Blocked

web-share Blocked

xr-spatial-tracking Blocked

clipboard-read Blocked

clipboard-write Blocked

gamepad Blocked

speaker-selection Blocked

conversion-measurement Blocked

focus-without-user-activation Blocked

hid Blocked

idle-detection Blocked

interest-cohort Blocked

serial Blocked

sync-script Blocked

trust-token-redemption Blocked

unload Blocked

window-placement Blocked

vertical-scroll Blocked

A

Transport Security

HTTP/3, HSTS, and TLS version analysis

PASS

HTTP/3, HSTS, and TLS version analysis

HTTP/3 (QUIC) not advertised

HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.

HSTS enabled (includeSubDomains, preload)

HSTS preload enabled

TLS 1.3 in use (fastest handshake, 1-RTT)

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback