Skip to content
https://twincities.com

Security

· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
66
GRADE
D
FIX
6
REVIEW
1
PASS
5
INFO
0
Checks
12
5 PASS 1 REVIEW 6 FIX
D
Security Headers
Action
4 of 10 headers properly configured
FIX
4 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured (consider adding preload)
Got: max-age=31536000;includeSubdomains
Warning::
X-Content-Type-Options header is missing
This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.
Expected: nosniff
Warning::
X-Frame-Options header is missing
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected: DENY
Warning::
Referrer-Policy header is missing
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
Expected: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: nginx

This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.

Expected: nosniff
Why this matters

MIME sniffing lets browsers run uploaded files as JavaScript, turning a file upload into an XSS.

Learn more

Setting X-Content-Type-Options: nosniff tells browsers to trust your declared Content-Type instead of guessing. Without it, an attacker who uploads a polyglot file can sometimes get it executed as a script. One header, no downside.

Source: OWASP / MDN

This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.

Expected: DENY
Why this matters

Without frame protection, your site can be embedded in a hostile page and used for clickjacking.

Learn more

Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.

Source: OWASP / MDN

Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.

Expected: strict-origin-when-cross-origin
Why this matters

Default browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.

Learn more

Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.

Source: MDN / W3C

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

F
Content Security Policy
Action
3 of 10 CSP checks passed
FIX
3 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: *.visualwebsiteoptimizer.com; style-src 'unsafe-inline' https: *.visualwebsiteoptimizer.com app.vwo.com; img-src data: https: blob: *.visualwebsiteoptimizer.com app.vwo.com useruploads.vwo.io; font-src data: https:; connect-src https: data: blob: *.visualwebsiteoptimizer.com app.vwo.com; media-src blob: data: https:; object-src https:; child-src https: data: blob: 'self' *.visualwebsiteoptimizer.com app.vwo.com; upgrade-insecure-requests; block-all-mixed-content;
Info::
default-src directive is set
Got: default-src data: 'unsafe-inline' 'unsafe-eval' https:
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: *.visualwebsiteoptimizer.com
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: *.visualwebsiteoptimizer.com
Info::
No wildcard in script source
Warning::
object-src allows plugin content
Set object-src to 'none' to prevent Flash/Java plugin exploits.
Got: object-src https: Expected: object-src 'none'
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is enabled

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Expected: object-src 'none'
Why this matters

object-src open in CSP allows Flash/PDF/plugin embedding — a now-deprecated attack vector that should be explicitly blocked.

Learn more

object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.

Source: MDN CSP

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

Parsed Policy

default-src data:'unsafe-inline''unsafe-eval'https:
script-src data:'unsafe-inline''unsafe-eval'https:blob:*.visualwebsiteoptimizer.com
style-src 'unsafe-inline'https:*.visualwebsiteoptimizer.comapp.vwo.com
img-src data:https:blob:*.visualwebsiteoptimizer.comapp.vwo.comuseruploads.vwo.io
font-src data:https:
connect-src https:data:blob:*.visualwebsiteoptimizer.comapp.vwo.com
media-src blob:data:https:
object-src https:
child-src https:data:blob:'self'*.visualwebsiteoptimizer.comapp.vwo.com
upgrade-insecure-requests
block-all-mixed-content
F
Subresource Integrity
Action
0 of 107 external resources have SRI
FIX
0 of 107 external resources have SRI
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-NFD2QGD&l=MG2DL
Warning::
External script from sb.scorecardresearch.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sb.scorecardresearch.com/c2/6035443/cs.js
Warning::
External script from nexus.ensighten.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://nexus.ensighten.com/choozle/3838/code/4a0c49c6c37e8dc3aeb5f0b0735f034f.js?conditionId0=504115
Warning::
External script from nexus.ensighten.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://nexus.ensighten.com/choozle/3838/code/2fd5f4edbc2a3f9c8e21b73ac38b4527.js?conditionId0=421905
Warning::
External script from rules.quantcount.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://rules.quantcount.com/rules-p-62Ax3SmBbHalA.js
Warning::
External script from launchpad.privacymanager.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://launchpad.privacymanager.io/latest/launchpad.bundle.js
Warning::
External script from tagan.adlightning.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://tagan.adlightning.com/mng-trib/bl-0d6ee0c-4b0d2586.js
Warning::
External script from tagan.adlightning.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://tagan.adlightning.com/mng-trib/b-682065e-27e6b6d7.js
Warning::
External script from nexus.ensighten.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://nexus.ensighten.com/choozle/3838/serverComponent.php?namespace=Bootstrapper&staticJsPath=nexus.ensighten.com/choozle/3838/code/&publishedOn=Sat Oct 21 01:47:12 GMT 2023&ClientID=923&PageID=https%3A%2F%2Fwww.twincities.com%2F
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/marfeel-sdk.es5.js?id=5546
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/marfeel-sdk.js?id=5546
Warning::
External script from secure.quantserve.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://secure.quantserve.com/quant.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=G-80YFSW41HT&cx=c&gtm=4e64k0
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtm.js?id=GTM-TLFP4R
Warning::
External script from js.matheranalytics.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://js.matheranalytics.com/s/ma23578/239876515/wp/ml.js?cb=1714
Warning::
External script from thebestpaints.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://thebestpaints.com/kh3p4bzvc6he.app.js
Warning::
External link from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/themes/wp-mason/dist/css/styleOsanoCustom.min.css?m=1767992576g
Warning::
External link from htlbid.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://htlbid.com/v3/twincities.com/htlbid.css?ver=6.9.4
Warning::
External link from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/client-mu-plugins/src/Sitemap/includes/style.css?m=1764612877g
Warning::
External link from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/plugins/mng-digisubs/static/mng-digisubs.styles.css?ver=1776895834
Warning::
External link from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/_static/??-eJx9zEEKAjEMheELGeOAZdyIeJSZTmgDbVImKTK3twiCKxePH97iw1eDqOIkjrHwCNQOrfTEYvhtlQRGCrmvuJiRG0Yb03bsnLKDqHOk8zhP+Fe0PeJzs1+l6sqFYNkyGauA+VE+1KPep3kO0/UWLuENSbQ+Sw==
Warning::
External link from fonts.googleapis.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fonts.googleapis.com/css?family=Noto+Sans%3A400%2C700%7CNoto+Serif%3A400%2C400i%2C700%2C700i%7CArvo%3A400%2C400i%2C700%2C700i&display=swap&ver=6.9.4
Warning::
External link from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/themes/assets/static/css/boldcoastal.css?m=1776895835g
Warning::
External link from cdn.jsdelivr.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cdn.jsdelivr.net/npm/bootstrap-icons@1.5.0/font/bootstrap-icons.min.css?ver=5.2.0
Warning::
External link from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/plugins/dfm-ad-mods/dist/css/style.min.css?m=1764612879g
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/client-mu-plugins/src/Auth0/assets/dist/auth0-session-storage.min.js?ver=1.0.4
Warning::
External script from cmp.osano.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cmp.osano.com/16A1AnRt2Fn8i1unj/1edc45d9-1a78-48b2-9035-037b31df744a/osano.js
Warning::
External script from ajax.googleapis.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js?ver=3.5.1
Warning::
External script from htlbid.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://htlbid.com/v3/twincities.com/htlbid.js?ver=6.9.4
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/client-mu-plugins/src/SSO/assets/js/sso-tools.min.js?m=1764612877g
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/plugins/loader-wp/static/loader.min.js?ver=1.6.4
Warning::
External script from az416426.vo.msecnd.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/_static/??-eJydzD0OwjAMQOELkViIn5YBcQFWDpA0luUqcaPYUeH2sCB1YGJ90vdgrW5axFAMau7EopCXkLC5tYJaMJ4AhQLhnWML7eULi591Bz9kEXKJibVH/eJt84pmLKQ+dkkZ//58gODTHsZ587qV634YzuPlNB6O8xveVVH9
Warning::
External script from cdn.auth0.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.auth0.com/js/auth0-spa-js/1.13/auth0-spa-js.production.js?ver=6.9.4
Warning::
External script from accounts.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://accounts.google.com/gsi/client?ver=6.9.4
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/_static/??-eJylzEsKgDAMBNALaYP4X4hbr1G1lEgbxaTo8a0rcaurgWHmwbGl00piSGBzwSIxeLLpjBY5jAwsWnB6dcprJDUGmp1RCyfwxYgHMqf8ZeIYxRkfk/9aAQd9A/sD9b7L6rpq2rLJi+UCv9NxKg==
Warning::
External script from f703.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://f703.twincities.com/script.js
Warning::
External script from prodmg2.blob.core.windows.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://prodmg2.blob.core.windows.net/newsletterwidget/mng/dfm/MG2Widget-newsletterwidget-nojquery.min.js
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/_static/??-eJyNzMsOAiEMheEXEhrjZcaFceGTMIBQpIXYEl/f0Z2JC3cnJ/l+eHbjG2tkhV5HQhYINzIuGGph3SgKRSBnqdcc/d0Ssi2ygR+QOJmACWUsAk4kqryttJ4RyGmOj7+5qFP0X5/9hOwyONS4Ri503k7TcT4d5t2+vAD/0kpj
Warning::
External script from cdn.sophi.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.sophi.io/assets/demeter/1/stable/1237740280.js?ver=6.9.4
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/plugins/mng-digisubs/static/mng-digisubs.articleShare.bundle.js?m=1776895834g
Warning::
External link from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/mu-plugins/jetpack-15.5/modules/widgets/top-posts/style.css?m=1776195303g
Warning::
External script from fp.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fp.twincities.com/prod/dfm/fp.min.js?2026322
Warning::
External script from g2i.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://g2i.twincities.com/prod/dfm/g2i.min.js?2026322
Warning::
External script from engage.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://engage.twincities.com/prod/dfm/t8y9347t.min.js?2026322
Warning::
External link from engage.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://engage.twincities.com/prod/dfm/t8y9347t.min.css?2026322
Warning::
External script from cdn-p.cityspark.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cdn-p.cityspark.com/wid/11279.jsx?b=592298862&on=aHR0cHM6Ly93d3cudHdpbmNpdGllcy5jb20v&callback=jsonp11279
Warning::
External link from accounts.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://accounts.google.com/gsi/style
Warning::
External script from cds.connatix.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cds.connatix.com/p/plugins/prebid-cache-scraper-3.js
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-includes/js/wp-emoji-release.min.js?ver=6.9.4
Warning::
External script from securepubads.g.doubleclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Warning::
External script from tagan.adlightning.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://tagan.adlightning.com/mng-trib/op.js
Warning::
External script from launchpad-wrapper.privacymanager.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://launchpad-wrapper.privacymanager.io/70bb23e5-a2a7-414e-b709-7066b1333c83/launchpad-liveramp.js
Warning::
External script from raven-edge.aditude.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://raven-edge.aditude.io/raven/medianewsgroup-main-vIqAa/library.js
Warning::
External script from c.amazon-adsystem.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://c.amazon-adsystem.com/aax2/apstag.js
Warning::
External script from marfeelexperimentsexperienceengine.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://marfeelexperimentsexperienceengine.mrf.io/experimentsexperience/render?siteId=5546&url=https%3A%2F%2Fwww.twincities.com%2F&experimentType=HeadlineAB&lang=es&version=esnext
Warning::
External script from marfeelexperimentsexperienceengine.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://marfeelexperimentsexperienceengine.mrf.io/experimentsexperience/render?siteId=5546&url=https%3A%2F%2Fwww.twincities.com%2F&experimentType=HeadlineAB&lang=es&version=legacy
Warning::
External script from cdn.sophi.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.sophi.io/assets/demeter/1/stable/1237740280/extensions.js
Warning::
External script from googleads.g.doubleclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://googleads.g.doubleclick.net/pagead/viewthroughconversion/11039248159/?random=1776896588891&cv=11&fst=1776896588891&bg=ffffff&guid=ON&async=1&en=gtag.config&gtm=45be64k0v898335060za200zd898335060xec&gcd=13l3l3l3l5l1&dma=0&tcfd=10000&tag_exp=0~115938465~115938469~117266400&u_w=800&u_h=600&url=https%3A%2F%2Fwww.twincities.com%2F&rcb=15&frm=0&tiba=St.%20Paul%20News%2C%20Sports%20and%20Things%20To%20Do%20%7C%20Pioneer%20Press&hn=www.googleadservices.com&npa=0&us_privacy=1---&pscdl=noapi&auid=1928589238.1776896589&uaa=x86&uab=64&uafvl=Not-A.Brand%3B24.0.0.0%7CChromium%3B146.0.7680.164&uamb=0&uam=&uap=Linux&uapv=&uaw=0&gpp=DBACOe~CQjEJsAQjEJsAEXyIAENCbFgAAAAAEPgACiQAAAPjgIgAcABAACQAGgARQAmABoAEcAK0AZYBAACDgKlAXmA0UBywD4wAAAA.IHxwIgAFAANgAwADIAHAAQAAkABaADQAHQAPQAigBMACgAFIALYAXgAwgBogEcAR4AlABOgCtAGWAPEAgABBwFRAKlAXmAxkBooDjgHLAPjA~BQjEJsAQjEJsAEXyIAENCbFAAAAAAIfAAAAAA-OAiABwAEAAJAAaABFACYAGgARwArQBlgEAAIOAqUBeYDRQHLAPjAAA.IHxwIgAFAANgAwADIAHAAQAAkABaADQAHQAPQAigBMACgAFIALYAXgAwgBogEcAR4AlABOgCtAGWAPEAgABBwFRAKlAXmAxkBooDjgHLAPjA~1YN-&gpp_sid=6&data=event%3Dgtag.config&rfmt=3&fmt=4
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/compass-multimedia-sdk.js?version=2262
Warning::
External script from sdk.mrf.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://sdk.mrf.io/statics/compass-multimedia-sdk.es5.js?version=2262
Warning::
External script from jadserve.postrelease.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://jadserve.postrelease.com/t?ntv_mvi=&ntv_url=https%253A%252F%252Fwww.twincities.com%252F
Warning::
External script from d15kdpgjg3unno.cloudfront.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://d15kdpgjg3unno.cloudfront.net/oPS.js?cid=115
Warning::
External script from raven-static.aditude.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://raven-static.aditude.io/prod/1.19.14-y0ptsc/raven.js
Warning::
External script from securepubads.g.doubleclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://securepubads.g.doubleclick.net/pagead/managed/js/gpt/m202604170101/pubads_impl.js?cb=31097946
Warning::
External script from ads.pubmatic.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://ads.pubmatic.com/AdServer/js/pwt/160835/4933/pwt.js
Warning::
External script from config.aps.amazon-adsystem.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://config.aps.amazon-adsystem.com/configs/3391
Warning::
External script from fundingchoicesmessages.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fundingchoicesmessages.google.com/i/8013?ers=3
Warning::
External script from secure.cdn.fastclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //secure.cdn.fastclick.net/js/pubcid/latest/pubcid.min.js
Warning::
External script from cdn-ima.33across.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn-ima.33across.com/ima.js
Warning::
External script from cdn.id5-sync.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cdn.id5-sync.com/api/1.0/id5-api.js
Warning::
External script from secure.cdn.fastclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://secure.cdn.fastclick.net/js/cnvr-launcher/latest/launcher-stub.min.js
Warning::
External script from secure.cdn.fastclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://secure.cdn.fastclick.net/js/cnvr-launcher/latest/launcher.min.js
Warning::
External script from fundingchoicesmessages.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fundingchoicesmessages.google.com/f/AGSKWxUVLgZZTsz__K0SkTTw4njZceMGFPPiAj91txFtt-sxCLXcX1CWzlVS9D_AXw3hBacIzxInmCK3zziQDlBr27gHTJ6epKYTH5o5jzxoiP3x0gQBhtiQg3vKlC3cuYTXgRnOlsHYPQ==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzc2ODk2NTkxLDQ1NDAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly93d3cudHdpbmNpdGllcy5jb20vIixudWxsLFtbOCwicFNKa28xOTZJSDAiXSxbOSwiZW4tVVMiXSxbMTgsIltbW251bGwsNDkzOV1dXSJdLFszNSwiMTc3Njg5NjU5MSJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCIiXSxbMjksImZhbHNlIl1dXQ
Warning::
External script from static.criteo.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.criteo.net/js/ld/publishertag.ids.js
Warning::
External script from cdn.mgaru.dev lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.mgaru.dev/static/myGaruStandalone.js
Warning::
External script from tags.crwdcntrl.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://tags.crwdcntrl.net/lt/c/16589/sync.min.js
Warning::
External script from cdn.jsdelivr.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.jsdelivr.net/gh/prebid/shared-id/pubcid.js/docs/pubcid.min.js
Warning::
External script from oa.openxcdn.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://oa.openxcdn.net/esp.js
Warning::
External script from connectid.analytics.yahoo.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://connectid.analytics.yahoo.com/connectId-gpt.js
Warning::
External script from ads.pubmatic.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://ads.pubmatic.com/AdServer/js/google-esp.js
Warning::
External script from cdn.id5-sync.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.id5-sync.com/api/1.0/esp.js
Warning::
External script from invstatic101.creativecdn.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://invstatic101.creativecdn.com/encrypted-signals/encrypted-tag-g.js
Warning::
External script from fundingchoicesmessages.google.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://fundingchoicesmessages.google.com/f/AGSKWxVE64Io4j_6hGu6eSZRDnt60qYwdas6ZU0VryZ9P9_gGCL4M2fP3Oo6HZ--0nN_6__zZ7jlIc6_3WnsTS0uYIkiWzMgWfl3bgT7UsourlHQloWZnpRYfBschOMn0mosSw4_83OMaQ==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzc2ODk2NTkxLDg2OTAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzcsOV0sbnVsbCwyLG51bGwsImVuIl0sImh0dHBzOi8vd3d3LnR3aW5jaXRpZXMuY29tLyIsbnVsbCxbWzgsInBTSmtvMTk2SUgwIl0sWzksImVuLVVTIl0sWzE4LCJbW1tudWxsLDQ5MzldXV0iXSxbMzUsIjE3NzY4OTY1OTEiXSxbMTksIjIiXSxbMTcsIlswXSJdLFsyNCwiIl0sWzI5LCJmYWxzZSJdXV0
Warning::
External script from secure.cdn.fastclick.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://secure.cdn.fastclick.net/js/cnvr-coreid/latest/coreid.min.js
Warning::
External script from cdn.jsdelivr.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.jsdelivr.net/npm/web-vitals@3/dist/web-vitals.attribution.iife.js
Warning::
External script from az416426.vo.msecnd.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Warning::
External script from connext-fd-gnbrate4fjhjb3f7.z01.azurefd.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //connext-fd-gnbrate4fjhjb3f7.z01.azurefd.net/index.js
Warning::
External script from cdn.adapex.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.adapex.io/hb/aaw.empowerlocal_d.js
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/_static/??-eJyVj8EKwjAQRH/IdlG07UU8ePHiR4QmNluT3dDdKPbrjYKiF8HjDPOYGbimqmdSRwrqXXQCxYlGmMCiKIwCLIZ4n0U51hGpHmUBH1gKeUASiDRUXsMbK/qg4chWflHJszKdMAS4OLI8QcJe8+Qe1n9gMPNNcHZffUh9yLbcKoueyzzz+ZXYxe2ybdfNqum6zXgHXmRkBw==
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-includes/js/dist/i18n.min.js?ver=c26c3dc7bed366793375
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/mu-plugins/wp-parsely-3.23/build/loader.js?m=1776195311g
Warning::
External script from cdn.parsely.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.parsely.com/keys/twincities.com/p.js?ver=3.23.1
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/themes/wp-mason/dist/js/ads.min.js?ver=1.0
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/_static/??-eJyVz90KwjAMBeAXsgsqc/NCZJc+Rtd2NSNthokO397phT8gQy9z4DucwDgYx1lDVtBjSEHAigQVELWKDnqBgenaIZEUCXPRywJ+QC2Td2yngGbYlCQrnMGj6J0RRz6k2KievrGBzhGzgO+Ssd4k9vJGrW8eM/6VssoX9IHnnKAG83HoiNmhYngVReL2+e8+7ZZVtam3Zb0u+xshCoX0
Warning::
External script from s.ntv.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://s.ntv.io/serve/load.js
Warning::
External script from applepay.cdn-apple.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://applepay.cdn-apple.com/jsapi/1.latest/apple-pay-sdk.js
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/plugins/mng-digisubs/static/mng-digisubs.apple.bundle.js?m=1776895834g
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/plugins/mng-cache-control/Src/assets/dist/mng-cache-control-adminbar.js?ver=0.2.1
Warning::
External script from stats.wp.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://stats.wp.com/e-202617.js
Warning::
External script from cdn.p-n.io lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.p-n.io/pushly-sdk.min.js?domain_key=Ldx0NlMMeaMEuJQrfAtJEywKrH16ay98Y3EO&ver=6.9.4
Warning::
External script from delivery.revcontent.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://delivery.revcontent.com/190264/284223/widget.js?ver=6.9.4
Warning::
External script from www.twincities.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.twincities.com/wp-content/themes/wp-mason/dist/js/obitModals.min.js?m=1772037764g
Warning::
External script from cdn.cityspark.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //cdn.cityspark.com/wid/get.js?ver=6.9.4
Warning::
External script from nexus.ensighten.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //nexus.ensighten.com/choozle/3838/Bootstrap.js
Warning::
External script from b-code.liadm.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //b-code.liadm.com/a-05gm.min.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=AW-11039248159
SRI Coverage 0 / 107 of external resources have integrity hashes
TagDomainIntegrity
<script>www.googletagmanager.com Missing
<script>sb.scorecardresearch.com Missing
<script>nexus.ensighten.com Missing
<script>nexus.ensighten.com Missing
<script>rules.quantcount.com Missing
<script>launchpad.privacymanager.io Missing
<script>tagan.adlightning.com Missing
<script>tagan.adlightning.com Missing
<script>nexus.ensighten.com Missing
<script>sdk.mrf.io Missing
<script>sdk.mrf.io Missing
<script>secure.quantserve.com Missing
<script>www.googletagmanager.com Missing
<script>www.googletagmanager.com Missing
<script>js.matheranalytics.com Missing
<script>thebestpaints.com Missing
<link>www.twincities.com Missing
<link>htlbid.com Missing
<link>www.twincities.com Missing
<link>www.twincities.com Missing
<link>www.twincities.com Missing
<link>fonts.googleapis.com Missing
<link>www.twincities.com Missing
<link>cdn.jsdelivr.net Missing
<link>www.twincities.com Missing
<script>www.twincities.com Missing
<script>cmp.osano.com Missing
<script>ajax.googleapis.com Missing
<script>htlbid.com Missing
<script>www.twincities.com Missing
<script>www.twincities.com Missing
<script>az416426.vo.msecnd.net Missing
<script>www.twincities.com Missing
<script>cdn.auth0.com Missing
<script>accounts.google.com Missing
<script>www.twincities.com Missing
<script>f703.twincities.com Missing
<script>prodmg2.blob.core.windows.net Missing
<script>www.twincities.com Missing
<script>cdn.sophi.io Missing
<script>www.twincities.com Missing
<link>www.twincities.com Missing
<script>fp.twincities.com Missing
<script>g2i.twincities.com Missing
<script>engage.twincities.com Missing
<link>engage.twincities.com Missing
<script>cdn-p.cityspark.com Missing
<link>accounts.google.com Missing
<script>cds.connatix.com Missing
<script>www.twincities.com Missing
<script>securepubads.g.doubleclick.net Missing
<script>tagan.adlightning.com Missing
<script>launchpad-wrapper.privacymanager.io Missing
<script>raven-edge.aditude.io Missing
<script>c.amazon-adsystem.com Missing
<script>marfeelexperimentsexperienceengine.mrf.io Missing
<script>marfeelexperimentsexperienceengine.mrf.io Missing
<script>cdn.sophi.io Missing
<script>googleads.g.doubleclick.net Missing
<script>sdk.mrf.io Missing
<script>sdk.mrf.io Missing
<script>jadserve.postrelease.com Missing
<script>d15kdpgjg3unno.cloudfront.net Missing
<script>raven-static.aditude.io Missing
<script>securepubads.g.doubleclick.net Missing
<script>ads.pubmatic.com Missing
<script>config.aps.amazon-adsystem.com Missing
<script>fundingchoicesmessages.google.com Missing
<script>secure.cdn.fastclick.net Missing
<script>cdn-ima.33across.com Missing
<script>cdn.id5-sync.com Missing
<script>secure.cdn.fastclick.net Missing
<script>secure.cdn.fastclick.net Missing
<script>fundingchoicesmessages.google.com Missing
<script>static.criteo.net Missing
<script>cdn.mgaru.dev Missing
<script>tags.crwdcntrl.net Missing
<script>cdn.jsdelivr.net Missing
<script>oa.openxcdn.net Missing
<script>connectid.analytics.yahoo.com Missing
<script>ads.pubmatic.com Missing
<script>cdn.id5-sync.com Missing
<script>invstatic101.creativecdn.com Missing
<script>fundingchoicesmessages.google.com Missing
<script>secure.cdn.fastclick.net Missing
<script>cdn.jsdelivr.net Missing
<script>az416426.vo.msecnd.net Missing
<script>connext-fd-gnbrate4fjhjb3f7.z01.azurefd.net Missing
<script>cdn.adapex.io Missing
<script>www.twincities.com Missing
<script>www.twincities.com Missing
<script>www.twincities.com Missing
<script>cdn.parsely.com Missing
<script>www.twincities.com Missing
<script>www.twincities.com Missing
<script>s.ntv.io Missing
<script>applepay.cdn-apple.com Missing
<script>www.twincities.com Missing
<script>www.twincities.com Missing
<script>stats.wp.com Missing
<script>cdn.p-n.io Missing
<script>delivery.revcontent.com Missing
<script>www.twincities.com Missing
<script>cdn.cityspark.com Missing
<script>nexus.ensighten.com Missing
<script>b-code.liadm.com Missing
<script>www.googletagmanager.com Missing
D
Email Security
Action
DMARC: none
FIX
DMARC: none
Warning::
DMARC policy is none — monitoring only
This only monitors, it doesn't block spoofed emails. Change to p=quarantine or p=reject.
DMARC
Policy none — monitoring only, does not block spoofing Record v=DMARC1; p=none; pct=100

This only monitors, it doesn't block spoofed emails. Change to p=quarantine or p=reject.

Why this matters

DMARC p=none collects reports but doesn't actually block spoofed mail — phishing emails still reach inboxes.

Learn more

DMARC's three policies are p=none (monitor only), p=quarantine (mark as spam), and p=reject (bounce). Most domains start at p=none to gather data, but stay there forever, leaving spoofers unblocked. After 30 days of clean DMARC reports, graduate to p=quarantine, then p=reject.

Source: DMARC.org / NIST

D
Permissions-Policy
Action
No header set
FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
D
security.txt
Action
No /.well-known/security.txt published
FIX

security.txt

No security.txt found at /.well-known/security.txt

B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
A+
TLS & Certificates
TLS 1.3, 7 checks passed
PASS
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_CHACHA20_POLY1305_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 52 days)
Got: 2026-06-14T02:42:28Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: ECDSA-SHA384
Info::
Certificate covers 2 domain(s)
Got: twincities.com, www.twincities.com
Info::
Certificate is issued by a trusted CA
Got: CN=E7,O=Let's Encrypt,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.3
Cipher Suite
TLS_CHACHA20_POLY1305_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=twincities.comIssuer CN=E7,O=Let's Encrypt,C=USValid 2026-03-16T02:42:29Z → 2026-06-14T02:42:28ZExpires in 52 days SANs twincities.com, www.twincities.comSignature ECDSA-SHA384Serial 6ae40447873655697d578dce4d4f05e1b0f
Intermediate (CA Certificate)
Subject CN=E7,O=Let's Encrypt,C=USIssuer CN=ISRG Root X1,O=Internet Security Research Group,C=USValid 2024-03-13T00:00:00Z → 2027-03-12T23:59:59ZExpires in 324 days Signature SHA256-RSASerial aa75f1e62b8f0a220966d38bbfd4baa1
A+
Cookie Security
No cookies set — no cookie security risks
PASS
No cookies set — no cookie security risks
Info::
No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt Not foundSecurity Policy
A
Transport Security
HTTP/3, HSTS, and TLS version analysis
PASS
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (includeSubDomains)
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback