Security
· 20 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.FContent Security PolicyAction3 of 10 CSP checks passedFIX
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
base-uri 'self'Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.
Learn more ▾ ▴
A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.
Source: MDN CSP
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
frame-ancestors 'self'Security gaps expose your site and users to attacks, eroding trust.
form-action restricts where forms can submit data, preventing form hijacking.
form-action 'self'Security gaps expose your site and users to attacks, eroding trust.
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
upgrade-insecure-requestsWithout upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.
Learn more ▾ ▴
Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.
Source: MDN CSP
Parsed Policy
CSecurity HeadersAction5 of 10 headers properly configuredREVIEW
strict-origin-when-cross-originWeak Referrer-Policy values leak full URLs (with query params, tokens, IDs) to every third-party resource on the page.
Learn more ▾ ▴
Default referrer behavior shares the full referring URL with images, scripts, and other resources from third-party origins. If your URLs contain tokens, session IDs, or user emails (in query strings or paths), every third-party tracker gets them. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter).
Source: MDN Referrer-Policy / W3C
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
geolocation=(), camera=(), microphone=()Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.
Learn more ▾ ▴
By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.
Source: MDN / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
same-originCOOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
require-corpCOEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
This header discloses server technology (e.g. Express, PHP), helping attackers target known vulnerabilities. Remove it.
X-Powered-By: PHP/7.4.3 advertises your stack to attackers — disable it.
Learn more ▾ ▴
X-Powered-By and similar headers (X-AspNet-Version, X-Runtime) tell attackers which versions to target. Disable in your server/framework config: PHP `expose_php=Off`, ASP.NET `<httpRuntime enableVersionHeader="false">`, Express `app.disable('x-powered-by')`.
Source: OWASP
BWAF / Bot ProtectionNo WAF detected via response headersREVIEW
Csecurity.txtActionNo security.txt file foundREVIEW
security.txt
No security.txt found at /.well-known/security.txt
BCSP Inline-Style Readiness2 inline style attribute(s) detectedREVIEW
BTrusted Types (XSS Sink Hardening)Trusted Types not enabledREVIEW
CEmail SecurityActionDMARC: quarantine, DKIMREVIEW
MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Without MTA-STS, inbound mail can be silently downgraded to plain SMTP by a network attacker.
Learn more ▾ ▴
MTA-STS (RFC 8461) tells sending mail servers to use TLS and to refuse delivery if TLS fails. Requires both a TXT record at _mta-sts.<domain> AND a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Without it, an active attacker on the network path can strip STARTTLS and read the email in plaintext.
Source: RFC 8461
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
Without TLS-RPT, you have no visibility into inbound TLS failures — MTA-STS misconfigurations stay hidden until users complain.
Learn more ▾ ▴
TLS-RPT (RFC 8460) is the feedback channel for MTA-STS: senders post aggregate reports of TLS-handshake failures to the URI in your _smtp._tls TXT record. Without it, an MTA-STS misconfiguration silently rejects mail and you find out only when someone notices missing email.
Source: RFC 8460
CPermissions-PolicyAction0 directives, 5 missingREVIEW
Raw Header
Feature Permissions
BCORS ConfigurationNo CORS headersREVIEW
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
HTTP/2 provides multiplexing and header compression for better performance.
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.
Without OCSP stapling, every first-time visitor pays an extra OCSP roundtrip — and the CA learns who's visiting your site.
Learn more ▾ ▴
OCSP stapling has the server fetch its own revocation status from the CA and attach the signed response to the TLS handshake. Without it, browsers contact the CA directly: extra latency for the user and a privacy leak (the CA sees who connected). Enable ssl_stapling on (nginx) / SSLUseStapling On (Apache) / OCSPStapling = on (Caddy auto-enables).
Source: RFC 6961 / Mozilla Server-Side TLS guide
Certificate Chain
A+Cross-Origin Tab SafetyAll 1 new-tab link(s) carry rel=noopenerPASS
A+Source Map ExposureSource-map probe didn't run on this scanPASS
A+HTML Version DisclosureNo software-version disclosures in HTMLPASS
A+Open Redirect SurfaceNo redirect-shaped query parameters in DOM linksPASS
A+Subdomain Inventory ExposureNo risky subdomain names in certificate SANsPASS
A+Subresource IntegrityNo external resourcesPASS
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✓ Not found | Security Policy | — |
| /package.json | ✓ Not found | dependency-manifest | — |
| /composer.json | ✓ Not found | dependency-manifest | — |
| /Gemfile | ✓ Not found | dependency-manifest | — |
| /Gemfile.lock | ✓ Not found | dependency-manifest | — |
| /requirements.txt | ✓ Not found | dependency-manifest | — |
| /pom.xml | ✓ Not found | dependency-manifest | — |
| /.gitlab-ci.yml | ✓ Not found | ci-config | — |
| /.travis.yml | ✓ Not found | ci-config | — |