https://bing.com
Security
· 32 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.SCORE
79
GRADE
C
FIX
5
REVIEW
10
PASS
17
INFO
0
Checks
3217 PASS 10 REVIEW 5 FIX
FEmpty Page DetectionAction1 empty-page signal(s) detected -- page may be a placeholder or have content-rendering bugsFIX
Empty Page Detection
Action1 empty-page signal(s) detected -- page may be a placeholder or have content-rendering bugs
1 empty-page signal(s) detected -- page may be a placeholder or have content-rendering bugs
Critical::
Page body has only 32 chars of text -- likely empty / placeholder
After HTML stripping, the page body contains 32 characters of text content. Below 200 chars almost always means: (1) the page is a placeholder that was never filled in, (2) JavaScript was supposed to render content but failed, (3) the page is a redirect / interstitial / wrapper that should have a real status code other than 200, or (4) it's a legitimately small page like a single-form login (in which case this finding is a false positive that confirms 'minimal content' is intentional).
Review the page in a browser. If content is missing, the most common root cause is a JS-rendering pipeline that needs prerendering or server-side rendering for crawlers / scanners to capture content.
Got: 32 chars
FSubresource Integrity AdoptionAction0% SRI adoption (0/41 third-party resources)FIX
Subresource Integrity Adoption
Action0% SRI adoption (0/41 third-party resources)
0% SRI adoption (0/41 third-party resources)
Warning::
SRI adoption: 0/41 third-party resources protected (0%)
Of 41 third-party `<script>` / `<link rel=stylesheet>` resources, 0 (0%) declare a Subresource Integrity hash via the `integrity=` attribute. SRI binds the page to the exact bytes of the third-party resource: if the CDN is compromised, attacker-modified bytes won't match the declared hash and the browser refuses to execute the resource.
Missing SRI on (first 5 examples):
- https://r.bing.com/rs/2F/K/cc,nc/--1W9A1f5-07ByL9YFMiY5p9LQU.css?or=w
- https://r.bing.com/rs/4r/gL/cc,nc/07goh3UcBfqcS932cBgUIxdsGJA.css?or=w
- https://r.bing.com/rs/4r/go/cc,nc/X4V-IGCTgDxO69tbgGcZokQyezI.css?or=w
- https://r.bing.com/rb/2B/cir3,cc,nc/t6ilQvdm1Kf1VaabvAwljycjim4.css?bu=CPUB-AGZAqsCnAKcApwC5AI&or=w
- https://r.bing.com/rs/2B/5e/cir3,cc,nc/SU2qk8mq2PGo0FyvuJ0i_tgG07Y.css?or=w
Fix: add `integrity="sha384-..."` and `crossorigin="anonymous"` attributes. Generators: srihash.org, or in-browser via `await crypto.subtle.digest('SHA-384', bytes)`. Cache-bust the resource URL when you change versions, since the integrity hash will mismatch with old cached bytes.
Got: 0% (0/41)
FPermissions-Policy GranularityAction0% high-risk feature coverage (0/10)FIX
Permissions-Policy Granularity
Action0% high-risk feature coverage (0/10)
0% high-risk feature coverage (0/10)
Warning::
Permissions-Policy covers 0/10 high-risk features (0%)
The Permissions-Policy header explicitly declares policies for 0/10 high-risk features.
Covered:
Not declared (default-allow): camera, microphone, geolocation, payment, usb, serial, midi, accelerometer, gyroscope, magnetometer
The non-declared features fall back to their spec-default policy (usually `self`), which means an XSS-injected or compromised iframe could request them. For features the page genuinely doesn't use, declare `feature=()` to fully close them.
Got: 0% (0/10)
FSubresource IntegrityAction0 of 41 external resources have SRIFIX
Subresource Integrity
Action0 of 41 external resources have SRI
0 of 41 external resources have SRI
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/2F/K/cc,nc/--1W9A1f5-07ByL9YFMiY5p9LQU.css?or=w
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/4r/gL/cc,nc/07goh3UcBfqcS932cBgUIxdsGJA.css?or=w
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/4r/go/cc,nc/X4V-IGCTgDxO69tbgGcZokQyezI.css?or=w
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rb/2B/cir3,cc,nc/t6ilQvdm1Kf1VaabvAwljycjim4.css?bu=CPUB-AGZAqsCnAKcApwC5AI&or=w
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/2B/5e/cir3,cc,nc/SU2qk8mq2PGo0FyvuJ0i_tgG07Y.css?or=w
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/2B/51/cir3,cc,nc/x1HBFj_cCKGs7_W8sQu1qIG08Ds.css?or=w
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/2B/55/cc,nc/W_tjkOUJlG31h5vtzZZ5zq_W7v4.css?or=w
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/wczR3URZR4-oWjjc5idYK8_hr54.br.css
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/QA01mMR8jFPRQt-lGbR2aB5c8N8.br.css
Warning::
External link from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/4r/h1/cc,nc/m9A-h9ZDyKDFWzuPOpcChV5fCUU.css?or=w
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/xrUJJ8sN8ucbiFbMJle3n0IfRwU.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/LXu4eYVt3NhFk3Ud9ZbhZ_PYFaA.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/JXkjDPywJD9oeuWPLy7bD8Jc6mw.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/EbYhjPcYgLzlXDtyL3jnEeG9I5Y.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/GcuM2nW18B_Qg17rQ-hGOpyC7OU.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/6r/gm/jnc,nj/tlifxqsNyCzxIJnRwtQKuZToQQw.js?or=w
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/m1l120qFyPafc-sVK6cQd_52vcU.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/L-ycBm6EfgHjfdt-cxMAhgBT9is.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/74vbYYtIo-NrvnMTJk68juho3ck.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/i_38VWkfDgKOgIZwlxPRMrigfa4.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/Ybhcs1UcYzg-DFmGPSGJhlitXEM.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/KwfF0dl6YsqH8sMt7eZgN-JspcE.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/Axb5fMKAkOODfDCbAA8IbbuIEU4.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/lfBo8EU5RWtTH-mOI_lnNJ85Ja8.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/7SG4Hegtm4eOUbajVRXu5jKsYrE.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/pza6ITDkCh-3NA_F6Bfs0YtvFiM.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rb/5T/jnc,nj/iDmydssBbFY1ad3gHr--gHb_nsk.js?bu=BscEywTNBIYEtATZBA&or=w
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/PwjTjLAwycFuq4i8wD3bcxhdgN8.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/6r0416GnMn0B1a7ZAYesBCElPxc.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/_E4GPvY7TdWUsJ8zepXCcUA-zcI.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/6r/gm/jnc,nj/tlifxqsNyCzxIJnRwtQKuZToQQw.js?or=w
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/cfKt7bw67nxWZkkgOIRReDE3rQI.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/JLxV1JzWIP7PpLWcqMYVYqMzSmY.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/yt5G3936XbeOUUYvhktH-Zp37Ac.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/P2HIc9i0YbNHsa5EN1NTd-llI_k.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/i-SS1Dy3qt0ZGjyJ9-LpTEUaE9s.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rb/4P/jnc,nj/cKzGnam6-Fytml03VT3ixBZ9tTs.js?bu=A6UzqDOrMw&or=w
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/qwce00QJxdHzNxXh5H1mBc8QgBU.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rs/6r/gm/jnc,nj/tlifxqsNyCzxIJnRwtQKuZToQQw.js?or=w
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/fYa4G4wbz4PjD3tZaW3pycMuo2c.br.js
Warning::
External script from r.bing.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.bing.com/rp/Y-IofXCiouangPfEhpp6Z_AOYcM.br.js
SRI Coverage 0 / 41 of external resources have integrity hashes
| Tag | Domain | Integrity |
|---|---|---|
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <link> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
| <script> | r.bing.com | ✗ Missing |
CSecurity HeadersAction5 of 10 headers properly configuredREVIEW
Security Headers
Action5 of 10 headers properly configured
5 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=31536000; includeSubDomains; preload
Warning::
X-Content-Type-Options header is missing
This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.
Expected: nosniff
Warning::
X-Frame-Options header is missing
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected: DENY
Warning::
Referrer-Policy header is missing
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
Expected: strict-origin-when-cross-origin
Info::
Permissions-Policy is set
Got: unload=()
Info::
Content-Security-Policy is present
Got: script-src https: 'strict-dynamic' 'report-sample' 'wasm-unsafe-eval' 'nonce-3bK…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is not present
Info::
Domain is in the Chrome HSTS preload list (status: preloaded)
Got: preloaded
This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.
Expected:
nosniffWhy this matters
MIME sniffing lets browsers run uploaded files as JavaScript, turning a file upload into an XSS.
Learn more ▾ ▴
Setting X-Content-Type-Options: nosniff tells browsers to trust your declared Content-Type instead of guessing. Without it, an attacker who uploads a polyglot file can sometimes get it executed as a script. One header, no downside.
Source: OWASP / MDN
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected:
DENYWhy this matters
Without frame protection, your site can be embedded in a hostile page and used for clickjacking.
Learn more ▾ ▴
Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.
Source: OWASP / MDN
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
Expected:
strict-origin-when-cross-originWhy this matters
Default browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.
Learn more ▾ ▴
Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.
Source: MDN / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected:
same-originWhy this matters
COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected:
require-corpWhy this matters
COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
CContent Security PolicyAction5 of 10 CSP checks passedREVIEW
Content Security Policy
Action5 of 10 CSP checks passed
5 of 10 CSP checks passed
Info::
Raw CSP policy
Got: script-src https: 'strict-dynamic' 'report-sample' 'wasm-unsafe-eval' 'nonce-3bKnDdkad53RdcD+m9I91jGVImtMQ1Vd58AWzu+VuuA='; base-uri 'self';
Warning::
default-src directive is missing
default-src provides a fallback for other directives. Set it to restrict default resource loading.
Expected: default-src 'self'
Info::
No 'unsafe-inline' in script source
Info::
No 'unsafe-eval' in script source
Info::
No wildcard in script source
Info::
object-src falls back to default-src
Info::
base-uri is properly restricted
Got: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests
default-src provides a fallback for other directives. Set it to restrict default resource loading.
Expected:
default-src 'self'Why this matters
Security gaps expose your site and users to attacks, eroding trust.
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected:
frame-ancestors 'self'Why this matters
Security gaps expose your site and users to attacks, eroding trust.
form-action restricts where forms can submit data, preventing form hijacking.
Expected:
form-action 'self'Why this matters
Security gaps expose your site and users to attacks, eroding trust.
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected:
upgrade-insecure-requestsWhy this matters
Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.
Learn more ▾ ▴
Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.
Source: MDN CSP
Parsed Policy
script-src https:'strict-dynamic''report-sample''wasm-unsafe-eval''nonce-3bKnDdkad53RdcD+m9I91jGVImtMQ1Vd58AWzu+VuuA='
base-uri 'self'
BWAF / Bot ProtectionNo WAF detected via response headersREVIEW
WAF / Bot Protection
No WAF detected via response headers
No WAF detected via response headers
Info::
No WAF detected
Response headers don't match any known WAF or bot-management product. Sites exposed to abuse (login, signup, payment) typically benefit from a WAF such as Cloudflare, Akamai, AWS WAF, or Imperva.
Csecurity.txtActionNo security.txt file foundREVIEW
security.txt
ActionNo security.txt file found
No security.txt file found
Info::
No security.txt file found
security.txt (RFC 9116) provides a standardized way for security researchers to report vulnerabilities. Create one at /.well-known/security.txt with at least a Contact field.
Expected: /.well-known/security.txt
security.txt
No security.txt found at /.well-known/security.txt
BTrusted Types (XSS Sink Hardening)Trusted Types not enabledREVIEW
Trusted Types (XSS Sink Hardening)
Trusted Types not enabled
Trusted Types not enabled
Info::
Trusted Types not enabled
Trusted Types (CSP3) is a Chrome 83+ defense that requires DOM-XSS sinks (innerHTML, document.write, eval, ...) to receive a typed-and-sanitized value rather than a raw string. Adding `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default` neutralizes most DOM-XSS even when a payload reaches a sink. Adoption is currently ~0.1% of pages so this is informational; a roll-out usually starts in report-only mode.
BReferrer-Policy StrictnessReferrer-Policy header not set -- browser default applies (modern: strict-origin-when-cross-origin; legacy browsers: no-referrer-when-downgrade)REVIEW
Referrer-Policy Strictness
Referrer-Policy header not set -- browser default applies (modern: strict-origin-when-cross-origin; legacy browsers: no-referrer-when-downgrade)
Referrer-Policy header not set -- browser default applies (modern: strict-origin-when-cross-origin; legacy browsers: no-referrer-when-downgrade)
Info::
Referrer-Policy header not set -- browser default applies
Without an explicit `Referrer-Policy` header, the browser falls back to its default policy. Modern browsers (Chrome 85+, Firefox 87+, Safari 15+) default to `strict-origin-when-cross-origin`, which is privacy-safe. Legacy browsers default to the leaky `no-referrer-when-downgrade`, which sends the full URL (including path + query) on cross-origin HTTPS-to-HTTPS requests. Set an explicit header to ensure consistent behavior:
```
Referrer-Policy: strict-origin-when-cross-origin
```
This matches the modern browser default and is privacy-safe without breaking referrer-based same-origin analytics.
Got: header absent
BSubdomain Inventory Exposure2 risky subdomain name(s) in certificate SANsREVIEW
Subdomain Inventory Exposure
2 risky subdomain name(s) in certificate SANs
2 risky subdomain name(s) in certificate SANs
Info::
2 risky subdomain name(s) advertised in certificate SANs
These names are publicly visible via Certificate Transparency logs (crt.sh, censys.io) -- any attacker can enumerate them in seconds. Operators are often unaware that internal/staging/admin endpoints are inadvertently advertised this way. Mitigation: use a wildcard cert that doesn't enumerate, issue per-environment certs without non-prod SANs on the prod cert, or move internal services to private DNS off the public cert.
Got: beta.search.live.com, test.maps.live.com
BEmail SecurityDMARC: reject, SPF: -allREVIEW
Email Security
DMARC: reject, SPF: -all
DMARC: reject, SPF: -all
Info::
DMARC policy is reject — strongest protection
Info::
SPF ends in -all (hard fail) — strongest setting
Info::
No DKIM detected via common selectors
DKIM signs outbound mail to prove origin. We probed common selectors (default, google, selector1, etc.) without finding a record. If you use a non-standard selector, this is a false negative.
Warning::
MTA-STS policy file present but DNS record missing
The policy file exists but no _mta-sts TXT record was found. Senders rely on the TXT record to discover and version the policy.
Info::
TLS-RPT not configured
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
Info::
BIMI not configured
BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.
DMARC
Policy reject — strongest protection Record v=DMARC1; p=reject; pct=100; rua=mailto:BingEmailDMARC@microsoft.com;
The policy file exists but no _mta-sts TXT record was found. Senders rely on the TXT record to discover and version the policy.
Why this matters
MTA-STS policy file is reachable but no _mta-sts TXT record exists, so senders can't discover or version-pin the policy.
Learn more ▾ ▴
Senders look up the _mta-sts TXT record first to learn the current policy ID; without it they treat the policy as absent. Publish a TXT record at _mta-sts.<domain> with v=STSv1; id=<policy-version>.
Source: RFC 8461 §3.1
DKIM signs outbound mail to prove origin. We probed common selectors (default, google, selector1, etc.) without finding a record. If you use a non-standard selector, this is a false negative.
Why this matters
No DKIM signature on outbound mail — receivers can't cryptographically prove the message came from your domain.
Learn more ▾ ▴
DKIM signs outbound mail with a private key whose public half lives in DNS at <selector>._domainkey.<domain>. Without DKIM, DMARC alone can't tell legitimate mail from spoofs, and large mailbox providers (Gmail, Yahoo) increasingly require DKIM for inbox placement. Note: this check probes a curated list of common selectors; non-standard selectors produce a false negative.
Source: RFC 6376 / Google + Yahoo 2024 sender requirements
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
Why this matters
Without TLS-RPT, you have no visibility into inbound TLS failures — MTA-STS misconfigurations stay hidden until users complain.
Learn more ▾ ▴
TLS-RPT (RFC 8460) is the feedback channel for MTA-STS: senders post aggregate reports of TLS-handshake failures to the URI in your _smtp._tls TXT record. Without it, an MTA-STS misconfiguration silently rejects mail and you find out only when someone notices missing email.
Source: RFC 8460
BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.
Why this matters
Security gaps expose your site and users to attacks, eroding trust.
CPermissions-PolicyAction1 directives, 5 missingREVIEW
Permissions-Policy
Action1 directives, 5 missing
1 directives, 5 missing
Info::
unload=() — blocked for all origins
Info::
camera not restricted
Consider adding camera=() to block camera access from embedded content.
Info::
microphone not restricted
Consider adding microphone=() to block microphone access from embedded content.
Info::
geolocation not restricted
Consider adding geolocation=() to block geolocation access from embedded content.
Info::
payment not restricted
Consider adding payment=() to block payment access from embedded content.
Info::
usb not restricted
Consider adding usb=() to block usb access from embedded content.
Raw Header
unload=()
Feature Permissions
Blocked Self Only Unrestricted Not Set
unload Blocked
camera Not Set
microphone Not Set
geolocation Not Set
payment Not Set
usb Not Set
BCORS ConfigurationNo CORS headersREVIEW
CORS Configuration
No CORS headers
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration ✓ Secure
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
A+TLS & CertificatesTLS 1.3, 8 checks passedPASS
TLS & Certificates
TLS 1.3, 8 checks passed
TLS 1.3, 8 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_256_GCM_SHA384
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
OCSP stapling enabled
Info::
Certificate is valid (expires in 157 days)
Got: 2026-10-30T03:13:55Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA384-RSA
Info::
Certificate covers 67 domain(s)
Got: *.platform.bing.com, *.bing.com, bing.com, ieonline.microsoft.com, *.windowssearch.com, cn.ieonline.microsoft.com, *.origin.bing.com, *.mm.bing.net, *.api.bing.com, *.cn.bing.net, *.cn.bing.com, ssl-api.bing.com, ssl-api.bing.net, *.api.bing.net, *.bingapis.com, bingsandbox.com, feedback.microsoft.com, insertmedia.bing.office.net, r.bat.bing.com, *.r.bat.bing.com, *.dict.bing.com, *.ssl.bing.com, *.appex.bing.com, *.platform.cn.bing.com, wp.m.bing.com, *.m.bing.com, global.bing.com, windowssearch.com, search.msn.com, *.bingsandbox.com, *.api.tiles.ditu.live.com, *.t0.tiles.ditu.live.com, *.t1.tiles.ditu.live.com, *.t2.tiles.ditu.live.com, *.t3.tiles.ditu.live.com, 3d.live.com, api.search.live.com, beta.search.live.com, cnweb.search.live.com, ditu.live.com, farecast.live.com, image.live.com, images.live.com, local.live.com.au, localsearch.live.com, ls4d.search.live.com, mail.live.com, mapindia.live.com, local.live.com, maps.live.com, maps.live.com.au, mindia.live.com, news.live.com, origin.cnweb.search.live.com, preview.local.live.com, search.live.com, test.maps.live.com, video.live.com, videos.live.com, virtualearth.live.com, wap.live.com, webmaster.live.com, www.local.live.com.au, www.maps.live.com.au, webmasters.live.com, ecn.dev.virtualearth.net, www.bing.com
Info::
Certificate is issued by a trusted CA
Got: CN=Microsoft TLS G2 RSA CA OCSP 02,O=Microsoft Corporation,C=US
HTTP/2 provides multiplexing and header compression for better performance.
Why this matters
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_256_GCM_SHA384
HTTP Version
HTTP/1.1
Certificate Chain
Leaf Certificate
Subject CN=www.bing.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=USIssuer CN=Microsoft TLS G2 RSA CA OCSP 02,O=Microsoft Corporation,C=USValid 2026-05-03T03:13:55Z → 2026-10-30T03:13:55ZExpires in 157 days SANs *.platform.bing.com, *.bing.com, bing.com, ieonline.microsoft.com, *.windowssearch.com, cn.ieonline.microsoft.com, *.origin.bing.com, *.mm.bing.net, *.api.bing.com, *.cn.bing.net, *.cn.bing.com, ssl-api.bing.com, ssl-api.bing.net, *.api.bing.net, *.bingapis.com, bingsandbox.com, feedback.microsoft.com, insertmedia.bing.office.net, r.bat.bing.com, *.r.bat.bing.com, *.dict.bing.com, *.ssl.bing.com, *.appex.bing.com, *.platform.cn.bing.com, wp.m.bing.com, *.m.bing.com, global.bing.com, windowssearch.com, search.msn.com, *.bingsandbox.com, *.api.tiles.ditu.live.com, *.t0.tiles.ditu.live.com, *.t1.tiles.ditu.live.com, *.t2.tiles.ditu.live.com, *.t3.tiles.ditu.live.com, 3d.live.com, api.search.live.com, beta.search.live.com, cnweb.search.live.com, ditu.live.com, farecast.live.com, image.live.com, images.live.com, local.live.com.au, localsearch.live.com, ls4d.search.live.com, mail.live.com, mapindia.live.com, local.live.com, maps.live.com, maps.live.com.au, mindia.live.com, news.live.com, origin.cnweb.search.live.com, preview.local.live.com, search.live.com, test.maps.live.com, video.live.com, videos.live.com, virtualearth.live.com, wap.live.com, webmaster.live.com, www.local.live.com.au, www.maps.live.com.au, webmasters.live.com, ecn.dev.virtualearth.net, www.bing.comSignature SHA384-RSASerial 410020c2af40bcac285cdd2a9a00000020c2af
Intermediate (CA Certificate)
Subject CN=Microsoft TLS G2 RSA CA OCSP 02,O=Microsoft Corporation,C=USIssuer CN=Microsoft TLS RSA Root G2,O=Microsoft Corporation,C=USValid 2025-08-01T20:03:00Z → 2029-06-03T20:03:00ZExpires in 1105 days Signature SHA384-RSASerial 330000000c4964a16f44203b2200000000000c
Intermediate (CA Certificate)
Subject CN=Microsoft TLS RSA Root G2,O=Microsoft Corporation,C=USIssuer CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=USValid 2025-05-21T00:00:00Z → 2029-06-19T23:59:59ZExpires in 1121 days Signature SHA384-RSASerial b0c6b2c466917b04773c647d4afc0c8
A+Cross-Origin Tab SafetyNo new-tab links found -- no tabnabbing surfacePASS
Cross-Origin Tab Safety
No new-tab links found -- no tabnabbing surface
No new-tab links found -- no tabnabbing surface
Info::
No new-tab links present
A+CSP Inline-Style ReadinessNo inline style attributes -- strict CSP is feasiblePASS
CSP Inline-Style Readiness
No inline style attributes -- strict CSP is feasible
No inline style attributes -- strict CSP is feasible
Info::
No inline style attributes detected
A+Bot Challenge DetectionScan reached real page content (no bot-protection interstitial)PASS
Bot Challenge Detection
Scan reached real page content (no bot-protection interstitial)
Scan reached real page content (no bot-protection interstitial)
Info::
No bot-protection interstitial detected -- the rest of the report reflects the real page
A+Soft-404 DetectionHTTP status is non-2xx -- soft-404 check is N/APASS
Soft-404 Detection
HTTP status is non-2xx -- soft-404 check is N/A
HTTP status is non-2xx -- soft-404 check is N/A
Info::
HTTP status is non-2xx -- soft-404 check is N/A
A+Geo-Restriction DetectionNo geo-restriction signals detected -- scan reached the page from an allowed regionPASS
Geo-Restriction Detection
No geo-restriction signals detected -- scan reached the page from an allowed region
No geo-restriction signals detected -- scan reached the page from an allowed region
Info::
No geo-restriction detected
A+Maintenance Mode DetectionNo maintenance-mode signals detected -- scan reached a normal pagePASS
Maintenance Mode Detection
No maintenance-mode signals detected -- scan reached a normal page
No maintenance-mode signals detected -- scan reached a normal page
Info::
No maintenance-mode signals detected
A+CORS DepthNo CORS response headers -- the resource is same-origin-only by browser defaultPASS
CORS Depth
No CORS response headers -- the resource is same-origin-only by browser default
No CORS response headers -- the resource is same-origin-only by browser default
Info::
No CORS response headers -- the resource is same-origin-only by browser default
A+Source Map ExposureNo source maps accessible (probed 1 candidate URL(s))PASS
Source Map Exposure
No source maps accessible (probed 1 candidate URL(s))
No source maps accessible (probed 1 candidate URL(s))
Info::
No source maps accessible across 1 probed candidate(s)
A+HTML Version DisclosureNo software-version disclosures in HTMLPASS
HTML Version Disclosure
No software-version disclosures in HTML
No software-version disclosures in HTML
Info::
No software-version disclosures in HTML
A+Open Redirect SurfaceNo redirect-shaped query parameters in DOM linksPASS
Open Redirect Surface
No redirect-shaped query parameters in DOM links
No redirect-shaped query parameters in DOM links
Info::
No redirect-shaped query parameters in DOM links
A+Auth SecurityPage is not a login form -- auth-security checks are N/APASS
Auth Security
Page is not a login form -- auth-security checks are N/A
Page is not a login form -- auth-security checks are N/A
Info::
Page does not appear to be a login form
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
JS Library Vulnerabilities
No known vulnerabilities
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
Information Leakage
No exposures
No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✓ Not found | Security Policy | — |
| /package.json | ✓ Not found | dependency-manifest | — |
| /composer.json | ✓ Not found | dependency-manifest | — |
| /Gemfile | ✓ Not found | dependency-manifest | — |
| /Gemfile.lock | ✓ Not found | dependency-manifest | — |
| /requirements.txt | ✓ Not found | dependency-manifest | — |
| /pom.xml | ✓ Not found | dependency-manifest | — |
| /.gitlab-ci.yml | ✓ Not found | ci-config | — |
| /.travis.yml | ✓ Not found | ci-config | — |
A+API SurfaceNo API specs or GraphQL introspection found (probed 11 candidate path(s))PASS
API Surface
No API specs or GraphQL introspection found (probed 11 candidate path(s))
No API specs or GraphQL introspection found (probed 11 candidate path(s))
Info::
No API specs or GraphQL introspection found (probed 11 path(s))
A+Transport SecurityHTTP/3, HSTS, and TLS version analysisPASS
Transport Security
HTTP/3, HSTS, and TLS version analysis
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) supported
The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.