Skip to content
https://conengagroup.com

Security

· 33 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
87
GRADE
B
FIX
4
REVIEW
7
PASS
22
INFO
0
Checks
33
22 PASS 7 REVIEW 4 FIX
F
Content Security Policy
Action
No enforcing CSP policy found
FIX
No enforcing CSP policy found
Critical::
No Content-Security-Policy header found
CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.
Expected: default-src 'self'
Info::
Content-Security-Policy-Report-Only is set but does not enforce
Report-Only logs violations but does not block them. Deploy an enforcing policy when ready.
Got: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://matomo.conengagroup.com https://www.youtube.…

CSP is the most effective defense against XSS attacks. Add a Content-Security-Policy header to restrict resource loading.

Expected: default-src 'self'
Why this matters

Without a CSP, a single XSS bug can exfiltrate everything users type — credentials, payment data, session tokens.

Learn more

Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever. Start in Report-Only mode, fix violations, then graduate to enforcing.

Source: OWASP / MDN

Report-Only logs violations but does not block them. Deploy an enforcing policy when ready.

Why this matters

Report-Only CSP catches violations but doesn't block them — protection is only realized when you graduate to enforcing.

Learn more

Report-Only mode is the right starting point: deploy, monitor reports for a week, fix violations, then graduate to enforcing CSP. Sites that get stuck in Report-Only forever have all the operational cost of a CSP with none of the security benefit. Once your reports are clean, swap the header name to `Content-Security-Policy`.

Source: MDN CSP

D
CSP Inline-Style Readiness
Action
192 inline style attribute(s) detected
FIX
192 inline style attribute(s) detected
Warning::
192 inline style attribute(s) detected
Each `style=""` attribute forces `style-src 'unsafe-inline'` in any Content-Security-Policy, which negates most of CSP's XSS-mitigation value. 192 inline style(s) is high. Affected element types include: div, span, h2, a, i. Move styles to a stylesheet; use CSS custom properties for runtime-dynamic values; or adopt a nonce/hash CSP policy. Most teams take the stylesheet path because it's also a maintainability win.
D
Permissions-Policy Granularity
Action
30% high-risk feature coverage (3/10)
FIX
30% high-risk feature coverage (3/10)
Warning::
Permissions-Policy covers 3/10 high-risk features (30%)
The Permissions-Policy header explicitly declares policies for 3/10 high-risk features. Covered: camera, microphone, geolocation Not declared (default-allow): payment, usb, serial, midi, accelerometer, gyroscope, magnetometer The non-declared features fall back to their spec-default policy (usually `self`), which means an XSS-injected or compromised iframe could request them. For features the page genuinely doesn't use, declare `feature=()` to fully close them.
Got: 30% (3/10)
D
HTML Version Disclosure
Action
2 software version(s) disclosed in HTML
FIX
2 software version(s) disclosed in HTML
Warning::
2 software version(s) disclosed in HTML: Site Kit by Google 1.182.0, WPML ver:4.9.5 stt:1,3;
Each disclosed version enables direct CVE lookup -- an attacker who knows you run WordPress 6.4.2 (or whatever specific version) can search the CVE database for known exploits and target accordingly. Remove via your CMS config: WordPress (`remove_action('wp_head', 'wp_generator')`); Drupal (System / Reports / Status report -> Hide generator); Joomla (Global Configuration -> Hide generator); Hugo/Jekyll (delete or override the {{ .Site.Generator }} template hook). For HTML comments, audit your template files directly.
C
Security Headers
Action
6 of 10 headers properly configured
REVIEW
6 of 10 headers properly configured
Warning::
HSTS is missing includeSubDomains
Without includeSubDomains, subdomains can still be accessed over HTTP.
Got: max-age=31536000 Expected: max-age=31536000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Info::
Referrer-Policy is properly configured
Got: strict-origin-when-cross-origin
Info::
Permissions-Policy is set
Got: geolocation=(), microphone=(), camera=()
Critical::
Content-Security-Policy header is missing
CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.
Expected: default-src 'self'
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: nginx
Info::
Domain is not in the Chrome HSTS preload list (status: unknown)
Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).
Got: unknown

CSP is the most important header for preventing XSS attacks. See the CSP section for detailed analysis.

Expected: default-src 'self'
Why this matters

Without a CSP, a single XSS bug can exfiltrate everything your users type — including credentials.

Learn more

Content-Security-Policy is the browser-enforced firewall against XSS. With a strict CSP, a script injection that would otherwise steal session cookies or rewrite the page is silently blocked. Without it, your only defense is hoping every input on every form is escaped correctly forever.

Source: OWASP / MDN

Without includeSubDomains, subdomains can still be accessed over HTTP.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without includeSubDomains, a forgotten dev subdomain over HTTP can set malicious cookies that ride to the apex.

Learn more

HSTS without includeSubDomains protects only the exact domain. Cookies set on a non-HSTS subdomain can ride to the apex via cookie-scope attacks. The fix is one directive append. Verify all subdomains support HTTPS first — adding includeSubDomains to a domain with HTTP-only subdomains breaks them.

Source: RFC 6797

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).

Why this matters

Not in the Chrome preload list — first-time visitors over plain HTTP can be downgraded by a network attacker before HSTS kicks in.

Learn more

The HSTS header only protects users who have already visited the site (TOFU window). Adding your domain to the Chrome preload list closes that gap so HSTS is enforced from the very first connection. Requires a preload-ready header (max-age=31536000+, includeSubDomains, preload) then submission at hstspreload.org. Inclusion ships in the next Chrome release after acceptance.

Source: hstspreload.org

B
WAF / Bot Protection
No WAF detected via response headers
REVIEW
No WAF detected via response headers
Info::
No WAF detected
Response headers don't match any known WAF or bot-management product. Sites exposed to abuse (login, signup, payment) typically benefit from a WAF such as Cloudflare, Akamai, AWS WAF, or Imperva.
C
security.txt
Action
No security.txt file found
REVIEW
No security.txt file found
Info::
No security.txt file found
security.txt (RFC 9116) provides a standardized way for security researchers to report vulnerabilities. Create one at /.well-known/security.txt with at least a Contact field.
Expected: /.well-known/security.txt

security.txt

No security.txt found at /.well-known/security.txt

B
Trusted Types (XSS Sink Hardening)
Trusted Types not enabled
REVIEW
Trusted Types not enabled
Info::
Trusted Types not enabled
Trusted Types (CSP3) is a Chrome 83+ defense that requires DOM-XSS sinks (innerHTML, document.write, eval, ...) to receive a typed-and-sanitized value rather than a raw string. Adding `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default` neutralizes most DOM-XSS even when a payload reaches a sink. Adoption is currently ~0.1% of pages so this is informational; a roll-out usually starts in report-only mode.
B
Permissions-Policy
3 directives, 2 missing
REVIEW
3 directives, 2 missing
Info::
geolocation=() — blocked for all origins
Info::
microphone=() — blocked for all origins
Info::
camera=() — blocked for all origins
Info::
payment not restricted
Consider adding payment=() to block payment access from embedded content.
Info::
usb not restricted
Consider adding usb=() to block usb access from embedded content.

Raw Header

geolocation=() microphone=() camera=()

Feature Permissions

Blocked Self Only Unrestricted Not Set
geolocation Blocked
microphone Blocked
camera Blocked
payment Not Set
usb Not Set
B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
C
Known vulnerability matches
Action
9 known vulnerability match(es) against detected tech
REVIEW

Known Vulnerabilities

LibraryVersionSeveritySummaryFixed In
Bootstrap3.3.5mediumXSS is possible in the data-target attribute.3.4.0
Bootstrap3.3.5mediumXSS in collapse data-parent attribute3.4.0
Bootstrap3.3.5mediumXSS in data-target property of scrollspy3.4.0
Bootstrap3.3.5mediumXSS in data-container property of tooltip3.4.0
Bootstrap3.3.5mediumIn Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.3.4.0
Bootstrap3.3.5mediumIn Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.3.4.0
Bootstrap3.3.5mediumXSS in data-template, data-content and data-title properties of tooltip/popover3.4.1
Bootstrap3.3.5mediumBootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes3.4.1
Bootstrap3.3.5lowBootstrap before 4.0.0 is end-of-life and no longer maintained.3.999.999
A+
TLS & Certificates
TLS 1.3, 7 checks passed
PASS
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_256_GCM_SHA384
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
OCSP stapling not enabled
Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.
Info::
Certificate is valid (expires in 74 days)
Got: 2026-09-23T11:56:36Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 4 domain(s)
Got: conenga.com, conengagroup.com, www.conenga.com, www.conengagroup.com
Info::
Certificate is issued by a trusted CA
Got: CN=YR1,O=Let's Encrypt,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.

Why this matters

Without OCSP stapling, every first-time visitor pays an extra OCSP roundtrip — and the CA learns who's visiting your site.

Learn more

OCSP stapling has the server fetch its own revocation status from the CA and attach the signed response to the TLS handshake. Without it, browsers contact the CA directly: extra latency for the user and a privacy leak (the CA sees who connected). Enable ssl_stapling on (nginx) / SSLUseStapling On (Apache) / OCSPStapling = on (Caddy auto-enables).

Source: RFC 6961 / Mozilla Server-Side TLS guide

Connection
Protocol
TLS 1.3
Cipher Suite
TLS_AES_256_GCM_SHA384
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=conengagroup.comIssuer CN=YR1,O=Let's Encrypt,C=USValid 2026-06-25T11:56:37Z → 2026-09-23T11:56:36ZExpires in 74 days SANs conenga.com, conengagroup.com, www.conenga.com, www.conengagroup.comSignature SHA256-RSASerial 5f546bfbdde88b5a4e52e1735211213dc98
Intermediate (CA Certificate)
Subject CN=YR1,O=Let's Encrypt,C=USIssuer CN=Root YR,O=ISRG,C=USValid 2025-09-03T00:00:00Z → 2028-09-02T23:59:59ZExpires in 785 days Signature SHA256-RSASerial a20253f15f2691c05dc1ce13b9bcca4e
Intermediate (CA Certificate)
Subject CN=Root YR,O=ISRG,C=USIssuer CN=ISRG Root X1,O=Internet Security Research Group,C=USValid 2026-05-13T00:00:00Z → 2032-09-02T23:59:59ZExpires in 2246 days Signature SHA256-RSASerial f24b6d17f9d9ad7cb1c9fea78782699f
A+
Cookie Security
No cookies set — no cookie security risks
PASS
No cookies set — no cookie security risks
Info::
No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+
Cross-Origin Tab Safety
All 26 new-tab link(s) carry rel=noopener
PASS
All 26 new-tab link(s) carry rel=noopener
Info::
All 26 new-tab link(s) carry rel=noopener
A+
Bot Challenge Detection
Scan reached real page content (no bot-protection interstitial)
PASS
Scan reached real page content (no bot-protection interstitial)
Info::
No bot-protection interstitial detected -- the rest of the report reflects the real page
A+
Soft-404 Detection
No soft-404 patterns detected in page title or headings
PASS
No soft-404 patterns detected in page title or headings
Info::
No soft-404 patterns detected in page title or headings
A+
Empty Page Detection
Page has substantive body text and no placeholder / template-leak signals
PASS
Page has substantive body text and no placeholder / template-leak signals
Info::
Page has substantive body text and no placeholder / template-leak signals
A+
Geo-Restriction Detection
No geo-restriction signals detected -- scan reached the page from an allowed region
PASS
No geo-restriction signals detected -- scan reached the page from an allowed region
Info::
No geo-restriction detected
A+
Maintenance Mode Detection
No maintenance-mode signals detected -- scan reached a normal page
PASS
No maintenance-mode signals detected -- scan reached a normal page
Info::
No maintenance-mode signals detected
A+
Subresource Integrity Adoption
Page has no third-party scripts or stylesheets -- SRI not applicable
PASS
Page has no third-party scripts or stylesheets -- SRI not applicable
Info::
No third-party scripts or stylesheets to protect with SRI
A+
CORS Depth
No CORS response headers -- the resource is same-origin-only by browser default
PASS
No CORS response headers -- the resource is same-origin-only by browser default
Info::
No CORS response headers -- the resource is same-origin-only by browser default
A+
Referrer-Policy Strictness
Referrer-Policy is `strict-origin-when-cross-origin` (modern default -- full URL same-origin, origin-only cross-origin)
PASS
Referrer-Policy is `strict-origin-when-cross-origin` (modern default -- full URL same-origin, origin-only cross-origin)
Info::
Referrer-Policy: `strict-origin-when-cross-origin` -- modern default -- full URL same-origin, origin-only cross-origin
The modern browser default (Chrome 85+, Firefox 87+, Safari 15+). Full URL Referer on same-origin; origin only on cross-origin; no Referer on HTTPS-to-HTTP downgrade. Privacy-safe and breaks no analytics. The recommended explicit value.
Got: strict-origin-when-cross-origin
A+
Source Map Exposure
No source maps accessible (probed 3 candidate URL(s))
PASS
No source maps accessible (probed 3 candidate URL(s))
Info::
No source maps accessible across 3 probed candidate(s)
A+
Open Redirect Surface
No redirect-shaped query parameters in DOM links
PASS
No redirect-shaped query parameters in DOM links
Info::
No redirect-shaped query parameters in DOM links
A+
Auth Security
Page is not a login form -- auth-security checks are N/A
PASS
Page is not a login form -- auth-security checks are N/A
Info::
Page does not appear to be a login form
A+
Subdomain Inventory Exposure
No risky subdomain names in certificate SANs
PASS
No risky subdomain names in certificate SANs
Info::
No risky subdomain names in certificate SANs
A+
Subresource Integrity
No external resources
PASS
No external resources
Info::
No external resources to protect
SRI Coverage No external resources — SRI not applicable
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt Not foundSecurity Policy
/package.json Not founddependency-manifest
/composer.json Not founddependency-manifest
/Gemfile Not founddependency-manifest
/Gemfile.lock Not founddependency-manifest
/requirements.txt Not founddependency-manifest
/pom.xml Not founddependency-manifest
/.gitlab-ci.yml Not foundci-config
/.travis.yml Not foundci-config
A
Email Security
DMARC: reject, SPF: -all, DKIM
PASS
DMARC: reject, SPF: -all, DKIM
Info::
DMARC policy is reject — strongest protection
Info::
DMARC enforced on only 25% of failing mail (pct=25)
Receivers apply your policy to only this percentage of authentication failures. The rest are delivered as if no policy existed. Move to pct=100 once you've verified DMARC reports look clean.
Info::
SPF ends in -all (hard fail) — strongest setting
Info::
DKIM configured (selectors: selector2, selector1, k2, s1, s2)
Info::
MTA-STS not configured
MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Info::
TLS-RPT not configured
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
Info::
BIMI not configured
BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.
DMARC
Policy reject — strongest protection Record v=DMARC1; p=reject;pct=25;rua=mailto:postmaster@conengagroup.com

Receivers apply your policy to only this percentage of authentication failures. The rest are delivered as if no policy existed. Move to pct=100 once you've verified DMARC reports look clean.

Why this matters

Informational: a labeled value pair from the audit.

MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.

Why this matters

Without MTA-STS, inbound mail can be silently downgraded to plain SMTP by a network attacker.

Learn more

MTA-STS (RFC 8461) tells sending mail servers to use TLS and to refuse delivery if TLS fails. Requires both a TXT record at _mta-sts.<domain> AND a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Without it, an active attacker on the network path can strip STARTTLS and read the email in plaintext.

Source: RFC 8461

TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.

Why this matters

Without TLS-RPT, you have no visibility into inbound TLS failures — MTA-STS misconfigurations stay hidden until users complain.

Learn more

TLS-RPT (RFC 8460) is the feedback channel for MTA-STS: senders post aggregate reports of TLS-handshake failures to the URI in your _smtp._tls TXT record. Without it, an MTA-STS misconfiguration silently rejects mail and you find out only when someone notices missing email.

Source: RFC 8460

BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

A+
API Surface
No API specs or GraphQL introspection found (probed 11 candidate path(s))
PASS
No API specs or GraphQL introspection found (probed 11 candidate path(s))
Info::
No API specs or GraphQL introspection found (probed 11 path(s))
A
Transport Security
HTTP/3, HSTS, and TLS version analysis
PASS
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (base policy)
Info::
HSTS missing includeSubDomains
Without includeSubDomains, HSTS only protects the exact domain.
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback