Security - https://doubleverify.com BeaverCheck Audit

F

Subresource Integrity

Action

0 of 14 external resources have SRI

FIX

0 of 14 external resources have SRI

External script from js.hs-analytics.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://js.hs-analytics.net/analytics/1776359700000/46126064.js

External script from js.hs-banner.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://js.hs-banner.com/v2/46126064/banner.js

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=AW-709822676&cx=c&gtm=4e64f0

External script from munchkin.marketo.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: //munchkin.marketo.net/165/munchkin.js

External script from snap.licdn.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://snap.licdn.com/li.lms-analytics/insight.min.js

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=G-N856K2BR7S

External script from munchkin.marketo.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: //munchkin.marketo.net/munchkin.js

External script from www.googletagmanager.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://www.googletagmanager.com/gtag/js?id=AW-709822676

External script from acsbapp.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://acsbapp.com/apps/app/dist/js/app.js

External script from static.userback.io lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://static.userback.io/widget/v1.js

External script from googleads.g.doubleclick.net lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://googleads.g.doubleclick.net/pagead/viewthroughconversion/709822676/?random=1776359899110&cv=11&fst=1776359899110&bg=ffffff&guid=ON&async=1&en=gtag.config&gtm=45be64f0v898834724za200zb9103004309zd9103004309xec&gcd=13r3r3r3r5l1&dma=0&tag_exp=0~115938465~115938469~117266400~118131809&u_w=800&u_h=600&url=https%3A%2F%2Fdoubleverify.com%2F&rcb=3&frm=0&tiba=DoubleVerify%3A%20Driving%20Superior%20Outcomes%20For%20Global%20Brands&did=dZTQ1Zm&gdid=dZTQ1Zm&hn=www.googleadservices.com&npa=0&pscdl=noapi&auid=2004305067.1776359899&uaa=x86&uab=64&uafvl=Not-A.Brand%3B24.0.0.0%7CChromium%3B146.0.7680.164&uamb=0&uam=&uap=Linux&uapv=&uaw=0&data=event%3Dgtag.config&rfmt=3&fmt=4

External script from js.hubspot.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://js.hubspot.com/web-interactives-embed.js

External script from consent.trustarc.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: https://consent.trustarc.com/asset/notice.js/v/v1.7-1729

External script from consent.trustarc.com lacks integrity attribute

Without SRI, if this CDN is compromised, attackers could inject malicious code.

Got: //consent.trustarc.com/notice?domain=doubleverify.com&c=teconsent&js=nj&noticeType=bb&text=true&gtm=1&pcookie

SRI Coverage 0 / 14 of external resources have integrity hashes

Tag	Domain	Integrity
<script>	js.hs-analytics.net	✗ Missing
<script>	js.hs-banner.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	munchkin.marketo.net	✗ Missing
<script>	snap.licdn.com	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	munchkin.marketo.net	✗ Missing
<script>	www.googletagmanager.com	✗ Missing
<script>	acsbapp.com	✗ Missing
<script>	static.userback.io	✗ Missing
<script>	googleads.g.doubleclick.net	✗ Missing
<script>	js.hubspot.com	✗ Missing
<script>	consent.trustarc.com	✗ Missing
<script>	consent.trustarc.com	✗ Missing

D

Permissions-Policy

Action

No header set

FIX

No header set

No Permissions-Policy header

Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()

D

security.txt

Action

No /.well-known/security.txt published

FIX

security.txt

No security.txt found at /.well-known/security.txt

B

Security Headers

7 of 10 headers properly configured

REVIEW

7 of 10 headers properly configured

Strict-Transport-Security is properly configured

Got: max-age=31536000; includeSubDomains; preload

X-Content-Type-Options is properly configured

Got: nosniff

X-Frame-Options is properly configured

Got: DENY

Referrer-Policy is properly configured

Got: no-referrer-when-downgrade

Permissions-Policy header is missing

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()

Content-Security-Policy is present

Got: upgrade-insecure-requests

Cross-Origin-Opener-Policy header is missing

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Cross-Origin-Embedder-Policy header is missing

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

X-Powered-By header is not present

Server header is present without version info

Got: cloudflare

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()

Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more ▾

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin

Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more ▾

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp

Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more ▾

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

C

Content Security Policy

Action

2 of 11 CSP checks passed

REVIEW

2 of 11 CSP checks passed

Raw CSP policy

Got: upgrade-insecure-requests

default-src directive is missing

default-src provides a fallback for other directives. Set it to restrict default resource loading.

Expected: default-src 'self'

No script-src or default-src to check for 'unsafe-inline'

No script-src or default-src to check for 'unsafe-eval'

No script-src or default-src to check for wildcard

object-src falls back to default-src

base-uri directive is missing

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'

frame-ancestors directive is missing

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

form-action directive is missing

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

upgrade-insecure-requests is enabled

Content-Security-Policy-Report-Only is also set

A report-only policy is active alongside the enforcing policy for monitoring.

Got: default-src 'self'; script-src 'self' hubapi.com *.hubapi.com hubspot.com *.hubspot.com app.hubspot.com hubspotuserconte…

default-src provides a fallback for other directives. Set it to restrict default resource loading.

Expected: default-src 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'

Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more ▾

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

A report-only policy is active alongside the enforcing policy for monitoring.

Why this matters

Running enforcing + Report-Only in parallel lets you test stricter directives safely before promoting them.

Source: MDN CSP

Parsed Policy

upgrade-insecure-requests

B

CORS Configuration

No CORS headers

REVIEW

No CORS headers

No CORS headers present — secure default

CORS Configuration ✓ Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control

A+

TLS & Certificates

TLS 1.3, 7 checks passed

PASS

TLS 1.3, 7 checks passed

TLS 1.3 is used

Got: TLS 1.3

Strong cipher suite is used

Got: TLS_CHACHA20_POLY1305_SHA256

HTTP/2 is not negotiated

HTTP/2 provides multiplexing and header compression for better performance.

Got: http/1.1

Certificate is valid (expires in 83 days)

Got: 2026-07-09T12:30:07Z

Certificate chain has 2 certificates

Certificate uses modern signature algorithm

Got: ECDSA-SHA384

Certificate covers 2 domain(s)

Got: 96a436b6.sni.cloudflaressl.com, doubleverify.com

Certificate is issued by a trusted CA

Got: CN=E7,O=Let's Encrypt,C=US

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more ▾

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection

Protocol

TLS 1.3

Cipher Suite

TLS_CHACHA20_POLY1305_SHA256

HTTP Version

HTTP/1.1

Certificate Chain

Leaf Certificate

Subject CN=96a436b6.sni.cloudflaressl.comIssuer CN=E7,O=Let's Encrypt,C=USValid 2026-04-10T12:30:08Z → 2026-07-09T12:30:07ZExpires in 83 days SANs 96a436b6.sni.cloudflaressl.com, doubleverify.comSignature ECDSA-SHA384Serial 5e9122314e72b0e03d196a4223ee4d73d8c

Intermediate (CA Certificate)

Subject CN=E7,O=Let's Encrypt,C=USIssuer CN=ISRG Root X1,O=Internet Security Research Group,C=USValid 2024-03-13T00:00:00Z → 2027-03-12T23:59:59ZExpires in 330 days Signature SHA256-RSASerial aa75f1e62b8f0a220966d38bbfd4baa1

A+

Cookie Security

2 cookies analyzed, 6 checks passed

PASS

2 cookies analyzed, 6 checks passed

Cookie '__cf_bm' has the Secure flag

Cookie '__cf_bm' has the HttpOnly flag

Cookie '__cf_bm' has SameSite=None

Cookie '_cfuvid' has the Secure flag

Cookie '_cfuvid' has the HttpOnly flag

Cookie '_cfuvid' has SameSite=None

2 cookies analyzed

Name	Secure	HttpOnly	SameSite	Size	Issues
__cf_bm	✓	✓	None	177 B	—
_cfuvid	✓	✓	None	82 B	—

A+

JS Library Vulnerabilities

No known vulnerabilities

PASS

No known vulnerabilities

No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+

Information Leakage

No exposures

PASS

No exposures

No security.txt found

Consider adding a security.txt at /.well-known/security.txt.

No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path	Status	Category	Risk
/.git/HEAD	✓ Not found	Version Control	—
/.git/config	✓ Not found	Version Control	—
/.svn/entries	✓ Not found	Version Control	—
/.env	✓ Not found	Configuration	—
/.env.local	✓ Not found	Configuration	—
/.env.production	✓ Not found	Configuration	—
/wp-config.php	✓ Not found	Configuration	—
/.htaccess	✓ Not found	Configuration	—
/phpinfo.php	✓ Not found	Debug	—
/server-status	✓ Not found	Debug	—
/server-info	✓ Not found	Debug	—
/.well-known/security.txt	✓ Not found	Security Policy	—

A

Email Security

DMARC: quarantine

PASS

DMARC: quarantine

DMARC policy is quarantine — good protection

DMARC

Policy quarantine — good protection Record v=DMARC1; p=quarantine; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com;

A+

Transport Security

HTTP/3, HSTS, and TLS version analysis

PASS

HTTP/3, HSTS, and TLS version analysis

HTTP/3 (QUIC) supported

The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.

HSTS enabled (includeSubDomains, preload)

HSTS preload enabled

TLS 1.3 in use (fastest handshake, 1-RTT)