Skip to content
https://mail.ru

Security

· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
69
GRADE
D
FIX
5
REVIEW
3
PASS
4
INFO
0
Checks
12
4 PASS 3 REVIEW 5 FIX
D
Security Headers
Action
4 of 10 headers properly configured
FIX
4 of 10 headers properly configured
Critical::
HSTS header is missing
Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks. Add the header with a max-age of at least 1 year.
Expected: max-age=31536000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Warning::
Referrer-Policy header is missing
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
Expected: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: base-uri 'self'; connect-src https://*.adlooxtracking.com https://*.adlooxtracki…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Warning::
Server header reveals version information
The Server header discloses the software version, aiding attackers in targeting known vulnerabilities. Remove the version number.
Got: nginx/1.28.0

Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks. Add the header with a max-age of at least 1 year.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without HSTS, a network attacker can downgrade the very first connection to HTTP and steal the user's session.

Learn more

HSTS tells browsers 'never speak HTTP to this domain again.' Without it, a network attacker (public WiFi, malicious ISP, hostile DNS) intercepts the first HTTP attempt and serves a downgraded version of your site. One header, big surface reduction.

Source: RFC 6797 / OWASP

Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.

Expected: strict-origin-when-cross-origin
Why this matters

Default browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.

Learn more

Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.

Source: MDN / W3C

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

The Server header discloses the software version, aiding attackers in targeting known vulnerabilities. Remove the version number.

Why this matters

Server: nginx/1.18.0 tells attackers exactly which CVEs to test — strip the version string.

Learn more

Server version disclosure helps attackers select exploits matching your stack. Configure your server to omit the version (nginx: `server_tokens off;`, Apache: `ServerTokens Prod`). Doesn't fix vulnerabilities but removes the easy reconnaissance step.

Source: OWASP

D
Content Security Policy
Action
5 of 10 CSP checks passed
FIX
5 of 10 CSP checks passed
Info::
Raw CSP policy
Got: base-uri 'self'; connect-src https://*.adlooxtracking.com https://*.adlooxtracking.ru https://*.adsafeprotected.com https://*.cold-video.dzeninfra.ru https://*.doubleverify.com https://*.dzen.ru https://*.extcdn.dzeninfra.ru https://*.gstatic.com https://*.hot-video.dzeninfra.ru https://*.imgsmail.ru https://*.mail.ru https://*.moatads.com https://*.mradx.net https://*.mycdn.me https://*.odkl.ru https://*.ok.ru https://*.okcdn.ru https://api.rustore.ru https://*.serving-sys.com https://*.serving-sys.ru https://*.vk.com https://*.vk.ru https://*.vkuser.net https://*.vkuserphoto.ru https://*.weborama-tech.ru https://*.weborama.fr https://an.yandex.ru https://avatars.dzeninfra.ru https://b.delivery.consentmanager.net https://cdn.consentmanager.mgr.consensu.org https://cdn.consentmanager.net https://cdn.dzen.ru https://cold-video.dzeninfra.ru https://consentmanager.mgr.consensu.org https://home.cdn-vk.ru https://dzen.ru https://home.mrgcdn.ru https://jstracer.yandex.ru https://log.strm.yandex.ru https://mail.ru https://mc.yandex.by https://mc.yandex.com https://mc.yandex.fr https://mc.yandex.kz https://mc.yandex.md https://mc.yandex.ru https://mc.yandex.uz https://ok.ru https://playlog.dzen.ru https://sdk-api.apptracer.ru https://s3.dzeninfra.ru https://static.dzeninfra.ru https://strm.yandex.ru https://telemetry.dzen.ru https://verify.yandex.ru https://video.dzen.ru https://vk.com https://vk.ru https://yandex.ru https://www.google-analytics.com https://yandex.st https://yastat.net https://yastatic.net https://*.strm.yandex.net https://ymetrica1.com https://csp.yandex.net https://zen-int.dzeninfra.ru; default-src 'none'; font-src blob: data: https://*.imgsmail.ru https://*.mail.ru https://*.mradx.net https://an.yandex.ru https://static.dzeninfra.ru https://yastat.net https://yastatic.net 'self'; form-action https://account.mail.ru https://auth.mail.ru https://e.mail.ru https://yandex.ru https://widgets.mail.ru 'self'; frame-src https://*.doubleverify.com https://*.imgsmail.ru https://*.mail.ru https://*.mradx.net https://*.ok.ru https://*.vk.com https://*.vk.ru https://*.yandex.ru https://app.appsflyer.com https://awaps.yandex.net https://mail.ru https://mc.yandex.by https://mc.yandex.com https://mc.yandex.fr https://mc.yandex.kz https://mc.yandex.md https://mc.yandex.ru https://mc.yandex.uz https://mini.vkplay.ru https://ok.ru https://vk.com https://vk.ru https://vkvideo.ru https://yandex.ru https://yastat.net https://yastatic.net https://widgets.mail.ru https://forms.cdn-vk.ru; img-src blob: data: https://*.mail.ru https://*.okcdn.ru https://*.radar.imgsmail.ru https://*.targetads.io https://*.vkuserphoto.ru https://static.rustore.ru https://*.userapi.com https://*.zen.zeta.dzen.ru https://presizer.imgsmail.ru https://promoimages.datacloudmail.ru https://promoimages.hb.ru-msk.vkcloud-storage.ru https://i.mycdn.me https://a.delivery.consentmanager.net https://ad.adriver.ru https://amc.yandex.ru https://an.yandex.ru https://avatars.dzeninfra.ru https://avatars.mds.yandex.net https://bs.serving-sys.com https://bs.serving-sys.ru https://bs.yandex.ru https://cdn.consentmanager.mgr.consensu.org https://cdn.consentmanager.net https://cdn.dzen.ru https://counter.yadro.ru https://d.mradx.net https://dzen.ru https://favicon.yandex.net https://fmdata.imgsmail.ru https://home.cdn-vk.ru https://home.imgsmail.ru https://img.imgsmail.ru https://imgs2.imgsmail.ru https://impression.appsflyer.com https://likemore-go.imgsmail.ru https://limg.imgsmail.ru https://mc.yandex.by https://mc.yandex.com https://mc.yandex.fr https://mc.yandex.kz https://mc.yandex.md https://mc.yandex.ru https://mc.yandex.uz https://mgcomru.solution.weborama.fr https://pixel.adlooxtracking.ru https://playlog.dzen.ru https://pogoda.imgsmail.ru https://promoimages.hb.bizmrg.com https://pulse.imgsmail.ru https://r.mradx.net https://s3.dzeninfra.ru https://static.dzeninfra.ru https://storage.mds.yandex.net https://verify.yandex.ru https://video.dzen.ru https://vkvideo.ru https://prod-backend.hb.bizmrg.com https://vk.com https://vk.ru https://vkplay.ru https://wcm-ru.frontend.weborama.fr https://wcm.weborama-tech.ru https://www.tns-counter.ru https://www.google-analytics.com https://www.googletagmanager.com https://yandex.ru https://yastatic.net 'self'; manifest-src https://limg.imgsmail.ru; media-src blob: data: https://*.cold-video.dzeninfra.ru https://*.extcdn.dzeninfra.ru https://*.hot-video.dzeninfra.ru https://*.imgsmail.ru https://*.mail.ru https://*.mradx.net https://*.ok.ru https://*.strm.yandex.ru https://*.vk.com https://*.vk.ru https://*.yandex.net https://cdn.dzen.ru https://cold-video.dzeninfra.ru https://home.cdn-vk.ru https://mail.ru https://ok.ru https://strm.yandex.ru https://video.dzen.ru https://vk.com https://vk.ru https://yandex.ru https://yandex.st https://yastat.net https://yastatic.net https://*.strm.yandex.net https://*.mycdn.me https://*.okcdn.ru https://*.vkuser.net https://*.targetads.io; script-src 'self' https://*.adlooxtracking.com https://*.adlooxtracking.ru https://*.adsafeprotected.com https://*.doubleverify.com https://*.imgsmail.ru https://*.mail.ru https://*.moatads.com https://*.mradx.net https://*.serving-sys.com https://*.serving-sys.ru https://*.vk.com https://*.vk.ru https://*.weborama-tech.ru https://*.weborama.fr https://an.yandex.ru https://b.delivery.consentmanager.net https://cdn.consentmanager.mgr.consensu.org https://cdn.consentmanager.net https://consentmanager.mgr.consensu.org https://home.cdn-vk.ru https://home.mrgcdn.ru https://iframe.s3.yandex.net https://mail.ru https://mc.yandex.by https://mc.yandex.com https://mc.yandex.fr https://mc.yandex.kz https://mc.yandex.md https://mc.yandex.ru https://mc.yandex.uz https://ok.ru https://st.mycdn.me https://st.okcdn.ru https://static.dzeninfra.ru https://vk.com https://vk.ru https://www.google-analytics.com https://ssl.google-analytics.com https://yandex.ru https://yandex.st https://yastat.net https://yastatic.net 'unsafe-eval' 'unsafe-inline' 'nonce-933ff19fa3c71bf3fb9af703f169a49e' 'strict-dynamic' 'report-sample'; style-src 'self' blob: https://*.imgsmail.ru https://*.mail.ru https://*.mradx.net https://b.delivery.consentmanager.net https://cdn.consentmanager.mgr.consensu.org https://cdn.consentmanager.net https://consentmanager.mgr.consensu.org https://home.cdn-vk.ru https://home.mrgcdn.ru https://static.dzeninfra.ru https://yandex.st https://yastat.net https://yastatic.net 'unsafe-eval' 'unsafe-inline'; report-uri https://cspreport.mail.ru/home?disposition=report&rev=22.01.26;
Info::
default-src directive is set
Got: default-src 'none'
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' https://*.adlooxtracking.com https://*.adlooxtracking.ru https://*.adsafeprotected.com https://*.doubleverify.com https://*.imgsmail.ru https://*.mail.ru https://*.moatads.com https://*.mradx.net https://*.serving-sys.com https://*.serving-sys.ru https://*.vk.com https://*.vk.ru https://*.weborama-tech.ru https://*.weborama.fr https://an.yandex.ru https://b.delivery.consentmanager.net https://cdn.consentmanager.mgr.consensu.org https://cdn.consentmanager.net https://consentmanager.mgr.consensu.org https://home.cdn-vk.ru https://home.mrgcdn.ru https://iframe.s3.yandex.net https://mail.ru https://mc.yandex.by https://mc.yandex.com https://mc.yandex.fr https://mc.yandex.kz https://mc.yandex.md https://mc.yandex.ru https://mc.yandex.uz https://ok.ru https://st.mycdn.me https://st.okcdn.ru https://static.dzeninfra.ru https://vk.com https://vk.ru https://www.google-analytics.com https://ssl.google-analytics.com https://yandex.ru https://yandex.st https://yastat.net https://yastatic.net 'unsafe-eval' 'unsafe-inline' 'nonce-933ff19fa3c71bf3fb9af703f169a49e' 'strict-dynamic' 'report-sample'
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' https://*.adlooxtracking.com https://*.adlooxtracking.ru https://*.adsafeprotected.com https://*.doubleverify.com https://*.imgsmail.ru https://*.mail.ru https://*.moatads.com https://*.mradx.net https://*.serving-sys.com https://*.serving-sys.ru https://*.vk.com https://*.vk.ru https://*.weborama-tech.ru https://*.weborama.fr https://an.yandex.ru https://b.delivery.consentmanager.net https://cdn.consentmanager.mgr.consensu.org https://cdn.consentmanager.net https://consentmanager.mgr.consensu.org https://home.cdn-vk.ru https://home.mrgcdn.ru https://iframe.s3.yandex.net https://mail.ru https://mc.yandex.by https://mc.yandex.com https://mc.yandex.fr https://mc.yandex.kz https://mc.yandex.md https://mc.yandex.ru https://mc.yandex.uz https://ok.ru https://st.mycdn.me https://st.okcdn.ru https://static.dzeninfra.ru https://vk.com https://vk.ru https://www.google-analytics.com https://ssl.google-analytics.com https://yandex.ru https://yandex.st https://yastat.net https://yastatic.net 'unsafe-eval' 'unsafe-inline' 'nonce-933ff19fa3c71bf3fb9af703f169a49e' 'strict-dynamic' 'report-sample'
Info::
No wildcard in script source
Info::
object-src falls back to default-src
Info::
base-uri is properly restricted
Got: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Info::
form-action directive is set
Got: form-action https://account.mail.ru https://auth.mail.ru https://e.mail.ru https://yandex.ru https://widgets.mail.ru 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests
Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

base-uri 'self'
connect-src https://*.adlooxtracking.comhttps://*.adlooxtracking.ruhttps://*.adsafeprotected.comhttps://*.cold-video.dzeninfra.ruhttps://*.doubleverify.comhttps://*.dzen.ruhttps://*.extcdn.dzeninfra.ruhttps://*.gstatic.comhttps://*.hot-video.dzeninfra.ruhttps://*.imgsmail.ruhttps://*.mail.ruhttps://*.moatads.comhttps://*.mradx.nethttps://*.mycdn.mehttps://*.odkl.ruhttps://*.ok.ruhttps://*.okcdn.ruhttps://api.rustore.ruhttps://*.serving-sys.comhttps://*.serving-sys.ruhttps://*.vk.comhttps://*.vk.ruhttps://*.vkuser.nethttps://*.vkuserphoto.ruhttps://*.weborama-tech.ruhttps://*.weborama.frhttps://an.yandex.ruhttps://avatars.dzeninfra.ruhttps://b.delivery.consentmanager.nethttps://cdn.consentmanager.mgr.consensu.orghttps://cdn.consentmanager.nethttps://cdn.dzen.ruhttps://cold-video.dzeninfra.ruhttps://consentmanager.mgr.consensu.orghttps://home.cdn-vk.ruhttps://dzen.ruhttps://home.mrgcdn.ruhttps://jstracer.yandex.ruhttps://log.strm.yandex.ruhttps://mail.ruhttps://mc.yandex.byhttps://mc.yandex.comhttps://mc.yandex.frhttps://mc.yandex.kzhttps://mc.yandex.mdhttps://mc.yandex.ruhttps://mc.yandex.uzhttps://ok.ruhttps://playlog.dzen.ruhttps://sdk-api.apptracer.ruhttps://s3.dzeninfra.ruhttps://static.dzeninfra.ruhttps://strm.yandex.ruhttps://telemetry.dzen.ruhttps://verify.yandex.ruhttps://video.dzen.ruhttps://vk.comhttps://vk.ruhttps://yandex.ruhttps://www.google-analytics.comhttps://yandex.sthttps://yastat.nethttps://yastatic.nethttps://*.strm.yandex.nethttps://ymetrica1.comhttps://csp.yandex.nethttps://zen-int.dzeninfra.ru
default-src 'none'
font-src blob:data:https://*.imgsmail.ruhttps://*.mail.ruhttps://*.mradx.nethttps://an.yandex.ruhttps://static.dzeninfra.ruhttps://yastat.nethttps://yastatic.net'self'
form-action https://account.mail.ruhttps://auth.mail.ruhttps://e.mail.ruhttps://yandex.ruhttps://widgets.mail.ru'self'
frame-src https://*.doubleverify.comhttps://*.imgsmail.ruhttps://*.mail.ruhttps://*.mradx.nethttps://*.ok.ruhttps://*.vk.comhttps://*.vk.ruhttps://*.yandex.ruhttps://app.appsflyer.comhttps://awaps.yandex.nethttps://mail.ruhttps://mc.yandex.byhttps://mc.yandex.comhttps://mc.yandex.frhttps://mc.yandex.kzhttps://mc.yandex.mdhttps://mc.yandex.ruhttps://mc.yandex.uzhttps://mini.vkplay.ruhttps://ok.ruhttps://vk.comhttps://vk.ruhttps://vkvideo.ruhttps://yandex.ruhttps://yastat.nethttps://yastatic.nethttps://widgets.mail.ruhttps://forms.cdn-vk.ru
img-src blob:data:https://*.mail.ruhttps://*.okcdn.ruhttps://*.radar.imgsmail.ruhttps://*.targetads.iohttps://*.vkuserphoto.ruhttps://static.rustore.ruhttps://*.userapi.comhttps://*.zen.zeta.dzen.ruhttps://presizer.imgsmail.ruhttps://promoimages.datacloudmail.ruhttps://promoimages.hb.ru-msk.vkcloud-storage.ruhttps://i.mycdn.mehttps://a.delivery.consentmanager.nethttps://ad.adriver.ruhttps://amc.yandex.ruhttps://an.yandex.ruhttps://avatars.dzeninfra.ruhttps://avatars.mds.yandex.nethttps://bs.serving-sys.comhttps://bs.serving-sys.ruhttps://bs.yandex.ruhttps://cdn.consentmanager.mgr.consensu.orghttps://cdn.consentmanager.nethttps://cdn.dzen.ruhttps://counter.yadro.ruhttps://d.mradx.nethttps://dzen.ruhttps://favicon.yandex.nethttps://fmdata.imgsmail.ruhttps://home.cdn-vk.ruhttps://home.imgsmail.ruhttps://img.imgsmail.ruhttps://imgs2.imgsmail.ruhttps://impression.appsflyer.comhttps://likemore-go.imgsmail.ruhttps://limg.imgsmail.ruhttps://mc.yandex.byhttps://mc.yandex.comhttps://mc.yandex.frhttps://mc.yandex.kzhttps://mc.yandex.mdhttps://mc.yandex.ruhttps://mc.yandex.uzhttps://mgcomru.solution.weborama.frhttps://pixel.adlooxtracking.ruhttps://playlog.dzen.ruhttps://pogoda.imgsmail.ruhttps://promoimages.hb.bizmrg.comhttps://pulse.imgsmail.ruhttps://r.mradx.nethttps://s3.dzeninfra.ruhttps://static.dzeninfra.ruhttps://storage.mds.yandex.nethttps://verify.yandex.ruhttps://video.dzen.ruhttps://vkvideo.ruhttps://prod-backend.hb.bizmrg.comhttps://vk.comhttps://vk.ruhttps://vkplay.ruhttps://wcm-ru.frontend.weborama.frhttps://wcm.weborama-tech.ruhttps://www.tns-counter.ruhttps://www.google-analytics.comhttps://www.googletagmanager.comhttps://yandex.ruhttps://yastatic.net'self'
manifest-src https://limg.imgsmail.ru
media-src blob:data:https://*.cold-video.dzeninfra.ruhttps://*.extcdn.dzeninfra.ruhttps://*.hot-video.dzeninfra.ruhttps://*.imgsmail.ruhttps://*.mail.ruhttps://*.mradx.nethttps://*.ok.ruhttps://*.strm.yandex.ruhttps://*.vk.comhttps://*.vk.ruhttps://*.yandex.nethttps://cdn.dzen.ruhttps://cold-video.dzeninfra.ruhttps://home.cdn-vk.ruhttps://mail.ruhttps://ok.ruhttps://strm.yandex.ruhttps://video.dzen.ruhttps://vk.comhttps://vk.ruhttps://yandex.ruhttps://yandex.sthttps://yastat.nethttps://yastatic.nethttps://*.strm.yandex.nethttps://*.mycdn.mehttps://*.okcdn.ruhttps://*.vkuser.nethttps://*.targetads.io
script-src 'self'https://*.adlooxtracking.comhttps://*.adlooxtracking.ruhttps://*.adsafeprotected.comhttps://*.doubleverify.comhttps://*.imgsmail.ruhttps://*.mail.ruhttps://*.moatads.comhttps://*.mradx.nethttps://*.serving-sys.comhttps://*.serving-sys.ruhttps://*.vk.comhttps://*.vk.ruhttps://*.weborama-tech.ruhttps://*.weborama.frhttps://an.yandex.ruhttps://b.delivery.consentmanager.nethttps://cdn.consentmanager.mgr.consensu.orghttps://cdn.consentmanager.nethttps://consentmanager.mgr.consensu.orghttps://home.cdn-vk.ruhttps://home.mrgcdn.ruhttps://iframe.s3.yandex.nethttps://mail.ruhttps://mc.yandex.byhttps://mc.yandex.comhttps://mc.yandex.frhttps://mc.yandex.kzhttps://mc.yandex.mdhttps://mc.yandex.ruhttps://mc.yandex.uzhttps://ok.ruhttps://st.mycdn.mehttps://st.okcdn.ruhttps://static.dzeninfra.ruhttps://vk.comhttps://vk.ruhttps://www.google-analytics.comhttps://ssl.google-analytics.comhttps://yandex.ruhttps://yandex.sthttps://yastat.nethttps://yastatic.net'unsafe-eval''unsafe-inline''nonce-933ff19fa3c71bf3fb9af703f169a49e''strict-dynamic''report-sample'
style-src 'self'blob:https://*.imgsmail.ruhttps://*.mail.ruhttps://*.mradx.nethttps://b.delivery.consentmanager.nethttps://cdn.consentmanager.mgr.consensu.orghttps://cdn.consentmanager.nethttps://consentmanager.mgr.consensu.orghttps://home.cdn-vk.ruhttps://home.mrgcdn.ruhttps://static.dzeninfra.ruhttps://yandex.sthttps://yastat.nethttps://yastatic.net'unsafe-eval''unsafe-inline'
report-uri https://cspreport.mail.ru/home?disposition=report&rev=22.01.26
F
Subresource Integrity
Action
0 of 35 external resources have SRI
FIX
0 of 35 external resources have SRI
Warning::
External script from top-fwz1.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://top-fwz1.mail.ru/js/code.js
Warning::
External script from yandex.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://yandex.ru/ads/system/context.js
Warning::
External script from yandex.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //yandex.ru/ads/system/context.js
Warning::
External script from top-fwz1.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://top-fwz1.mail.ru/js/code.js
Warning::
External script from mc.yandex.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://mc.yandex.ru/metrika/tag.js
Warning::
External script from imgs2.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://imgs2.imgsmail.ru/@mail-core/logger-preset/home.js?&v17.7.1&pv=17.7.1&f=1776358440000-0
Warning::
External link from home.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //home.imgsmail.ru/resplash/746289/c/theme-system-578870604922.css
Warning::
External link from home.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //home.imgsmail.ru/resplash/746289/c/cdn-52e0ecdd-ad9cd58a.css
Warning::
External link from home.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //home.imgsmail.ru/resplash/746289/c/cdn-app-65dc267e.css
Warning::
External script from limg.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://limg.imgsmail.ru/pkgs/whiteline/2.230.0/external.crossnav.modern.js
Warning::
External script from img.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://img.imgsmail.ru/hb/e.mail.ru/auth.gate/2.11.2/authGate.js?onload=__AG_onload
Warning::
External script from vk.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://vk.com/js/api/videoplayer.js
Warning::
External script from static.dzeninfra.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.dzeninfra.ru/s3/zen-apps/mailru-morda-desktop/1.134.0/loader.modern.bundle.js
Warning::
External script from yastatic.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://yastatic.net/safeframe-bundles/0.83/host.js
Warning::
External script from static.dzeninfra.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.dzeninfra.ru/s3/zen-apps/mailru-morda-desktop/1.134.0/app.modern.bundle.js
Warning::
External link from static.dzeninfra.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.dzeninfra.ru/s3/zen-apps/mailru-morda-desktop/1.134.0/app.modern.css
Warning::
External script from static.dzeninfra.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.dzeninfra.ru/s3/zen-apps/video-player-core/1.138.0/one.modern.bundle.js
Warning::
External script from ad.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://ad.mail.ru/static/ads-async.js
Warning::
External script from r.mradx.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://r.mradx.net/img/29/F207CB.js
Warning::
External script from yandex.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://yandex.ru/ads/system/adsdk.js
Warning::
External script from yastatic.net lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://yastatic.net/partner-code-bundles/1304600/vas-bundles/bundles-es2017/multiroll.bundle.js
Warning::
External script from www.gstatic.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //www.gstatic.com/cast/sdk/libs/sender/1.0/cast_framework.js
Warning::
External script from www.gstatic.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //www.gstatic.com/eureka/clank/147/cast_sender.js
Warning::
External script from www.googletagmanager.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.googletagmanager.com/gtag/js?id=G-1M15Q3KLDM
Warning::
External script from home.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //home.imgsmail.ru/resplash/746289/j/slidotype-t_K4qOoA.js
Warning::
External link from limg.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://limg.imgsmail.ru/pkgs/whiteline/2.230.0/external.crossnav.css
Warning::
External script from limg.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://limg.imgsmail.ru/pkgs/whiteline/2.230.0/inline.modern.js
Warning::
External script from home.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://home.imgsmail.ru/antares/test/test.js
Warning::
External script from limg.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://limg.imgsmail.ru/informers/resplash/test.js
Warning::
External script from imgs2.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://imgs2.imgsmail.ru/test.js
Warning::
External script from home.imgsmail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //home.imgsmail.ru/resplash/746289/j/app-deo2EbSW.js
Warning::
External script from privacy-cs.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://privacy-cs.mail.ru/static/sync-loader.js
Warning::
External script from top-fwz1.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://top-fwz1.mail.ru/js/dyn-goal-config.js?ids=3217024,110605
Warning::
External script from top-fwz1.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://top-fwz1.mail.ru/js/dyn-goal-config.js?ids=3413017
Warning::
External script from www.gstatic.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://www.gstatic.com/cv/js/sender/v1/cast_sender.js?loadCastFramework=1
SRI Coverage 0 / 35 of external resources have integrity hashes
TagDomainIntegrity
<script>top-fwz1.mail.ru Missing
<script>yandex.ru Missing
<script>yandex.ru Missing
<script>top-fwz1.mail.ru Missing
<script>mc.yandex.ru Missing
<script>imgs2.imgsmail.ru Missing
<link>home.imgsmail.ru Missing
<link>home.imgsmail.ru Missing
<link>home.imgsmail.ru Missing
<script>limg.imgsmail.ru Missing
<script>img.imgsmail.ru Missing
<script>vk.com Missing
<script>static.dzeninfra.ru Missing
<script>yastatic.net Missing
<script>static.dzeninfra.ru Missing
<link>static.dzeninfra.ru Missing
<script>static.dzeninfra.ru Missing
<script>ad.mail.ru Missing
<script>r.mradx.net Missing
<script>yandex.ru Missing
<script>yastatic.net Missing
<script>www.gstatic.com Missing
<script>www.gstatic.com Missing
<script>www.googletagmanager.com Missing
<script>home.imgsmail.ru Missing
<link>limg.imgsmail.ru Missing
<script>limg.imgsmail.ru Missing
<script>home.imgsmail.ru Missing
<script>limg.imgsmail.ru Missing
<script>imgs2.imgsmail.ru Missing
<script>home.imgsmail.ru Missing
<script>privacy-cs.mail.ru Missing
<script>top-fwz1.mail.ru Missing
<script>top-fwz1.mail.ru Missing
<script>www.gstatic.com Missing
D
Permissions-Policy
Action
No header set
FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
D
security.txt
Action
No /.well-known/security.txt published
FIX

security.txt

No security.txt found at /.well-known/security.txt

B
Cookie Security
5 cookies analyzed, 12 checks passed
REVIEW
5 cookies analyzed, 12 checks passed
Info::
Cookie 'act' has the Secure flag
Info::
Cookie 'act' has the HttpOnly flag
Info::
Cookie 'act' has SameSite=None
Critical::
Cookie 'oid' is missing the Secure flag
Without the Secure flag, this cookie can be sent over unencrypted HTTP, exposing it to interception.
Warning::
Cookie 'oid' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Warning::
Cookie 'oid' has no SameSite attribute
Without an explicit SameSite attribute, browser default behavior varies. Set SameSite=Lax or Strict.
Info::
Cookie 'act' has the Secure flag
Info::
Cookie 'act' has the HttpOnly flag
Info::
Cookie 'act' has SameSite=None
Info::
Cookie 'autologin' has the Secure flag
Info::
Cookie 'autologin' has the HttpOnly flag
Info::
Cookie 'autologin' has SameSite=None
Info::
Cookie 'mrcu' has the Secure flag
Info::
Cookie 'mrcu' has the HttpOnly flag
Info::
Cookie 'mrcu' has SameSite=None
5 cookies analyzed 1 critical 2 warnings
NameSecureHttpOnlySameSiteSizeIssues
actNone35 B
oid24 B3
actNone35 B
autologinNone11 B
mrcuNone32 B
B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
B
Transport Security
HTTP/3, HSTS, and TLS version analysis
REVIEW
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Warning::
Missing Strict-Transport-Security header
HSTS tells browsers to only use HTTPS, preventing SSL stripping attacks.
A+
TLS & Certificates
TLS 1.2, 7 checks passed
PASS
TLS 1.2, 7 checks passed
Info::
TLS 1.2 is used
Got: TLS 1.2
Info::
TLS 1.3 is not negotiated
TLS 1.3 offers improved performance and security. Consider enabling it.
Got: TLS 1.2
Info::
Strong cipher suite is used
Got: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 219 days)
Got: 2026-11-22T12:52:02Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 6 domain(s)
Got: *.mail.ru, bk.ru, inbox.ru, list.ru, xn--i1aeb2e.xn--p1ai, mail.ru
Info::
Certificate is issued by a trusted CA
Got: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE

TLS 1.3 offers improved performance and security. Consider enabling it.

Why this matters

TLS 1.3 not in use — connection falls back to 1.2 and pays the extra round-trip.

Learn more

Most clients prefer TLS 1.3 if both sides support it. If your server has TLS 1.3 enabled but it's not being negotiated, check for a downgrade-attack mitigation issue or a misconfigured cipher list. nginx ≥ 1.13.0 and OpenSSL ≥ 1.1.1 support TLS 1.3.

Source: RFC 8446 / Mozilla SSL Config

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol
TLS 1.2
Cipher Suite
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=*.mail.ru,O=VK LLC,L=Moscow,ST=Moscow,C=RUIssuer CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BEValid 2025-10-21T12:52:03Z → 2026-11-22T12:52:02ZExpires in 219 days SANs *.mail.ru, bk.ru, inbox.ru, list.ru, xn--i1aeb2e.xn--p1ai, mail.ruSignature SHA256-RSASerial 1aa2ab52dc4e5fe1764542d8
Intermediate (CA Certificate)
Subject CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BEIssuer CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSignValid 2018-11-21T00:00:00Z → 2028-11-21T00:00:00ZExpires in 949 days Signature SHA256-RSASerial 1ee5f221dfc623bd4333a8557
Intermediate (CA Certificate)
Subject CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSignIssuer CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSignValid 2009-03-18T10:00:00Z → 2029-03-18T10:00:00ZExpires in 1066 days Signature SHA256-RSASerial 4000000000121585308a2
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt ExposedSecurity PolicyInfo
A+
Email Security
DMARC: reject
PASS
DMARC: reject
Info::
DMARC policy is reject — strongest protection
DMARC
Policy reject — strongest protection Record v=DMARC1;p=reject;rua=mailto:dmarc_rua@corp.mail.ru;
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback