Skip to content
https://pornbox.com

Security

· 33 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
SCORE
81
GRADE
B
FIX
5
REVIEW
9
PASS
19
INFO
0
Checks
33
19 PASS 9 REVIEW 5 FIX
F
Content Security Policy
Action
3 of 10 CSP checks passed
FIX
3 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src 'self' wss://pornbox.com/socket.io/ wss://*.gtflixtv.com/socket.io/ *.pornbox.com pornbox.com cdn.plyr.io www.google-analytics.com https://ampcid.google.com https://stats.g.doubleclick.net/j/collect *.google-analytics.com *.analytics.google.com *.googleapis.com *.firebaseio.com *.googletagmanager.com https://*.gtflixtv.com *.gtflixtv.com translate.googleapis.com browser.translate.yandex.net translate.yandex.com api.cognitive.microsofttranslator.com edge.microsoft.com www.google.com/recaptcha/ *.st-content.com *.bangbros.com translate.google.com google-analytics.com https://ssl.google-analytics.com https://www.gstatic.com/recaptcha/ googletagmanager.com https://www.googletagmanager.com cdn.jsdelivr.net/npm/emojione@3.1.2/ tracking.sexcash.com;script-src 'self' *.gtflixtv.com *.pornbox.com *.st-content.com *.googleapis.com *.bangbros.com translate.google.com browser.translate.yandex.net translate.yandex.com google-analytics.com https://ssl.google-analytics.com www.google-analytics.com www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ googletagmanager.com https://www.googletagmanager.com cdn.jsdelivr.net/npm/emojione@3.1.2/ tracking.sexcash.com 'unsafe-inline' 'unsafe-eval' https://www.analvids.com/ *.analvids.com https://account.analvids.com/ *.analvids.com;object-src 'none';img-src 'self' data: *.gtflixtv.com cdn.jsdelivr.net/emojione/assets/ www.google-analytics.com *.google-analytics.com *.analytics.google.com https://www.google.com/ads/ga-audiences www.googletagmanager.com ssl.gstatic.com www.gstatic.com stats.g.doubleclick.net/r/ translate.google.com fonts.gstatic.com *.sheer.com;font-src 'self' data: fonts.gstatic.com;connect-src 'self' wss://pornbox.com/socket.io/ wss://*.gtflixtv.com/socket.io/ *.pornbox.com pornbox.com cdn.plyr.io www.google-analytics.com https://ampcid.google.com https://stats.g.doubleclick.net/j/collect *.google-analytics.com *.analytics.google.com *.googleapis.com *.firebaseio.com *.googletagmanager.com https://*.gtflixtv.com *.gtflixtv.com translate.googleapis.com browser.translate.yandex.net translate.yandex.com api.cognitive.microsofttranslator.com edge.microsoft.com www.google.com/recaptcha/;style-src * 'unsafe-inline';report-uri /report/violation
Info::
default-src directive is set
Got: default-src 'self' wss://pornbox.com/socket.io/ wss://*.gtflixtv.com/socket.io/ *.pornbox.com pornbox.com cdn.plyr.io www.google-analytics.com https://ampcid.google.com https://stats.g.doubleclick.net/j/collect *.google-analytics.com *.analytics.google.com *.googleapis.com *.firebaseio.com *.googletagmanager.com https://*.gtflixtv.com *.gtflixtv.com translate.googleapis.com browser.translate.yandex.net translate.yandex.com api.cognitive.microsofttranslator.com edge.microsoft.com www.google.com/recaptcha/ *.st-content.com *.bangbros.com translate.google.com google-analytics.com https://ssl.google-analytics.com https://www.gstatic.com/recaptcha/ googletagmanager.com https://www.googletagmanager.com cdn.jsdelivr.net/npm/emojione@3.1.2/ tracking.sexcash.com
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' *.gtflixtv.com *.pornbox.com *.st-content.com *.googleapis.com *.bangbros.com translate.google.com browser.translate.yandex.net translate.yandex.com google-analytics.com https://ssl.google-analytics.com www.google-analytics.com www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ googletagmanager.com https://www.googletagmanager.com cdn.jsdelivr.net/npm/emojione@3.1.2/ tracking.sexcash.com 'unsafe-inline' 'unsafe-eval' https://www.analvids.com/ *.analvids.com https://account.analvids.com/ *.analvids.com
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' *.gtflixtv.com *.pornbox.com *.st-content.com *.googleapis.com *.bangbros.com translate.google.com browser.translate.yandex.net translate.yandex.com google-analytics.com https://ssl.google-analytics.com www.google-analytics.com www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ googletagmanager.com https://www.googletagmanager.com cdn.jsdelivr.net/npm/emojione@3.1.2/ tracking.sexcash.com 'unsafe-inline' 'unsafe-eval' https://www.analvids.com/ *.analvids.com https://account.analvids.com/ *.analvids.com
Info::
No wildcard in script source
Info::
object-src is set to 'none'
Got: object-src 'none'
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Warning::
frame-ancestors directive is missing
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
Expected: frame-ancestors 'self'
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.

Expected: frame-ancestors 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.

Expected: upgrade-insecure-requests
Why this matters

Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.

Learn more

Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.

Source: MDN CSP

Parsed Policy

default-src 'self'wss://pornbox.com/socket.io/wss://*.gtflixtv.com/socket.io/*.pornbox.compornbox.comcdn.plyr.iowww.google-analytics.comhttps://ampcid.google.comhttps://stats.g.doubleclick.net/j/collect*.google-analytics.com*.analytics.google.com*.googleapis.com*.firebaseio.com*.googletagmanager.comhttps://*.gtflixtv.com*.gtflixtv.comtranslate.googleapis.combrowser.translate.yandex.nettranslate.yandex.comapi.cognitive.microsofttranslator.comedge.microsoft.comwww.google.com/recaptcha/*.st-content.com*.bangbros.comtranslate.google.comgoogle-analytics.comhttps://ssl.google-analytics.comhttps://www.gstatic.com/recaptcha/googletagmanager.comhttps://www.googletagmanager.comcdn.jsdelivr.net/npm/emojione@3.1.2/tracking.sexcash.com
script-src 'self'*.gtflixtv.com*.pornbox.com*.st-content.com*.googleapis.com*.bangbros.comtranslate.google.combrowser.translate.yandex.nettranslate.yandex.comgoogle-analytics.comhttps://ssl.google-analytics.comwww.google-analytics.comwww.google.com/recaptcha/https://www.gstatic.com/recaptcha/googletagmanager.comhttps://www.googletagmanager.comcdn.jsdelivr.net/npm/emojione@3.1.2/tracking.sexcash.com'unsafe-inline''unsafe-eval'https://www.analvids.com/*.analvids.comhttps://account.analvids.com/*.analvids.com
object-src 'none'
img-src 'self'data:*.gtflixtv.comcdn.jsdelivr.net/emojione/assets/www.google-analytics.com*.google-analytics.com*.analytics.google.comhttps://www.google.com/ads/ga-audienceswww.googletagmanager.comssl.gstatic.comwww.gstatic.comstats.g.doubleclick.net/r/translate.google.comfonts.gstatic.com*.sheer.com
font-src 'self'data:fonts.gstatic.com
connect-src 'self'wss://pornbox.com/socket.io/wss://*.gtflixtv.com/socket.io/*.pornbox.compornbox.comcdn.plyr.iowww.google-analytics.comhttps://ampcid.google.comhttps://stats.g.doubleclick.net/j/collect*.google-analytics.com*.analytics.google.com*.googleapis.com*.firebaseio.com*.googletagmanager.comhttps://*.gtflixtv.com*.gtflixtv.comtranslate.googleapis.combrowser.translate.yandex.nettranslate.yandex.comapi.cognitive.microsofttranslator.comedge.microsoft.comwww.google.com/recaptcha/
style-src *'unsafe-inline'
report-uri /report/violation
F
Empty Page Detection
Action
1 empty-page signal(s) detected -- page may be a placeholder or have content-rendering bugs
FIX
1 empty-page signal(s) detected -- page may be a placeholder or have content-rendering bugs
Critical::
Page body has only 131 chars of text -- likely empty / placeholder
After HTML stripping, the page body contains 131 characters of text content. Below 200 chars almost always means: (1) the page is a placeholder that was never filled in, (2) JavaScript was supposed to render content but failed, (3) the page is a redirect / interstitial / wrapper that should have a real status code other than 200, or (4) it's a legitimately small page like a single-form login (in which case this finding is a false positive that confirms 'minimal content' is intentional). Review the page in a browser. If content is missing, the most common root cause is a JS-rendering pipeline that needs prerendering or server-side rendering for crawlers / scanners to capture content.
Got: 131 chars
F
Subresource Integrity Adoption
Action
0% SRI adoption (0/2 third-party resources)
FIX
0% SRI adoption (0/2 third-party resources)
Warning::
SRI adoption: 0/2 third-party resources protected (0%)
Of 2 third-party `<script>` / `<link rel=stylesheet>` resources, 0 (0%) declare a Subresource Integrity hash via the `integrity=` attribute. SRI binds the page to the exact bytes of the third-party resource: if the CDN is compromised, attacker-modified bytes won't match the declared hash and the browser refuses to execute the resource. Missing SRI on (first 2 examples): - https://account.analvids.com/jdialog/box/1.js - //ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js Fix: add `integrity="sha384-..."` and `crossorigin="anonymous"` attributes. Generators: srihash.org, or in-browser via `await crypto.subtle.digest('SHA-384', bytes)`. Cache-bust the resource URL when you change versions, since the integrity hash will mismatch with old cached bytes.
Got: 0% (0/2)
F
Subresource Integrity
Action
0 of 2 external resources have SRI
FIX
0 of 2 external resources have SRI
Warning::
External script from account.analvids.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://account.analvids.com/jdialog/box/1.js
Warning::
External script from ajax.googleapis.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js
SRI Coverage 0 / 2 of external resources have integrity hashes
TagDomainIntegrity
<script>account.analvids.com Missing
<script>ajax.googleapis.com Missing
D
Permissions-Policy
Action
No header set
FIX
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

No Permissions-Policy header set.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
C
Security Headers
Action
6 of 10 headers properly configured
REVIEW
6 of 10 headers properly configured
Critical::
HSTS header is missing
Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks. Add the header with a max-age of at least 1 year.
Expected: max-age=31536000; includeSubDomains
Warning::
X-Content-Type-Options header is missing
This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.
Expected: nosniff
Info::
X-Frame-Options is properly configured
Got: SAMEORIGIN
Info::
Referrer-Policy is properly configured
Got: no-referrer
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src 'self' wss://pornbox.com/socket.io/ wss://*.gtflixtv.com/socket.io/ …
Info::
Cross-Origin-Opener-Policy is properly configured
Got: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: nginx
Info::
Domain is not in the Chrome HSTS preload list (status: unknown)
Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).
Got: unknown

Strict-Transport-Security forces browsers to use HTTPS, preventing downgrade attacks. Add the header with a max-age of at least 1 year.

Expected: max-age=31536000; includeSubDomains
Why this matters

Without HSTS, a network attacker can downgrade the very first connection to HTTP and steal the user's session.

Learn more

HSTS tells browsers 'never speak HTTP to this domain again.' Without it, a network attacker (public WiFi, malicious ISP, hostile DNS) intercepts the first HTTP attempt and serves a downgraded version of your site. One header, big surface reduction.

Source: RFC 6797 / OWASP

This header prevents MIME-type sniffing, which can lead to XSS attacks. Set it to 'nosniff'.

Expected: nosniff
Why this matters

MIME sniffing lets browsers run uploaded files as JavaScript, turning a file upload into an XSS.

Learn more

Setting X-Content-Type-Options: nosniff tells browsers to trust your declared Content-Type instead of guessing. Without it, an attacker who uploads a polyglot file can sometimes get it executed as a script. One header, no downside.

Source: OWASP / MDN

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

Submit your domain to hstspreload.org to close the trust-on-first-use gap. Requires a preload-ready HSTS header (max-age=31536000+, includeSubDomains, preload).

Why this matters

Not in the Chrome preload list — first-time visitors over plain HTTP can be downgraded by a network attacker before HSTS kicks in.

Learn more

The HSTS header only protects users who have already visited the site (TOFU window). Adding your domain to the Chrome preload list closes that gap so HSTS is enforced from the very first connection. Requires a preload-ready header (max-age=31536000+, includeSubDomains, preload) then submission at hstspreload.org. Inclusion ships in the next Chrome release after acceptance.

Source: hstspreload.org

B
WAF / Bot Protection
No WAF detected via response headers
REVIEW
No WAF detected via response headers
Info::
No WAF detected
Response headers don't match any known WAF or bot-management product. Sites exposed to abuse (login, signup, payment) typically benefit from a WAF such as Cloudflare, Akamai, AWS WAF, or Imperva.
B
security.txt
Vulnerability disclosure policy
REVIEW
Vulnerability disclosure policy
Info::
security.txt found
Got: https://pornbox.com/.well-known/security.txt
Warning::
security.txt: Missing required 'Contact' field
Warning::
security.txt: Missing required 'Expires' field (RFC 9116)

security.txt

B
Trusted Types (XSS Sink Hardening)
Trusted Types not enabled
REVIEW
Trusted Types not enabled
Info::
Trusted Types not enabled
Trusted Types (CSP3) is a Chrome 83+ defense that requires DOM-XSS sinks (innerHTML, document.write, eval, ...) to receive a typed-and-sanitized value rather than a raw string. Adding `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default` neutralizes most DOM-XSS even when a payload reaches a sink. Adoption is currently ~0.1% of pages so this is informational; a roll-out usually starts in report-only mode.
C
Permissions-Policy Granularity
Action
No Permissions-Policy header set -- powerful features (camera / microphone / geolocation / payment / USB) default to allow-on-same-origin
REVIEW
No Permissions-Policy header set -- powerful features (camera / microphone / geolocation / payment / USB) default to allow-on-same-origin
Warning::
Permissions-Policy header not set -- features default to allow-on-same-origin
Without a `Permissions-Policy` (or legacy `Feature-Policy`) header, every powerful browser feature defaults to its spec default policy (typically `self`). A third-party iframe injected via XSS or a misconfigured embed can still request access to the user's camera, microphone, geolocation, payment APIs, USB devices, etc. Explicitly deny features the page doesn't need: ``` Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=() ``` Features the page legitimately uses can stay enabled with `feature=(self)`.
Got: header absent
B
Email Security
DMARC: quarantine, SPF: -all, DKIM
REVIEW
DMARC: quarantine, SPF: -all, DKIM
Info::
DMARC policy is quarantine — good protection
Info::
DMARC configured without rua= aggregate reporting
Without rua=, you have no visibility into spoof attempts or auth failures from your own legitimate senders. Add rua=mailto:dmarc@<your-domain> (or a managed inbox at a reporting service).
Info::
SPF ends in -all (hard fail) — strongest setting
Info::
DKIM configured (selectors: default)
Info::
MTA-STS not configured
MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
Info::
TLS-RPT not configured
TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.
Info::
BIMI not configured
BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.
DMARC
Policy quarantine — good protection Record v=DMARC1; p=quarantine;

Without rua=, you have no visibility into spoof attempts or auth failures from your own legitimate senders. Add rua=mailto:dmarc@<your-domain> (or a managed inbox at a reporting service).

Why this matters

Informational: a Permissions-Policy directive showing feature -> allowed origins.

Source: MDN Permissions-Policy

MTA-STS forces inbound mail to use TLS, preventing downgrade attacks. Requires both a TXT record at _mta-sts.<domain> and a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt.

Why this matters

Without MTA-STS, inbound mail can be silently downgraded to plain SMTP by a network attacker.

Learn more

MTA-STS (RFC 8461) tells sending mail servers to use TLS and to refuse delivery if TLS fails. Requires both a TXT record at _mta-sts.<domain> AND a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Without it, an active attacker on the network path can strip STARTTLS and read the email in plaintext.

Source: RFC 8461

TLS-RPT (RFC 8460) lets MTAs report TLS-handshake failures, so you can detect and fix MTA-STS misconfigurations. Add a TXT record at _smtp._tls.<domain>.

Why this matters

Without TLS-RPT, you have no visibility into inbound TLS failures — MTA-STS misconfigurations stay hidden until users complain.

Learn more

TLS-RPT (RFC 8460) is the feedback channel for MTA-STS: senders post aggregate reports of TLS-handshake failures to the URI in your _smtp._tls TXT record. Without it, an MTA-STS misconfiguration silently rejects mail and you find out only when someone notices missing email.

Source: RFC 8460

BIMI (Brand Indicators for Message Identification) lets supporting clients (Gmail, Apple Mail, Yahoo) display your verified logo next to your messages. Optional but raises trust signals. Requires DMARC at p=quarantine or p=reject to be honored.

Why this matters

Security gaps expose your site and users to attacks, eroding trust.

B
CORS Configuration
No CORS headers
REVIEW
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
C
Known vulnerability matches
Action
8 known vulnerability match(es) against detected tech
REVIEW

Known Vulnerabilities

LibraryVersionSeveritySummaryFixed In
jQuery1.6.2mediumXSS with location.hash1.6.3
jQuery1.6.2mediumSelector interpreted as HTML1.9.0b1
jQuery1.6.2medium3rd party CORS request may execute1.12.0
jQuery1.6.2mediumjQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution3.4.0
jQuery1.6.2mediumRegex in its jQuery.htmlPrefilter sometimes may introduce XSS3.5.0
jQuery1.6.2mediumpassing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.3.5.0
jQuery1.6.2mediumVersions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser. ## Recommendation Upgrade to version 1.9.0 or later.1.9.0
jQuery1.6.2lowjQuery 1.x and 2.x are End-of-Life and no longer receiving security updates2.999.999
B
Transport Security
HTTP/3, HSTS, and TLS version analysis
REVIEW
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Warning::
Missing Strict-Transport-Security header
HSTS tells browsers to only use HTTPS, preventing SSL stripping attacks.
A+
TLS & Certificates
TLS 1.2, 7 checks passed
PASS
TLS 1.2, 7 checks passed
Info::
TLS 1.2 is used
Got: TLS 1.2
Info::
TLS 1.3 is not negotiated
TLS 1.3 offers improved performance and security. Consider enabling it.
Got: TLS 1.2
Info::
Strong cipher suite is used
Got: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
OCSP stapling not enabled
Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.
Info::
Certificate is valid (expires in 36 days)
Got: 2026-08-16T10:16:24Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 2 domain(s)
Got: *.pornbox.com, pornbox.com
Info::
Certificate is issued by a trusted CA
Got: CN=R12,O=Let's Encrypt,C=US

TLS 1.3 offers improved performance and security. Consider enabling it.

Why this matters

TLS 1.3 not in use — connection falls back to 1.2 and pays the extra round-trip.

Learn more

Most clients prefer TLS 1.3 if both sides support it. If your server has TLS 1.3 enabled but it's not being negotiated, check for a downgrade-attack mitigation issue or a misconfigured cipher list. nginx ≥ 1.13.0 and OpenSSL ≥ 1.1.1 support TLS 1.3.

Source: RFC 8446 / Mozilla SSL Config

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Without stapling, the browser performs a separate OCSP roundtrip on first connection -- adding latency and leaking the visited host to the CA. Enable OCSP stapling on your TLS server.

Why this matters

Without OCSP stapling, every first-time visitor pays an extra OCSP roundtrip — and the CA learns who's visiting your site.

Learn more

OCSP stapling has the server fetch its own revocation status from the CA and attach the signed response to the TLS handshake. Without it, browsers contact the CA directly: extra latency for the user and a privacy leak (the CA sees who connected). Enable ssl_stapling on (nginx) / SSLUseStapling On (Apache) / OCSPStapling = on (Caddy auto-enables).

Source: RFC 6961 / Mozilla Server-Side TLS guide

Connection
Protocol
TLS 1.2
Cipher Suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
HTTP Version
HTTP/1.1

Certificate Chain

Leaf Certificate
Subject CN=pornbox.comIssuer CN=R12,O=Let's Encrypt,C=USValid 2026-05-18T10:16:25Z → 2026-08-16T10:16:24ZExpires in 36 days SANs *.pornbox.com, pornbox.comSignature SHA256-RSASerial 6e3ff70c7e12016c59c587e0b67659adc3a
Intermediate (CA Certificate)
Subject CN=R12,O=Let's Encrypt,C=USIssuer CN=ISRG Root X1,O=Internet Security Research Group,C=USValid 2024-03-13T00:00:00Z → 2027-03-12T23:59:59ZExpires in 245 days Signature SHA256-RSASerial c212324b70a9b49171dc40f7e285263c
A+
Cookie Security
No cookies set — no cookie security risks
PASS
No cookies set — no cookie security risks
Info::
No cookies set — no cookie security risks

No cookies detected — no cookie security risks to report.

A+
Cross-Origin Tab Safety
No new-tab links found -- no tabnabbing surface
PASS
No new-tab links found -- no tabnabbing surface
Info::
No new-tab links present
A+
CSP Inline-Style Readiness
No inline style attributes -- strict CSP is feasible
PASS
No inline style attributes -- strict CSP is feasible
Info::
No inline style attributes detected
A+
Bot Challenge Detection
Scan reached real page content (no bot-protection interstitial)
PASS
Scan reached real page content (no bot-protection interstitial)
Info::
No bot-protection interstitial detected -- the rest of the report reflects the real page
A+
Soft-404 Detection
No page title or headings captured -- soft-404 check is N/A
PASS
No page title or headings captured -- soft-404 check is N/A
Info::
No page title or headings captured -- soft-404 check is N/A
A+
Geo-Restriction Detection
No geo-restriction signals detected -- scan reached the page from an allowed region
PASS
No geo-restriction signals detected -- scan reached the page from an allowed region
Info::
No geo-restriction detected
A+
Maintenance Mode Detection
No maintenance-mode signals detected -- scan reached a normal page
PASS
No maintenance-mode signals detected -- scan reached a normal page
Info::
No maintenance-mode signals detected
A+
CORS Depth
No CORS response headers -- the resource is same-origin-only by browser default
PASS
No CORS response headers -- the resource is same-origin-only by browser default
Info::
No CORS response headers -- the resource is same-origin-only by browser default
A+
Referrer-Policy Strictness
Referrer-Policy is `no-referrer` (strictest -- no Referer header sent at all)
PASS
Referrer-Policy is `no-referrer` (strictest -- no Referer header sent at all)
Info::
Referrer-Policy: `no-referrer` -- strictest -- no Referer header sent at all
The strictest setting: no `Referer` header is ever sent. Maximum privacy, but breaks referrer-based analytics and any cross-origin auth flow that relies on the Referer header. Use only when the page handles no referrer-dependent flows.
Got: no-referrer
A+
Source Map Exposure
Source-map probe didn't run on this scan
PASS
Source-map probe didn't run on this scan
Info::
Source-map probe didn't run on this scan
A+
HTML Version Disclosure
No software-version disclosures in HTML
PASS
No software-version disclosures in HTML
Info::
No software-version disclosures in HTML
A+
Open Redirect Surface
No redirect-shaped query parameters in DOM links
PASS
No redirect-shaped query parameters in DOM links
Info::
No redirect-shaped query parameters in DOM links
A+
Auth Security
Page is not a login form -- auth-security checks are N/A
PASS
Page is not a login form -- auth-security checks are N/A
Info::
Page does not appear to be a login form
A+
Subdomain Inventory Exposure
No risky subdomain names in certificate SANs
PASS
No risky subdomain names in certificate SANs
Info::
No risky subdomain names in certificate SANs
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

PathStatusCategoryRisk
/.git/HEAD Not foundVersion Control
/.git/config Not foundVersion Control
/.svn/entries Not foundVersion Control
/.env Not foundConfiguration
/.env.local Not foundConfiguration
/.env.production Not foundConfiguration
/wp-config.php Not foundConfiguration
/.htaccess Not foundConfiguration
/phpinfo.php Not foundDebug
/server-status Not foundDebug
/server-info Not foundDebug
/.well-known/security.txt ExposedSecurity PolicyInfo
/package.json Not founddependency-manifest
/composer.json Not founddependency-manifest
/Gemfile Not founddependency-manifest
/Gemfile.lock Not founddependency-manifest
/requirements.txt Not founddependency-manifest
/pom.xml Not founddependency-manifest
/.gitlab-ci.yml Not foundci-config
/.travis.yml Not foundci-config
A+
API Surface
No API specs or GraphQL introspection found (probed 11 candidate path(s))
PASS
No API specs or GraphQL introspection found (probed 11 candidate path(s))
Info::
No API specs or GraphQL introspection found (probed 11 path(s))
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback