https://preply.com
Security
· 12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.SCORE
73
GRADE
C
FIX
3
REVIEW
4
PASS
5
INFO
0
Checks
125 PASS 4 REVIEW 3 FIX
DContent Security PolicyAction3 of 10 CSP checks passedFIX
Content Security Policy
Action3 of 10 CSP checks passed
3 of 10 CSP checks passed
Info::
Raw CSP policy
Got: default-src wss: data: blob: preply: chrome-extension: ms-appx-web: https: *.preply.com *.default.com *.intercom-messenger.com *.vitally-eu.io 'unsafe-inline' 'self'; img-src 'self' data: blob: https: preply: chrome-extension: ms-appx-web: *.preply.com neuvoo.ca; object-src 'self' *.preply.com tf-chat-images-prod.s3.amazonaws.com; block-all-mixed-content; script-src 'self' data: blob: *.preply.com preply.com cdn.jsdelivr.net www.googleadservices.com www.redditstatic.com analytics.tiktok.com js.zi-scripts.com tags.clickagy.com aorta.clickagy.com hemsync.clickagy.com hemsync.clickagy.com cdn.pdst.fm *.tvsquared.com *.onesignal.com onesignal.com snap.licdn.com px.ads.linkedin.com js.appboycdn.com app.link *.sumome.com www.gstatic.com *.doubleclick.net *.sumo.com *.branch.io *.google.com *.bing.com *.opentok.com *.pubnub.com *.pndsn.com *.pubnub.net *.pubnubapi.com *.hotjar.com *.hotjar.io *.facebook.net www.googletagmanager.com *.google-analytics.com *.intercomcdn.com *.intercom.io *.stripe.com *.googleapis.com *.youtube.com *.ytimg.com *.ampproject.org *.googlesyndication.com *.trustpilot.com www.dwin1.com www.awin1.com www.zenaps.com the.sciencebehindecommerce.com amplify.outbrain.com tr.outbrain.com 'unsafe-eval' 'unsafe-inline' api.braintreegateway.com assets.braintreegateway.com client-analytics.braintreegateway.com js.braintreegateway.com *.braintree-api.com *.paypal.com *.payrails.io pay.google.com songbird.cardinalcommerce.com sc-static.net player.vimeo.com ajax.cloudflare.com preply.us1.list-manage.com cdn.cookielaw.org geolocation.onetrust.com cdn-cookieyes.com www.clickcease.com click.appcast.io *.clarity.ms tags.crwdcntrl.net *.hs-scripts.com *.hubspot.com *.hscollectedforms.net *.hsadspixel.net *.hs-banner.com *.hs-analytics.net *.hsforms.com *.hsleadflows.net *.usemessages.com init.blackcrow.ai unpkg.com *.hscta.net static.learncube.net *.ubembed.com cdn.plot.ly *.agora.io *.cdn-apple.com js.skyflow.com *.typeform.com www.datadoghq-browser-agent.com *.default.com *.usercentrics.eu risk.checkout.com fpjs.checkout.com fpjscache.checkout.com fpjsworker.checkout.com ddwl4m2hdecbv.cloudfront.net adora-cdn.com *.adora-cdn.com jobs.ashbyhq.com *.sc-static.net *.snapchat.com *.tapad.com *.axon.ai *.albss.com *.applovin.com cdn.vitally.io *.vitally-eu.io wcs.naver.net wcs.naver.com *.pstatic.net *.openai.com; frame-ancestors 'self' www.upward.net; report-uri https://sentry-ext.preply.org/api/48/security/?sentry_key=f9d940af8b044614932c632dd13ccad6&sentry_environment=production
Info::
default-src directive is set
Got: default-src wss: data: blob: preply: chrome-extension: ms-appx-web: https: *.preply.com *.default.com *.intercom-messenger.com *.vitally-eu.io 'unsafe-inline' 'self'
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' data: blob: *.preply.com preply.com cdn.jsdelivr.net www.googleadservices.com www.redditstatic.com analytics.tiktok.com js.zi-scripts.com tags.clickagy.com aorta.clickagy.com hemsync.clickagy.com hemsync.clickagy.com cdn.pdst.fm *.tvsquared.com *.onesignal.com onesignal.com snap.licdn.com px.ads.linkedin.com js.appboycdn.com app.link *.sumome.com www.gstatic.com *.doubleclick.net *.sumo.com *.branch.io *.google.com *.bing.com *.opentok.com *.pubnub.com *.pndsn.com *.pubnub.net *.pubnubapi.com *.hotjar.com *.hotjar.io *.facebook.net www.googletagmanager.com *.google-analytics.com *.intercomcdn.com *.intercom.io *.stripe.com *.googleapis.com *.youtube.com *.ytimg.com *.ampproject.org *.googlesyndication.com *.trustpilot.com www.dwin1.com www.awin1.com www.zenaps.com the.sciencebehindecommerce.com amplify.outbrain.com tr.outbrain.com 'unsafe-eval' 'unsafe-inline' api.braintreegateway.com assets.braintreegateway.com client-analytics.braintreegateway.com js.braintreegateway.com *.braintree-api.com *.paypal.com *.payrails.io pay.google.com songbird.cardinalcommerce.com sc-static.net player.vimeo.com ajax.cloudflare.com preply.us1.list-manage.com cdn.cookielaw.org geolocation.onetrust.com cdn-cookieyes.com www.clickcease.com click.appcast.io *.clarity.ms tags.crwdcntrl.net *.hs-scripts.com *.hubspot.com *.hscollectedforms.net *.hsadspixel.net *.hs-banner.com *.hs-analytics.net *.hsforms.com *.hsleadflows.net *.usemessages.com init.blackcrow.ai unpkg.com *.hscta.net static.learncube.net *.ubembed.com cdn.plot.ly *.agora.io *.cdn-apple.com js.skyflow.com *.typeform.com www.datadoghq-browser-agent.com *.default.com *.usercentrics.eu risk.checkout.com fpjs.checkout.com fpjscache.checkout.com fpjsworker.checkout.com ddwl4m2hdecbv.cloudfront.net adora-cdn.com *.adora-cdn.com jobs.ashbyhq.com *.sc-static.net *.snapchat.com *.tapad.com *.axon.ai *.albss.com *.applovin.com cdn.vitally.io *.vitally-eu.io wcs.naver.net wcs.naver.com *.pstatic.net *.openai.com
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' data: blob: *.preply.com preply.com cdn.jsdelivr.net www.googleadservices.com www.redditstatic.com analytics.tiktok.com js.zi-scripts.com tags.clickagy.com aorta.clickagy.com hemsync.clickagy.com hemsync.clickagy.com cdn.pdst.fm *.tvsquared.com *.onesignal.com onesignal.com snap.licdn.com px.ads.linkedin.com js.appboycdn.com app.link *.sumome.com www.gstatic.com *.doubleclick.net *.sumo.com *.branch.io *.google.com *.bing.com *.opentok.com *.pubnub.com *.pndsn.com *.pubnub.net *.pubnubapi.com *.hotjar.com *.hotjar.io *.facebook.net www.googletagmanager.com *.google-analytics.com *.intercomcdn.com *.intercom.io *.stripe.com *.googleapis.com *.youtube.com *.ytimg.com *.ampproject.org *.googlesyndication.com *.trustpilot.com www.dwin1.com www.awin1.com www.zenaps.com the.sciencebehindecommerce.com amplify.outbrain.com tr.outbrain.com 'unsafe-eval' 'unsafe-inline' api.braintreegateway.com assets.braintreegateway.com client-analytics.braintreegateway.com js.braintreegateway.com *.braintree-api.com *.paypal.com *.payrails.io pay.google.com songbird.cardinalcommerce.com sc-static.net player.vimeo.com ajax.cloudflare.com preply.us1.list-manage.com cdn.cookielaw.org geolocation.onetrust.com cdn-cookieyes.com www.clickcease.com click.appcast.io *.clarity.ms tags.crwdcntrl.net *.hs-scripts.com *.hubspot.com *.hscollectedforms.net *.hsadspixel.net *.hs-banner.com *.hs-analytics.net *.hsforms.com *.hsleadflows.net *.usemessages.com init.blackcrow.ai unpkg.com *.hscta.net static.learncube.net *.ubembed.com cdn.plot.ly *.agora.io *.cdn-apple.com js.skyflow.com *.typeform.com www.datadoghq-browser-agent.com *.default.com *.usercentrics.eu risk.checkout.com fpjs.checkout.com fpjscache.checkout.com fpjsworker.checkout.com ddwl4m2hdecbv.cloudfront.net adora-cdn.com *.adora-cdn.com jobs.ashbyhq.com *.sc-static.net *.snapchat.com *.tapad.com *.axon.ai *.albss.com *.applovin.com cdn.vitally.io *.vitally-eu.io wcs.naver.net wcs.naver.com *.pstatic.net *.openai.com
Info::
No wildcard in script source
Warning::
object-src allows plugin content
Set object-src to 'none' to prevent Flash/Java plugin exploits.
Got: object-src 'self' *.preply.com tf-chat-images-prod.s3.amazonaws.com Expected: object-src 'none'
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'self' www.upward.net
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is not set
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected: upgrade-insecure-requests
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Why this matters
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Why this matters
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
Set object-src to 'none' to prevent Flash/Java plugin exploits.
Expected:
object-src 'none'Why this matters
object-src open in CSP allows Flash/PDF/plugin embedding — a now-deprecated attack vector that should be explicitly blocked.
Learn more ▾ ▴
object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.
Source: MDN CSP
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected:
base-uri 'self'Why this matters
Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.
Learn more ▾ ▴
A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.
Source: MDN CSP
form-action restricts where forms can submit data, preventing form hijacking.
Expected:
form-action 'self'Why this matters
Security gaps expose your site and users to attacks, eroding trust.
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
Expected:
upgrade-insecure-requestsWhy this matters
Without upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.
Learn more ▾ ▴
Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.
Source: MDN CSP
Parsed Policy
default-src wss:data:blob:preply:chrome-extension:ms-appx-web:https:*.preply.com*.default.com*.intercom-messenger.com*.vitally-eu.io'unsafe-inline''self'
img-src 'self'data:blob:https:preply:chrome-extension:ms-appx-web:*.preply.comneuvoo.ca
object-src 'self'*.preply.comtf-chat-images-prod.s3.amazonaws.com
block-all-mixed-content
script-src 'self'data:blob:*.preply.compreply.comcdn.jsdelivr.netwww.googleadservices.comwww.redditstatic.comanalytics.tiktok.comjs.zi-scripts.comtags.clickagy.comaorta.clickagy.comhemsync.clickagy.comhemsync.clickagy.comcdn.pdst.fm*.tvsquared.com*.onesignal.comonesignal.comsnap.licdn.compx.ads.linkedin.comjs.appboycdn.comapp.link*.sumome.comwww.gstatic.com*.doubleclick.net*.sumo.com*.branch.io*.google.com*.bing.com*.opentok.com*.pubnub.com*.pndsn.com*.pubnub.net*.pubnubapi.com*.hotjar.com*.hotjar.io*.facebook.netwww.googletagmanager.com*.google-analytics.com*.intercomcdn.com*.intercom.io*.stripe.com*.googleapis.com*.youtube.com*.ytimg.com*.ampproject.org*.googlesyndication.com*.trustpilot.comwww.dwin1.comwww.awin1.comwww.zenaps.comthe.sciencebehindecommerce.comamplify.outbrain.comtr.outbrain.com'unsafe-eval''unsafe-inline'api.braintreegateway.comassets.braintreegateway.comclient-analytics.braintreegateway.comjs.braintreegateway.com*.braintree-api.com*.paypal.com*.payrails.iopay.google.comsongbird.cardinalcommerce.comsc-static.netplayer.vimeo.comajax.cloudflare.compreply.us1.list-manage.comcdn.cookielaw.orggeolocation.onetrust.comcdn-cookieyes.comwww.clickcease.comclick.appcast.io*.clarity.mstags.crwdcntrl.net*.hs-scripts.com*.hubspot.com*.hscollectedforms.net*.hsadspixel.net*.hs-banner.com*.hs-analytics.net*.hsforms.com*.hsleadflows.net*.usemessages.cominit.blackcrow.aiunpkg.com*.hscta.netstatic.learncube.net*.ubembed.comcdn.plot.ly*.agora.io*.cdn-apple.comjs.skyflow.com*.typeform.comwww.datadoghq-browser-agent.com*.default.com*.usercentrics.eurisk.checkout.comfpjs.checkout.comfpjscache.checkout.comfpjsworker.checkout.comddwl4m2hdecbv.cloudfront.netadora-cdn.com*.adora-cdn.comjobs.ashbyhq.com*.sc-static.net*.snapchat.com*.tapad.com*.axon.ai*.albss.com*.applovin.comcdn.vitally.io*.vitally-eu.iowcs.naver.netwcs.naver.com*.pstatic.net*.openai.com
frame-ancestors 'self'www.upward.net
report-uri https://sentry-ext.preply.org/api/48/security/?sentry_key=f9d940af8b044614932c632dd13ccad6&sentry_environment=production
FSubresource IntegrityAction0 of 30 external resources have SRIFIX
Subresource Integrity
Action0 of 30 external resources have SRI
0 of 30 external resources have SRI
Warning::
External link from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/css/a0d36eb0dd4b83db.css
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/polyfills-42372ed130431b0a.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/webpack-7ef43192e514f60e.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/framework-14b53c77301a6553.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/main-367989e0b1b8d3ce.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/pages/_app-a6625414c9ed085d.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/54413-d0812a8e7d37e50a.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/93575-53900eb53af250e7.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/68174-a2db8d1f561f3295.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/75004-4913ce3d1b524b96.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/46731-3d8dfd682488300b.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/16040-70e7432f5961a3fa.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/95367-be44f6c62638ccbe.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/95059-5ce754634a0d9520.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/32464-131eadd95000a19c.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/64122-7aac7e3a1aad00af.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/40414-e345e40a47c5e7ca.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/87385-a52e3bec05c72036.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/20152-68853c703f691412.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/13017-7767801e44373c8d.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/28151-78b49faead823c40.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/3925-4f52f72f00bc3e52.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/96879-9a7e2b3e4bbf3e0f.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/82983-c98f5937cb5c14cb.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/10142-b7dae0a81f62ac63.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/84711-6b23d87df088f713.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/72455-d95780cf7fd93ee3.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/chunks/pages/home-b677899bc81f7f71.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/3HR-VTD3usRfM489z1_Jr/_buildManifest.js
Warning::
External script from static.preply.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://static.preply.com/static/ssr/_next/static/3HR-VTD3usRfM489z1_Jr/_ssgManifest.js
SRI Coverage 0 / 30 of external resources have integrity hashes
| Tag | Domain | Integrity |
|---|---|---|
| <link> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
| <script> | static.preply.com | ✗ Missing |
DPermissions-PolicyActionNo header setFIX
Permissions-Policy
ActionNo header set
No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.
No Permissions-Policy header set.
Without this header, embedded iframes can request access to sensitive device features.
Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
BSecurity Headers7 of 10 headers properly configuredREVIEW
Security Headers
7 of 10 headers properly configured
7 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured
Got: max-age=63072000; includeSubDomains; preload
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Info::
X-Frame-Options is properly configured
Got: sameorigin
Info::
Referrer-Policy is properly configured
Got: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: default-src wss: data: blob: preply: chrome-extension: ms-appx-web: https: *.pre…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is present without version info
Got: cloudflare
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected:
geolocation=(), camera=(), microphone=()Why this matters
Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.
Learn more ▾ ▴
By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.
Source: MDN / W3C
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected:
same-originWhy this matters
COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected:
require-corpWhy this matters
COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
BCORS ConfigurationNo CORS headersREVIEW
CORS Configuration
No CORS headers
No CORS headers
Info::
No CORS headers present — secure default
CORS Configuration ✓ Secure
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
Bsecurity.txtPublished with 1 contact(s)REVIEW
security.txt
Published with 1 contact(s)
security.txt
Contact: security@preply.com
A+TLS & CertificatesTLS 1.3, 7 checks passedPASS
TLS & Certificates
TLS 1.3, 7 checks passed
TLS 1.3, 7 checks passed
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_CHACHA20_POLY1305_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 67 days)
Got: 2026-06-29T09:26:16Z
Info::
Certificate chain has 3 certificates
Info::
Certificate uses modern signature algorithm
Got: ECDSA-SHA256
Info::
Certificate covers 2 domain(s)
Got: preply.com, *.preply.com
Info::
Certificate is issued by a trusted CA
Got: CN=WE1,O=Google Trust Services,C=US
HTTP/2 provides multiplexing and header compression for better performance.
Why this matters
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Connection
Protocol
TLS 1.3
Cipher Suite
TLS_CHACHA20_POLY1305_SHA256
HTTP Version
HTTP/1.1
Certificate Chain
Leaf Certificate
Subject CN=preply.comIssuer CN=WE1,O=Google Trust Services,C=USValid 2026-03-31T08:26:20Z → 2026-06-29T09:26:16ZExpires in 67 days SANs preply.com, *.preply.comSignature ECDSA-SHA256Serial 9af03df17fd045200ee190a2cfa98dba
Intermediate (CA Certificate)
Subject CN=WE1,O=Google Trust Services,C=USIssuer CN=GTS Root R4,O=Google Trust Services LLC,C=USValid 2023-12-13T09:00:00Z → 2029-02-20T14:00:00ZExpires in 1034 days Signature ECDSA-SHA384Serial 7ff31977972c224a76155d13b6d685e3
Intermediate (CA Certificate)
Subject CN=GTS Root R4,O=Google Trust Services LLC,C=USIssuer CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BEValid 2023-11-15T03:43:21Z → 2028-01-28T00:00:42ZExpires in 645 days Signature SHA256-RSASerial 7fe530bf331343bedd821610493d8a1b
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
JS Library Vulnerabilities
No known vulnerabilities
No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
Information Leakage
No exposures
No exposures
Info::
security.txt is present — good practice
Info::
No sensitive files exposed
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✗ Exposed | Security Policy | Info |
A+Email SecurityDMARC: rejectPASS
Email Security
DMARC: reject
DMARC: reject
Info::
DMARC policy is reject — strongest protection
DMARC
Policy reject — strongest protection Record v=DMARC1;p=reject;rua=mailto:dmarc@preply.com;ruf=mailto:dmarc@preply.com;
A+Transport SecurityHTTP/3, HSTS, and TLS version analysisPASS
Transport Security
HTTP/3, HSTS, and TLS version analysis
HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) supported
The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.
Info::
HSTS enabled (includeSubDomains, preload)
Info::
HSTS preload enabled
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.