https://selectel.ru

Security

12 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.
Score: 65
Grade: D
Checks: 12 (6 PASS, 1 REVIEW, 5 FIX, 0 INFO)
Content Security Policy
Grade: D | Status: FIX | 4 of 10 CSP checks passed
Info::
Raw CSP policy
Got: connect-src 'self' *.maps.yandex.net api-maps.yandex.ru api.selectel.ru hog.selectel.ru https://chatwoot.selectel.ru wss://chatwoot.selectel.ru https://statuspal.io/api/v2/status_pages/selectel/summary https://*.mindbox.ru https://selectel.ru https://cdn.selectel.ru https://top-fwz1.mail.ru https://web.popmechanic.ru https://metrics.selectel.ru leads.selectel.ru mc.yandex.ru suggest-maps.yandex.ru wss://api.selectel.ru wss://ws.selectel.ru www.youtube.com https://yulixr.ru/ https://hooks.zapier.com/hooks/catch/11509819/ https://hooks.zapier.com/hooks/catch/12416931/ https://script.google.com/a/macros/selectel.com/s/AKfycbzM4er3RoKbPw3cQALGtakLQ7xfTtUk8PETDoXQyYh6kiCLnhu1oO4iCy2CuhT38cGrCA/exec https://files.selectel.ru https://telegram.org/pxl https://core.service.elfsight.com; default-src 'none'; font-src 'self' data: https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net; frame-ancestors 'self' my.selectel.ru promo.selectel.ru go.teachbase.ru learn.selectel.org webvisor.com metrika.yandex.ru; frame-src 'self' api-maps.yandex.ru calc.selectel.ru https://chatwoot.selectel.ru googleads.g.doubleclick.net https://forms.amocrm.ru/ https://player.vimeo.com/ https://vk.com/ https://vk.ru www.google.com www.google.ru www.youtube.com https://rutube.ru/ https://kinescope.io/; img-src https: data: blob:; manifest-src 'self'; media-src 'self' https://chatwoot.selectel.ru https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://files.selectel.ru; object-src 'self' blob:; report-uri https://relay.selectel.ru/api/87/security/?sentry_key=33110db9255441e5b312279003c189b1 https://relay.selectel.ru/api/20/csp-report/?sentry_key=7af12a7683624269a0cab11188e3d86e; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.maps.yandex.net api-maps.yandex.ru cdn.ampproject.org hog.selectel.ru https://chatwoot.selectel.ru https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://cse.google.com/adsense/search/async-ads.js https://cse.google.com/cse.js https://cse.google.com/cse/element/v1 https://s.ytimg.com https://static.popmechanic.ru https://top-fwz1.mail.ru https://vk.com https://vk.ru https://www.google.com https://metrics.selectel.ru mc.yandex.ru https://*.mindbox.ru https://widgets.mango-office.ru https://dct.mango-office.ru selectel.ru suggest-maps.yandex.ru www.google.com www.googleadservices.com www.gstatic.com www.youtube.com yastatic.net https://telegram.org/js/pixel.js https://elfsightcdn.com https://universe-static.elfsightcdn.com; style-src 'self' 'unsafe-inline' https://cdn.selectel.ru/ https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://chatwoot.selectel.ru https://fonts.googleapis.com https://static.popmechanic.ru https://www.google.com/cse/static/element/ https://www.google.com/cse/static/style/look/v4/espresso.css https://*.mindbox.ru; upgrade-insecure-requests;
Info::
default-src directive is set
Got: default-src 'none'
Critical::
'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' *.maps.yandex.net api-maps.yandex.ru cdn.ampproject.org hog.selectel.ru https://chatwoot.selectel.ru https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://cse.google.com/adsense/search/async-ads.js https://cse.google.com/cse.js https://cse.google.com/cse/element/v1 https://s.ytimg.com https://static.popmechanic.ru https://top-fwz1.mail.ru https://vk.com https://vk.ru https://www.google.com https://metrics.selectel.ru mc.yandex.ru https://*.mindbox.ru https://widgets.mango-office.ru https://dct.mango-office.ru selectel.ru suggest-maps.yandex.ru www.google.com www.googleadservices.com www.gstatic.com www.youtube.com yastatic.net https://telegram.org/js/pixel.js https://elfsightcdn.com https://universe-static.elfsightcdn.com
Critical::
'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src 'self' 'unsafe-eval' 'unsafe-inline' *.maps.yandex.net api-maps.yandex.ru cdn.ampproject.org hog.selectel.ru https://chatwoot.selectel.ru https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://cse.google.com/adsense/search/async-ads.js https://cse.google.com/cse.js https://cse.google.com/cse/element/v1 https://s.ytimg.com https://static.popmechanic.ru https://top-fwz1.mail.ru https://vk.com https://vk.ru https://www.google.com https://metrics.selectel.ru mc.yandex.ru https://*.mindbox.ru https://widgets.mango-office.ru https://dct.mango-office.ru selectel.ru suggest-maps.yandex.ru www.google.com www.googleadservices.com www.gstatic.com www.youtube.com yastatic.net https://telegram.org/js/pixel.js https://elfsightcdn.com https://universe-static.elfsightcdn.com
Info::
No wildcard in script source
Warning::
object-src allows plugin content
Set object-src to 'none' to prevent Flash/Java plugin exploits.
Got: object-src 'self' blob:
Expected: object-src 'none'
Warning::
base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Info::
frame-ancestors directive is set
Got: frame-ancestors 'self' my.selectel.ru promo.selectel.ru go.teachbase.ru learn.selectel.org webvisor.com metrika.yandex.ru
Warning::
form-action directive is missing
form-action restricts where forms can submit data, preventing form hijacking.
Expected: form-action 'self'
Info::
upgrade-insecure-requests is enabled

'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.

Why this matters

Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.

Learn more

unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

Set object-src to 'none' to prevent Flash/Java plugin exploits.

Expected: object-src 'none'
Why this matters

object-src open in CSP allows Flash/PDF/plugin embedding — a now-deprecated attack vector that should be explicitly blocked.

Learn more

object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.

Source: MDN CSP

Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.

Expected: base-uri 'self'
Why this matters

Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

form-action restricts where forms can submit data, preventing form hijacking.

Expected: form-action 'self'
Why this matters

Security gaps expose your site and users to attacks, eroding trust.

Parsed Policy

connect-src 'self' *.maps.yandex.net api-maps.yandex.ru api.selectel.ru hog.selectel.ru https://chatwoot.selectel.ru wss://chatwoot.selectel.ru https://statuspal.io/api/v2/status_pages/selectel/summary https://*.mindbox.ru https://selectel.ru https://cdn.selectel.ru https://top-fwz1.mail.ru https://web.popmechanic.ru https://metrics.selectel.ru leads.selectel.ru mc.yandex.ru suggest-maps.yandex.ru wss://api.selectel.ru wss://ws.selectel.ru www.youtube.com https://yulixr.ru/ https://hooks.zapier.com/hooks/catch/11509819/ https://hooks.zapier.com/hooks/catch/12416931/ https://script.google.com/a/macros/selectel.com/s/AKfycbzM4er3RoKbPw3cQALGtakLQ7xfTtUk8PETDoXQyYh6kiCLnhu1oO4iCy2CuhT38cGrCA/exec https://files.selectel.ru https://telegram.org/pxl https://core.service.elfsight.com
default-src 'none'
font-src 'self' data: https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net
frame-ancestors 'self' my.selectel.ru promo.selectel.ru go.teachbase.ru learn.selectel.org webvisor.com metrika.yandex.ru
frame-src 'self' api-maps.yandex.ru calc.selectel.ru https://chatwoot.selectel.ru googleads.g.doubleclick.net https://forms.amocrm.ru/ https://player.vimeo.com/ https://vk.com/ https://vk.ru www.google.com www.google.ru www.youtube.com https://rutube.ru/ https://kinescope.io/
img-src https: data: blob:
manifest-src 'self'
media-src 'self' https://chatwoot.selectel.ru https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://files.selectel.ru
object-src 'self' blob:
report-uri https://relay.selectel.ru/api/87/security/?sentry_key=33110db9255441e5b312279003c189b1 https://relay.selectel.ru/api/20/csp-report/?sentry_key=7af12a7683624269a0cab11188e3d86e
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.maps.yandex.net api-maps.yandex.ru cdn.ampproject.org hog.selectel.ru https://chatwoot.selectel.ru https://cdn.selectel.ru https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://cse.google.com/adsense/search/async-ads.js https://cse.google.com/cse.js https://cse.google.com/cse/element/v1 https://s.ytimg.com https://static.popmechanic.ru https://top-fwz1.mail.ru https://vk.com https://vk.ru https://www.google.com https://metrics.selectel.ru mc.yandex.ru https://*.mindbox.ru https://widgets.mango-office.ru https://dct.mango-office.ru selectel.ru suggest-maps.yandex.ru www.google.com www.googleadservices.com www.gstatic.com www.youtube.com yastatic.net https://telegram.org/js/pixel.js https://elfsightcdn.com https://universe-static.elfsightcdn.com
style-src 'self' 'unsafe-inline' https://cdn.selectel.ru/ https://6f3bf64a-14d1-4b68-9202-2a000ca072b9.selcdn.net https://chatwoot.selectel.ru https://fonts.googleapis.com https://static.popmechanic.ru https://www.google.com/cse/static/element/ https://www.google.com/cse/static/style/look/v4/espresso.css https://*.mindbox.ru
upgrade-insecure-requests
Subresource Integrity
Grade: F | Status: FIX | 0 of 36 external resources have SRI
Warning::
External script from widgets.mango-office.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //widgets.mango-office.ru/widgets/mango.js
Warning::
External script from mc.yandex.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://mc.yandex.ru/metrika/tag.js
Warning::
External script from telegram.org lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://telegram.org/js/pixel.js
Warning::
External script from top-fwz1.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://top-fwz1.mail.ru/js/code.js
Warning::
External script from top-fwz1.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://top-fwz1.mail.ru/js/code.js
Warning::
External script from metrics.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://metrics.selectel.ru/js/container_MIheIjCo.js
Warning::
External script from api.mindbox.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://api.mindbox.ru/scripts/v1/tracker.js
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/entry.CIQwED_f.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/swiper-vue.DCASaf05.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/default.DfE_OiS0.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/LayoutUpButtonScroll.BhSSlfqe.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/UiBurgerButton.JnRuAb03.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/UiCustomInput.D9wC7c0c.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/UiSkeleton.B6VYkjIz.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/UiAccordion.Cym7muf3.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/UiSocialButton.II_-y3AA.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/UiCloseButton.CEO8lyj2.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/FormRegistrationRu.Cv8gDds4.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/UiCheckbox.B0hrfF7b.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/useRegistrationForm.Z44wlC9f.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/CardGetInTouch.t5zHKlcu.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/ContentCallToRegistration.BhiE-tLD.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/ActionStepsImages.CQAC-BwI.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/ImageCallToAction.C79EI6eT.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/ContentSupport.CtxCDhrE.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/ContentAcademyCard.B0E5y2zu.css
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/ContentPagesAboutCompanyClients.60YOM1rZ.css
Warning::
External script from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/DwojNK-9.js
Warning::
External link from cdn.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://cdn.selectel.ru/site_v3/_nuxt_v3/index.BFXeGPha.css
Warning::
External script from vk.com lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://vk.com/js/api/openapi.js?161
Warning::
External script from chatwoot.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://chatwoot.selectel.ru/packs/js/sdk.js
Warning::
External script from dct.mango-office.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //dct.mango-office.ru/34823/settings?callback=mgo1497193466178
Warning::
External script from dct.mango-office.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: //dct.mango-office.ru/track/times?wid=34823&beforeLoadScript=1309.8000001907349&loadScript=275.80000019073486&beforeLoadNumber=65.39999961853027&loadNumber=275.6000003814697&showNumber=0.5&sid=wokvtdlm3511001t6l49&uid=dpL6KiXoMRCivkknLGrT&title=IT-%D0%B8%D0%BD%D1%84%D1%80%D0%B0%D1%81%D1%82%D1%80%D1%83%D0%BA%D1%82%D1%83%D1%80%D0%B0%20%D0%B4%D0%BB%D1%8F%20%D0%B1%D0%B8%D0%B7%D0%BD%D0%B5%D1%81%D0%B0%20%D0%BE%D1%82%20%D0%BE%D0%B1%D0%BB%D0%B0%D1%87%D0%BD%D0%BE%D0%B3%D0%BE%20%D0%BF%D1%80%D0%BE%D0%B2%D0%B0%D0%B9%D0%B4%D0%B5%D1%80%D0%B0%20Selectel%2C%20%D0%B0%D1%80%D0%B5%D0%BD%D0%B4%D0%B0%20IaaS%20%D0%B8%20PaaS&referrer=&nu=1&url=https%3A%2F%2Fselectel.ru%2F&callback=mgo696897768724
Warning::
External script from hog.selectel.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://hog.selectel.ru/static/recorder.js?v=1.68.1
Warning::
External script from privacy-cs.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://privacy-cs.mail.ru/static/sync-loader.js
Warning::
External script from top-fwz1.mail.ru lacks integrity attribute
Without SRI, if this CDN is compromised, attackers could inject malicious code.
Got: https://top-fwz1.mail.ru/js/dyn-goal-config.js?ids=3132958,3283284
SRI Coverage: 0 / 36 external resources have integrity hashes

Tag | Domain | Integrity
<script> | widgets.mango-office.ru | Missing
<script> | mc.yandex.ru | Missing
<script> | telegram.org | Missing
<script> | top-fwz1.mail.ru | Missing
<script> | top-fwz1.mail.ru | Missing
<script> | metrics.selectel.ru | Missing
<script> | api.mindbox.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<script> | cdn.selectel.ru | Missing
<link> | cdn.selectel.ru | Missing
<script> | vk.com | Missing
<script> | chatwoot.selectel.ru | Missing
<script> | dct.mango-office.ru | Missing
<script> | dct.mango-office.ru | Missing
<script> | hog.selectel.ru | Missing
<script> | privacy-cs.mail.ru | Missing
<script> | top-fwz1.mail.ru | Missing
Permissions-Policy
Grade: D | Status: FIX | No header set
Warning::
No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
CORS Configuration
Grade: F | Status: FIX | Origin: *
Critical::
Access-Control-Allow-Origin: * with credentials — critical misconfiguration
Browsers block this, but it signals a server-side misconfiguration that may be exploitable.
Info::
Origin reflection not testable with a single request
Some servers reflect the request Origin header. This requires manual testing with a crafted Origin header.
CORS Configuration: MISCONFIGURED
Allow-Origin: * | Allow-Credentials: true

Wildcard origin with credentials is a security vulnerability.

Set Allow-Origin to a specific origin when using credentials.

Header | Value
Access-Control-Allow-Origin | *
Access-Control-Allow-Credentials | true
Access-Control-Allow-Headers | Origin, X-Requested-With, Authorization, Content-Type, Accept, Access-Control-Allow-Credentials, DNT, X-CustomHeader, Keep-Alive, User-Agent, If-Modified-Since, Cache-Control, X-Token
Access-Control-Max-Age | 1728000

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
security.txt
Grade: D | Status: FIX | No /.well-known/security.txt published

No security.txt found at /.well-known/security.txt

Security Headers
Grade: C | Status: REVIEW | 5 of 10 headers properly configured
Info::
Strict-Transport-Security is properly configured (consider adding preload)
Got: max-age=63072000; includeSubDomains
Info::
X-Content-Type-Options is properly configured
Got: nosniff
Warning::
X-Frame-Options header is missing
This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.
Expected: DENY
Warning::
Referrer-Policy header is missing
Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.
Expected: strict-origin-when-cross-origin
Warning::
Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info::
Content-Security-Policy is present
Got: connect-src 'self' *.maps.yandex.net api-maps.yandex.ru api.selectel.ru hog.sele…
Warning::
Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
Expected: same-origin
Warning::
Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info::
X-Powered-By header is not present
Info::
Server header is not present

This header prevents clickjacking by controlling who can embed your page in a frame. Set it to DENY or SAMEORIGIN.

Expected: DENY
Why this matters

Without frame protection, your site can be embedded in a hostile page and used for clickjacking.

Learn more

Clickjacking overlays your site under a transparent malicious page so users click invisible buttons. Setting X-Frame-Options: DENY (or a modern frame-ancestors CSP directive) blocks the embedding entirely. There's almost never a legitimate reason to allow it.

Source: OWASP / MDN

Controls how much referrer information is sent with requests. Set to 'strict-origin-when-cross-origin' or stricter.

Expected: strict-origin-when-cross-origin
Why this matters

Default browser behavior leaks full URLs (including query params and tokens) to every third-party resource — set a strict policy.

Learn more

Without a Referrer-Policy header, browsers send the full referring URL with images, scripts, and fonts loaded from third-party origins. URLs containing tokens, user IDs, or session params end up in third-party logs. Set `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) to limit leakage.

Source: MDN / W3C

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.

Expected: same-origin
Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.

Expected: require-corp
Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

TLS & Certificates
Grade: A+ | Status: PASS | TLS 1.2, 7 checks passed
Info::
TLS 1.2 is used
Got: TLS 1.2
Info::
TLS 1.3 is not negotiated
TLS 1.3 offers improved performance and security. Consider enabling it.
Got: TLS 1.2
Info::
Strong cipher suite is used
Got: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 64 days)
Got: 2026-06-19T23:23:05Z
Info::
Certificate chain has 2 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 4 domain(s)
Got: api.selectel.ru, my.selectel.ru, selectel.ru, ws.selectel.ru
Info::
Certificate is issued by a trusted CA
Got: CN=R12,O=Let's Encrypt,C=US

TLS 1.3 offers improved performance and security. Consider enabling it.

Why this matters

TLS 1.3 not in use — connection falls back to 1.2 and pays the extra round-trip.

Learn more

Most clients prefer TLS 1.3 if both sides support it. If your server has TLS 1.3 enabled but it's not being negotiated, check for a downgrade-attack mitigation issue or a misconfigured cipher list. nginx ≥ 1.13.0 and OpenSSL ≥ 1.1.1 support TLS 1.3.

Source: RFC 8446 / Mozilla SSL Config

HTTP/2 provides multiplexing and header compression for better performance.

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol: TLS 1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
HTTP Version: HTTP/1.1

Certificate Chain

Leaf Certificate
Subject: CN=selectel.ru
Issuer: CN=R12,O=Let's Encrypt,C=US
Valid: 2026-03-21T23:23:06Z → 2026-06-19T23:23:05Z (expires in 64 days)
SANs: api.selectel.ru, my.selectel.ru, selectel.ru, ws.selectel.ru
Signature: SHA256-RSA
Serial: 6317053bb0b04321920a19afade0d919d8b

Intermediate (CA Certificate)
Subject: CN=R12,O=Let's Encrypt,C=US
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Valid: 2024-03-13T00:00:00Z → 2027-03-12T23:59:59Z (expires in 330 days)
Signature: SHA256-RSA
Serial: c212324b70a9b49171dc40f7e285263c
Cookie Security
Grade: A+ | Status: PASS | 1 cookie analyzed, 3 checks passed
Info::
Cookie 'hsid' has the Secure flag
Info::
Cookie 'hsid' has the HttpOnly flag
Info::
Cookie 'hsid' has SameSite=Lax
1 cookie analyzed

Name | Secure | HttpOnly | SameSite | Size | Issues
hsid | Yes | Yes | Lax | 40 B | none
JS Library Vulnerabilities
Grade: A+ | Status: PASS | No known vulnerabilities
Info::
No known JavaScript library vulnerabilities detected

Information Leakage
Grade: A+ | Status: PASS | No exposures
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path | Status | Category
/.git/HEAD | Not found | Version Control
/.git/config | Not found | Version Control
/.svn/entries | Not found | Version Control
/.env | Not found | Configuration
/.env.local | Not found | Configuration
/.env.production | Not found | Configuration
/wp-config.php | Not found | Configuration
/.htaccess | Not found | Configuration
/phpinfo.php | Not found | Debug
/server-status | Not found | Debug
/server-info | Not found | Debug
/.well-known/security.txt | Not found | Security Policy
Email Security
Grade: A | Status: PASS | DMARC: quarantine
Info::
DMARC policy is quarantine — good protection
DMARC
Policy: quarantine — good protection
Record: v=DMARC1; p=quarantine; pct=100; sp=quarantine; rua=mailto:mail_reports@selectel.ru; ruf=mailto:mail_reports@selectel.ru; fo=1;
Transport Security
Grade: A | Status: PASS | HTTP/3, HSTS, and TLS version analysis
Info::
HTTP/3 (QUIC) not advertised
HTTP/3 eliminates head-of-line blocking. If your CDN supports it, consider enabling it.
Info::
HSTS enabled (includeSubDomains)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.