https://vnexpress.net

Security

13 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.

Score: 70
Grade: C
Checks: 13 (5 PASS, 3 REVIEW, 5 FIX, 0 INFO)
Content Security Policy
Grade: D | Status: FIX | Action required
5 of 10 CSP checks passed

Info: Raw CSP policy
Got: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com ; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com; font-src data: https: https://fonts.gstatic.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://*.vnexpress.net https://vnexpress.net
Info: default-src directive is set
Got: default-src data: 'unsafe-inline' 'unsafe-eval' https:
Critical: 'unsafe-inline' found in script source
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Got: script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com
Critical: 'unsafe-eval' found in script source
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Got: script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com
Info: No wildcard in script source
Warning: object-src allows plugin content
Set object-src to 'none' to prevent Flash/Java plugin exploits.
Got: object-src https:
Expected: object-src 'none'
Warning: base-uri directive is missing
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
Expected: base-uri 'self'
Info: frame-ancestors directive is set
Got: frame-ancestors https://*.vnexpress.net https://vnexpress.net
Info: form-action directive is set
Got: form-action https:
Info: upgrade-insecure-requests is enabled

Details

'unsafe-inline' and 'unsafe-eval' in script source

Why this matters

An unsafe value ('unsafe-inline' or 'unsafe-eval') in script-src defeats CSP's main protection: injected scripts can execute again.

Learn more

'unsafe-inline' allows inline <script> tags; 'unsafe-eval' allows eval() and similar functions. Both are still needed by some legacy code but are explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.

Source: OWASP CSP / MDN

object-src allows plugin content

Expected: object-src 'none'

Why this matters

An open object-src in CSP allows Flash/PDF/plugin embedding, a now-deprecated attack vector that should be explicitly blocked.

Learn more

object-src controls <object>, <embed>, and <applet> elements. Modern sites have no need for plugins; setting `object-src 'none'` blocks an entire class of legacy XSS vectors at zero cost. If your CSP missed it, add the directive.

Source: MDN CSP

base-uri directive is missing

Expected: base-uri 'self'

Why this matters

A missing base-uri in CSP leaves a base-tag injection path open even on an otherwise strict policy.

Learn more

A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.

Source: MDN CSP

Parsed Policy

upgrade-insecure-requests
default-src data: 'unsafe-inline' 'unsafe-eval' https:
script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com
style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com
img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com
font-src data: https: https://fonts.gstatic.com
connect-src https: wss: blob:
media-src data: https: blob:
object-src https:
child-src https: data: blob:
form-action https:
frame-ancestors https://*.vnexpress.net https://vnexpress.net
Subresource Integrity
Grade: F | Status: FIX | Action required
0 of 78 external resources have SRI
Each finding below carries the same note: Without SRI, if this CDN is compromised, attackers could inject malicious code.

Warning: External link from fonts.googleapis.com lacks integrity attribute
Got: https://fonts.googleapis.com/css?family=Archivo:400,500|Arimo:400,500|Bitter:400,500|EB+Garamond:400,500|Lato|Libre+Baskervill|Libre+Franklin:400,500|Lora:400,500|Google+Sans:regular,medium:400,500|Material+Icons|Google+Symbols|Merriweather|Montserrat:400,500|Mukta:400,500|Muli:400,500|Nunito:400,500|Open+Sans:400,500,600|Open+Sans+Condensed:400,600|Oswald:500|Playfair+Display:400,500|Poppins:400,500|Raleway:400,500|Roboto:400,500|Roboto+Condensed:400,500|Roboto+Slab:400,500|Slabo+27px|Source+Sans+Pro|Ubuntu:400,500|Volkhov&display=swap
Warning: External script from la2.vnecdn.net lacks integrity attribute
Got: https://la2.vnecdn.net/static/device_model_min.js
Warning: External script from la2.vnecdn.net lacks integrity attribute
Got: https://la2.vnecdn.net/static/device_model_min.js
Warning: External script from www.googletagmanager.com lacks integrity attribute
Got: https://www.googletagmanager.com/gtm.js?id=GTM-NMB96XWK&is_td=1&v=3&t=t&pid=1202696706&gtm=45He64k0h1v9191121624za200zd9191121624&seq=1&exp=0~115938466~115938468~117266400~118463261&dl=vnexpress.net%2F&tdp=GTM-NMB96XWK;191121624;0;0;0&frm=0&rtg=191121624&slo=1&hlo=17&lst=1&bt=0&ct=3&mde=G-8DHKH6QPCD;0_1&z=0
Warning: External script from www.googletagmanager.com lacks integrity attribute
Got: https://www.googletagmanager.com/gtag/js?id=G-8DHKH6QPCD&cx=c&gtm=4e64k0h1
Warning: External script from octopus-stream01-cads.fpt.vn lacks integrity attribute
Got: https://octopus-stream01-cads.fpt.vn/cdp.js
Warning: External script from www.google-analytics.com lacks integrity attribute
Got: https://www.google-analytics.com/analytics.js
Warning: External script from www.googletagmanager.com lacks integrity attribute
Got: https://www.googletagmanager.com/gtag/js?id=G-DQJ7NF9DN2&cx=c&gtm=4e64k0
Warning: External script from www.googletagmanager.com lacks integrity attribute
Got: https://www.googletagmanager.com/gtag/js?id=G-57577CKS2C&cx=c&gtm=4e64k0
Warning: External script from www.google-analytics.com lacks integrity attribute
Got: https://www.google-analytics.com/analytics.js
Warning: External script from www.googletagmanager.com lacks integrity attribute
Got: https://www.googletagmanager.com/gtm.js?id=GTM-NMB96XWK
Warning: External script from www.googletagmanager.com lacks integrity attribute
Got: https://www.googletagmanager.com/gtm.js?id=GTM-N3FNJF
Warning: External script from s.eclick.vn lacks integrity attribute
Got: https://s.eclick.vn/delivery/inventory.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: //s1cdn.vnecdn.net/vnexpress/restruct/j/v1294/eclick/ea4_imp.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: //s1cdn.vnecdn.net/vnexpress/restruct/j/v1294/eclick/ea3.js
Warning: External script from securepubads.g.doubleclick.net lacks integrity attribute
Got: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Warning: External script from scdn.eclick.vn lacks integrity attribute
Got: https://scdn.eclick.vn/delivery/dfp/dfpbrand.js
Warning: External script from scdn.eclick.vn lacks integrity attribute
Got: https://scdn.eclick.vn/delivery/dfp/prebid.js
Warning: External script from scdn.eclick.vn lacks integrity attribute
Got: https://scdn.eclick.vn/delivery/dfp/ov_pc_vne_home_home.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/blocks/site/1000000_ov.js
Warning: External script from scdn.eclick.vn lacks integrity attribute
Got: https://scdn.eclick.vn/delivery/eclick.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/config/category.js
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/v2_2019/pc/general-file.css
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/vod.js
Warning: External script from securepubads.g.doubleclick.net lacks integrity attribute
Got: https://securepubads.g.doubleclick.net/pagead/managed/js/gpt/m202604210101/pubads_impl.js?cb=31098008
Warning: External script from fundingchoicesmessages.google.com lacks integrity attribute
Got: https://fundingchoicesmessages.google.com/i/21928950349?ers=3
Warning: External script from fundingchoicesmessages.google.com lacks integrity attribute
Got: https://fundingchoicesmessages.google.com/f/AGSKWxVj8cegtmiOb3eTGUIlYgdv6fRxKqBbolnrTZH9yyjhE_g0rSvQ-rHoVVV5X1v-lk9atmkcuPPHDiew22CtzXltRQe80uVOd01AiWJWXKicXchKNfoUG9o-KRyAe2El2LYJ4o627Q==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzc2ODg4NjY5LDI2NzAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly92bmV4cHJlc3MubmV0LyIsbnVsbCxbWzgsInBTSmtvMTk2SUgwIl0sWzksImVuLVVTIl0sWzE4LCJbW1tudWxsLDgxNV1dXSJdLFszNSwiMTc3Njg4ODY2OSJdLFsxOSwiMSJdLFsyNCwidm5leHByZXNzLm5ldCJdLFsyOSwiZmFsc2UiXV1d
Warning: External script from scdn.eclick.vn lacks integrity attribute
Got: https://scdn.eclick.vn/delivery/asset/355353918/adsbyeclick.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v2/helper/vod/hls.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v2/helper/embed_vod.js
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v2/helper/vod/video-js.css
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v2/helper/vod/ads.js
Warning: External script from s.eclick.vn lacks integrity attribute
Got: https://s.eclick.vn/bad.js
Warning: External script from la4.vnecdn.net lacks integrity attribute
Got: https://la4.vnecdn.net/static/device_model_min.js
Warning: External script from adp.vnecdn.net lacks integrity attribute
Got: https://adp.vnecdn.net/fopt.js?aid=nlcrmvycoydbvj96.1776888668.des&uid=nlcrmvycoydbvj96.1776888668.des
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v2/helper/vod/video.lib.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/lazyload.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/wpn.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/modules/home.defer.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/widget/init_myvne.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/libs/simple-scrollbar.min.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/libs/zepto.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/libs/../usi.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/libs/jquery-2.1.4.min.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/libs/swiper.min.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/myvne/j/v416/myvne_users_redesign.js
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/evisual/pc/player-pin.css
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/podcast/audio-style-pc.css
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/ldpr/jquery-2.1.4.min.js
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065902-1;5065887-1;5065602-1;5065538-1;5065618-1;5065636-1;5065881-1;5065571-1;5065893-1;5065935-1;5065909-1;5065934-13;5065867-1;5065923-1;5065875-1;5064506-1;5065940-1;5065278-1;5065879-1;5065446-1;5065865-1;5065878-1;5065876-1;5065927-3;5059833-1;5065853-1;5065513-1;5065574-1;5065068-1;5065914-1;5065895-1;5064885-1;5065505-1;5059607-1;5065267-1;5065903-1;5065682-1;5065912-1;5065933-1;5065922-1;5065404-1&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065641-1;5065383-1;5065520-1;5065486-1;5065515-1;5065514-1;5065688-1;5065468-3&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065927-3;5064867-3;5065178-3;5064644-3;5064230-3&
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/v3/production/libs/jquery.magnific-popup.min.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/evisual/main.js
Warning: External script from s1.vnecdn.net lacks integrity attribute
Got: https://s1.vnecdn.net/myvne/j/v1/lib/jquery.magnific-popup-1.1.min.js
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/v2_2019/pc/myvne-2023-PC.css
Warning: External script from accounts.google.com lacks integrity attribute
Got: https://accounts.google.com/gsi/client
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/myvne/c/v416/ls/myvne_2019.css
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/uaparse.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/evisual/podcast/podcast.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/podcast/wavesurfer.min.js
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/podcast/podcast-player.js
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5051346-8;5065348-4;5063025-4&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065620-1;5065446-1;5064996-1;5065688-1;5065670-1;5059833-1;5064384-1;5065917-1;5065780-3;5065361-1;5065899-1;5065755-1;5065885-1;5065897-1;5065896-1;5065927-3;5065895-1;5064867-3;5065774-1;5065914-1;5065267-1;5065903-1;5065924-1;5065874-1;5065883-1&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5064445-1;5065620-1;5065184-1;5059607-1;5065744-1;5065786-1;5065108-1;5065414-1;5064506-1;5064746-1;5065808-1;5065584-1;5065666-3;5065068-1;5065831-1;5064188-1;5065725-1;5064885-1;5065912-1;5065513-1;5065380-1;5065564-1;5064876-1;5061856-1;5065878-1;5065798-1;5065768-1;5065619-1;5065411-1&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065660-1;5064661-1;5065581-3;5065933-1;5065752-1;5065892-1&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065818-1;5065233-3;5065469-1;5065737-1;5065282-1;5065226-1;5062555-1;5065480-1;5065641-1;5065596-1;5065682-1;5065595-1;5065439-1;5065442-1&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065578-1;5065769-1;5065612-1;5065334-1;5065568-1;5064808-1&
Warning: External link from accounts.google.com lacks integrity attribute
Got: https://accounts.google.com/gsi/style
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/evisual/pc/preview.css
Warning: External script from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/j/v8822/video/vvideo_tracking.js
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065880-1;5065821-1;5065420-1;5065272-1;5065309-1;5064352-7;5065884-13;5065671-13;5064893-13;5065676-13;5065378-13;5063070-13;5065263-13;5065646-12;5065628-13;5064195-12;5065238-12&
Warning: External script from usi-saas.vnexpress.net lacks integrity attribute
Got: https://usi-saas.vnexpress.net/widget/index/?cid=5065505-1;5065544-1;5065635-1;5065608-1;5065456-1&
Warning: External script from la2.vnecdn.net lacks integrity attribute
Got: https://la2.vnecdn.net/static/adp_banner.js
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/v2_2019/pc/widget-investment-business.css
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/v2_2019/pc/font-Inter.css
Warning: External link from s1cdn.vnecdn.net lacks integrity attribute
Got: https://s1cdn.vnecdn.net/vnexpress/restruct/c/v3897/v2_2019/pc/box-vne-go.css
Warning: External script from s.vnecdn.net lacks integrity attribute
Got: https://s.vnecdn.net/vnexpress/restruct/j/v575/jquery.3.2.1.min.js
SRI Coverage: 0 / 78 external resources have integrity hashes

Tag | Domain | Integrity
<link> | fonts.googleapis.com | Missing
<script> | la2.vnecdn.net | Missing
<script> | la2.vnecdn.net | Missing
<script> | www.googletagmanager.com | Missing
<script> | www.googletagmanager.com | Missing
<script> | octopus-stream01-cads.fpt.vn | Missing
<script> | www.google-analytics.com | Missing
<script> | www.googletagmanager.com | Missing
<script> | www.googletagmanager.com | Missing
<script> | www.google-analytics.com | Missing
<script> | www.googletagmanager.com | Missing
<script> | www.googletagmanager.com | Missing
<script> | s.eclick.vn | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | securepubads.g.doubleclick.net | Missing
<script> | scdn.eclick.vn | Missing
<script> | scdn.eclick.vn | Missing
<script> | scdn.eclick.vn | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | scdn.eclick.vn | Missing
<script> | s1cdn.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | securepubads.g.doubleclick.net | Missing
<script> | fundingchoicesmessages.google.com | Missing
<script> | fundingchoicesmessages.google.com | Missing
<script> | scdn.eclick.vn | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s.eclick.vn | Missing
<script> | la4.vnecdn.net | Missing
<script> | adp.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<script> | accounts.google.com | Missing
<link> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<link> | accounts.google.com | Missing
<link> | s1cdn.vnecdn.net | Missing
<script> | s1cdn.vnecdn.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | usi-saas.vnexpress.net | Missing
<script> | la2.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<link> | s1cdn.vnecdn.net | Missing
<script> | s.vnecdn.net | Missing
Email Security
Grade: D | Status: FIX | Action required
DMARC: none

Warning: DMARC policy is none — monitoring only
This only monitors; it doesn't block spoofed emails. Change to p=quarantine or p=reject.

DMARC
Policy: none — monitoring only, does not block spoofing
Record: v=DMARC1; p=none;

Why this matters

DMARC p=none collects reports but doesn't actually block spoofed mail — phishing emails still reach inboxes.

Learn more

DMARC's three policies are p=none (monitor only), p=quarantine (mark as spam), and p=reject (bounce). Most domains start at p=none to gather data, but stay there forever, leaving spoofers unblocked. After 30 days of clean DMARC reports, graduate to p=quarantine, then p=reject.

Source: DMARC.org / NIST

Permissions-Policy
Grade: D | Status: FIX | Action required
No header set

Warning: No Permissions-Policy header
Consider adding a Permissions-Policy header to restrict browser feature access from embedded content.

Without this header, embedded iframes can request access to sensitive device features.

Suggested header
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
security.txt
Grade: D | Status: FIX | Action required
No /.well-known/security.txt published

No security.txt found at /.well-known/security.txt

Security Headers
Grade: B | Status: REVIEW
7 of 10 headers properly configured

Info: Strict-Transport-Security is properly configured (consider adding preload)
Got: max-age=31536000; includeSubDomains
Info: X-Content-Type-Options is properly configured
Got: nosniff
Info: X-Frame-Options is properly configured
Got: SAMEORIGIN
Info: Referrer-Policy is properly configured
Got: strict-origin-when-cross-origin
Warning: Permissions-Policy header is missing
Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.
Expected: geolocation=(), camera=(), microphone=()
Info: Content-Security-Policy is present
Got: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https…
Warning: Cross-Origin-Opener-Policy header is missing
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set it to 'same-origin'.
Expected: same-origin
Warning: Cross-Origin-Embedder-Policy header is missing
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
Expected: require-corp
Info: X-Powered-By header is not present
Info: Server header is present without version info
Got: vne-qt-fe-lv1-other-2

Controls which browser features (camera, microphone, geolocation) are allowed. Set it to restrict unused features.

Expected: geolocation=(), camera=(), microphone=()
Why this matters

Permissions-Policy locks down browser APIs you don't use — without it, every page can request camera/mic/geolocation if XSS lands.

Learn more

By default every page can request the camera, microphone, geolocation, payment APIs, and dozens more. Permissions-Policy turns off the ones you don't need so a future bug can't quietly start using them. It's a defense-in-depth header — one line, big surface reduction.

Source: MDN / W3C

Why this matters

COOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.

Learn more

Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.

Source: MDN / web.dev

Why this matters

COEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.

Learn more

Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.

Source: MDN / web.dev

B
CORS Configuration
No CORS headers
REVIEW
Info::
No CORS headers present — secure default
CORS Configuration Secure

No CORS headers detected.

Cross-origin requests are blocked by browser same-origin policy.

Origin reflection test

Some servers mirror the request Origin header, which can be exploited. Test manually:

curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
C
Known vulnerability matches
Action
6 known vulnerability match(es) against detected tech
REVIEW

Known Vulnerabilities

Library | Version | Severity | Summary | Fixed In
jQuery | 2.1.4 | medium | parseHTML() executes scripts in event handlers | 2.2.0
jQuery | 2.1.4 | low | jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates | 2.999.999
jQuery | 2.1.4 | medium | 3rd party CORS request may execute | 3.0.0-beta1
jQuery | 2.1.4 | medium | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution | 3.4.0
jQuery | 2.1.4 | medium | passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. | 3.5.0
jQuery | 2.1.4 | medium | Regex in its jQuery.htmlPrefilter sometimes may introduce XSS | 3.5.0
A+
TLS & Certificates
TLS 1.3, 7 checks passed
PASS
Info::
TLS 1.3 is used
Got: TLS 1.3
Info::
Strong cipher suite is used
Got: TLS_AES_128_GCM_SHA256
Info::
HTTP/2 is not negotiated
HTTP/2 provides multiplexing and header compression for better performance.
Got: http/1.1
Info::
Certificate is valid (expires in 135 days)
Got: 2026-09-05T06:58:34Z
Info::
Certificate chain has 4 certificates
Info::
Certificate uses modern signature algorithm
Got: SHA256-RSA
Info::
Certificate covers 6 domain(s)
Got: *.vnexpress.net, owa.vnexpress.net, mail.vnexpress.net, autodiscover.vnexpress.net, www.vnexpress.net, vnexpress.net
Info::
Certificate is issued by a trusted CA
Got: CN=GlobalSign GCC R3 DV TLS CA 2020,O=GlobalSign nv-sa,C=BE

Why this matters

HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.

Learn more

HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.

Source: MDN Web Docs

Connection
Protocol: TLS 1.3
Cipher Suite: TLS_AES_128_GCM_SHA256
HTTP Version: HTTP/1.1

Certificate Chain

Leaf Certificate
Subject: CN=*.vnexpress.net
Issuer: CN=GlobalSign GCC R3 DV TLS CA 2020,O=GlobalSign nv-sa,C=BE
Valid: 2025-08-04T06:58:35Z → 2026-09-05T06:58:34Z (expires in 135 days)
SANs: *.vnexpress.net, owa.vnexpress.net, mail.vnexpress.net, autodiscover.vnexpress.net, www.vnexpress.net, vnexpress.net
Signature: SHA256-RSA
Serial: 10d0c8c451d615e92ccccb05

Intermediate (CA Certificate)
Subject: CN=GlobalSign GCC R3 DV TLS CA 2020,O=GlobalSign nv-sa,C=BE
Issuer: CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
Valid: 2020-07-28T00:00:00Z → 2029-03-18T00:00:00Z (expires in 1060 days)
Signature: SHA256-RSA
Serial: 77bd0e0742d5d9e9d049d774d02a6f9a

Intermediate (CA Certificate)
Subject: CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Valid: 2018-09-19T00:00:00Z → 2028-01-28T12:00:00Z (expires in 645 days)
Signature: SHA256-RSA
Serial: 1ee5f169dff97352b6465d66a

Intermediate (CA Certificate)
Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
Valid: 1998-09-01T12:00:00Z → 2028-01-28T12:00:00Z (expires in 645 days)
Signature: SHA1-RSA
Serial: 40000000001154b5ac394
A+
Cookie Security
1 cookie analyzed, 2 checks passed
PASS
Info::
Cookie 'device_env' has the Secure flag
Warning::
Cookie 'device_env' is missing the HttpOnly flag
Without HttpOnly, this cookie can be accessed by JavaScript, making it vulnerable to XSS-based theft.
Info::
Cookie 'device_env' has SameSite=None
1 cookie analyzed, 1 warning
Name | Secure | HttpOnly | SameSite | Size | Issues
device_env | yes | no | None | 11 B | 1
A+
JS Library Vulnerabilities
No known vulnerabilities
PASS
Info::
No known JavaScript library vulnerabilities detected

No known JavaScript library vulnerabilities detected.

A+
Information Leakage
No exposures
PASS
Info::
No security.txt found
Consider adding a security.txt at /.well-known/security.txt.
Info::
No sensitive files exposed

No sensitive files exposed — all paths returned 404.

Path | Status | Category | Risk
/.git/HEAD | Not found | Version Control |
/.git/config | Not found | Version Control |
/.svn/entries | Not found | Version Control |
/.env | Not found | Configuration |
/.env.local | Not found | Configuration |
/.env.production | Not found | Configuration |
/wp-config.php | Not found | Configuration |
/.htaccess | Not found | Configuration |
/phpinfo.php | Not found | Debug |
/server-status | Not found | Debug |
/server-info | Not found | Debug |
/.well-known/security.txt | Not found | Security Policy |
A+
Transport Security
HTTP/3, HSTS, and TLS version analysis
PASS
Info::
HTTP/3 (QUIC) supported
The server advertises HTTP/3 via Alt-Svc for faster connections on mobile networks.
Info::
HSTS enabled (includeSubDomains)
Info::
TLS 1.3 in use (fastest handshake, 1-RTT)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.
