Security
· 13 checks — HTTP headers, CSP, TLS handshake, and cookie hygiene rolled into one auditable list.FContent Security PolicyAction3 of 10 CSP checks passedFIX
'unsafe-inline' allows inline <script> tags, defeating CSP against XSS. Remove it and use nonces or hashes instead.
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
'unsafe-eval' allows eval() and similar functions, enabling code injection. Remove it.
Unsafe value (unsafe-inline, unsafe-eval) in script-src defeats CSP's main protection — XSS injections can execute again.
Learn more ▾ ▴
unsafe-inline allows inline <script> tags; unsafe-eval allows eval() and similar. Both are necessary for some legacy code but explicitly dangerous. Migrate to nonces (per-page random tokens) or hashes (per-script SHA-256) instead.
Source: OWASP CSP / MDN
Without base-uri, attackers can inject a <base> tag to hijack relative URLs. Set it to 'self' or 'none'.
base-uri 'self'Missing base-uri in CSP leaves a base-tag injection attack path open even on otherwise strict policies.
Learn more ▾ ▴
A common omission: developers add CSP for script-src and frame-ancestors but forget base-uri. The result is a CSP that looks strict but lets an attacker rewrite every URL on the page via <base href>. Add `base-uri 'self'` to close the gap.
Source: MDN CSP
frame-ancestors controls who can embed your page, preventing clickjacking. Set it to 'self' or 'none'.
frame-ancestors 'self'Security gaps expose your site and users to attacks, eroding trust.
form-action restricts where forms can submit data, preventing form hijacking.
form-action 'self'Security gaps expose your site and users to attacks, eroding trust.
This directive upgrades HTTP resources to HTTPS automatically, preventing mixed content.
upgrade-insecure-requestsWithout upgrade-insecure-requests, any HTTP subresource link survives as a mixed-content warning instead of auto-upgrading.
Learn more ▾ ▴
Adding `upgrade-insecure-requests` to your CSP turns every http:// subresource fetch into https:// at the browser layer. One-line defense against accidental mixed content from legacy links or third-party widgets.
Source: MDN CSP
Parsed Policy
FSubresource IntegrityAction0 of 2 external resources have SRIFIX
| Tag | Domain | Integrity |
|---|---|---|
| <script> | webanalytics.web.cern.ch | ✗ Missing |
| <script> | cdnjs.cloudflare.com | ✗ Missing |
DEmail SecurityActionDMARC: noneFIX
This only monitors, it doesn't block spoofed emails. Change to p=quarantine or p=reject.
DMARC p=none collects reports but doesn't actually block spoofed mail — phishing emails still reach inboxes.
Learn more ▾ ▴
DMARC's three policies are p=none (monitor only), p=quarantine (mark as spam), and p=reject (bounce). Most domains start at p=none to gather data, but stay there forever, leaving spoofers unblocked. After 30 days of clean DMARC reports, graduate to p=quarantine, then p=reject.
Source: DMARC.org / NIST
Dsecurity.txtActionNo /.well-known/security.txt publishedFIX
security.txt
No security.txt found at /.well-known/security.txt
CPermissions-PolicyAction1 directives, 5 missingREVIEW
Raw Header
Feature Permissions
BCORS ConfigurationNo CORS headersREVIEW
No CORS headers detected.
Cross-origin requests are blocked by browser same-origin policy.
Origin reflection test
Some servers mirror the request Origin header, which can be exploited. Test manually:
curl -sI -H "Origin: https://evil.com" <url> | grep -i access-control
CKnown vulnerability matchesAction8 known vulnerability match(es) against detected techREVIEW
Known Vulnerabilities
| Library | Version | Severity | Summary | Fixed In |
|---|---|---|---|---|
| TinyMCE | 6 | medium | A cross-site scripting (XSS) vulnerability in TinyMCE alerts which allowed arbitrary JavaScript execution was found and fixed. | 6.3.1 |
| TinyMCE | 6 | medium | TinyMCE XSS vulnerability in notificationManager.open API | 6.7.1 |
| TinyMCE | 6 | medium | TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin | 6.7.1 |
| TinyMCE | 6 | medium | TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes | 6.7.3 |
| TinyMCE | 6 | medium | TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes | 6.8.1 |
| TinyMCE | 6 | medium | TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option | 6.8.4 |
| TinyMCE | 6 | medium | TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements | 6.8.4 |
| TinyMCE | 6 | medium | TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements | 7.0.0 |
ASecurity Headers8 of 10 headers properly configuredPASS
COOP isolates your browsing context, preventing cross-origin side-channel attacks. Set to 'same-origin'.
same-originCOOP isolates your top-level browsing context from cross-origin windows — without it, popup-based side-channel attacks remain possible.
Learn more ▾ ▴
Cross-Origin-Opener-Policy: same-origin prevents cross-origin pages from sharing a browsing-context group with yours. This blocks cross-window references that enable Spectre-style timing attacks and tab-nabbing. Required if you want to enable SharedArrayBuffer.
Source: MDN / web.dev
COEP prevents loading cross-origin resources without explicit permission. Required for SharedArrayBuffer and high-resolution timers.
require-corpCOEP enforces that all embedded resources opt-in to cross-origin embedding — required for cross-origin isolation features.
Learn more ▾ ▴
Cross-Origin-Embedder-Policy: require-corp ensures every embedded resource (script, iframe, image) explicitly allows being loaded cross-origin. Combined with COOP, this enables the cross-origin-isolated context that unlocks SharedArrayBuffer, high-resolution timers, and other powerful APIs.
Source: MDN / web.dev
ATLS & CertificatesTLS 1.3, 7 checks passedPASS
Renew the certificate before it expires to avoid browser warnings.
Cert expiry within the renewal window — fix now while there's no user impact, instead of after expiry when there's a full outage.
Learn more ▾ ▴
Most CAs recommend renewal at 30 days remaining. Inside that window, schedule the renewal immediately and verify auto-renewal is configured if applicable. Don't wait until 7 days; weekend / holiday timing can leave you exposed.
Source: Let's Encrypt / CA renewal best practice
HTTP/2 provides multiplexing and header compression for better performance.
HTTP/1.1 forces the browser to make sequential requests, multiplying latency on every page.
Learn more ▾ ▴
HTTP/2 (and HTTP/3) multiplex many requests over a single connection, eliminating head-of-line blocking. HTTP/1.1 forces the browser to either queue requests or open many parallel connections — both worse. Most modern web servers support HTTP/2 with one config line.
Source: MDN Web Docs
Certificate Chain
A+JS Library VulnerabilitiesNo known vulnerabilitiesPASS
No known JavaScript library vulnerabilities detected.
A+Information LeakageNo exposuresPASS
No sensitive files exposed — all paths returned 404.
| Path | Status | Category | Risk |
|---|---|---|---|
| /.git/HEAD | ✓ Not found | Version Control | — |
| /.git/config | ✓ Not found | Version Control | — |
| /.svn/entries | ✓ Not found | Version Control | — |
| /.env | ✓ Not found | Configuration | — |
| /.env.local | ✓ Not found | Configuration | — |
| /.env.production | ✓ Not found | Configuration | — |
| /wp-config.php | ✓ Not found | Configuration | — |
| /.htaccess | ✓ Not found | Configuration | — |
| /phpinfo.php | ✓ Not found | Debug | — |
| /server-status | ✓ Not found | Debug | — |
| /server-info | ✓ Not found | Debug | — |
| /.well-known/security.txt | ✓ Not found | Security Policy | — |