Security Report
Your website is live and serving visitors, but several security gaps leave your business exposed to common attacks. The most urgent issue: there is no Content Security Policy, which means attackers could inject malicious scripts into your pages. Your SSL certificate expires in 12 days — if it lapses, browsers will warn visitors away. On the positive side, your DNS is correctly configured and HSTS is partially in place. Email authentication is incomplete: SPF is present but DMARC and DKIM are missing, making your domain vulnerable to spoofing. We also detected an exposed server version header and two cookies missing security attributes. Fixing the critical and high-severity items below would raise your score to a B+ within a week.
All Findings
The server does not return a Content-Security-Policy header. This leaves the site vulnerable to cross-site scripting (XSS) attacks.
Add a Content-Security-Policy header with at minimum: default-src 'self'; script-src 'self'. Use nonce-based CSP for inline scripts.
The TLS certificate for example-company.co.uk is valid but expires on 2025-02-14. If not renewed, browsers will display security warnings.
Renew the certificate via your hosting provider or set up auto-renewal with Let's Encrypt.
No Strict-Transport-Security header detected. Visitors could be downgraded to HTTP via man-in-the-middle attacks.
Add Strict-Transport-Security: max-age=31536000; includeSubDomains to your server configuration.
No DMARC record found at _dmarc.example-company.co.uk. Attackers can spoof emails from your domain.
Add a DNS TXT record: _dmarc.example-company.co.uk → "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-company.co.uk"
The Server header reveals "nginx/1.24.0". Attackers use version information to find known vulnerabilities.
Remove or obfuscate the Server header in your nginx configuration: server_tokens off; strips the version number (the header then reads Server: nginx); dropping or rewriting the header entirely requires an additional module such as headers-more.
No DKIM records found for common selectors (default, google, selector1). Email deliverability and authenticity are reduced.
Configure DKIM signing with your email provider and publish the public key as a DNS TXT record.
2 of 4 cookies are missing security attributes. "session_id" is missing HttpOnly and SameSite. "_analytics" is missing Secure.
Set Secure and SameSite=Lax (or Strict) on all cookies, and HttpOnly on every cookie that does not need client-side JavaScript access.
No /.well-known/security.txt found. Security researchers have no standard way to report vulnerabilities.
Create a security.txt file per RFC 9116 with Contact, Expires, and Policy fields.
Detected: nginx 1.24.0, jQuery 3.6.0, WordPress 6.4. Exposed technology versions help attackers target known CVEs.
Remove version numbers from headers and HTML meta tags where possible.
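As an added example (not part of this report or the scanner's own code), the Python below reproduces the header and cookie checks behind the CSP, HSTS, Server-header and cookie findings above, run over a constructed response that mirrors them; the header values are assumptions, not a real capture.

```python
"""Response-header and cookie checks for the findings listed above."""
import re

# Constructed sample headers resembling the scanned site (assumption, not a real capture).
SAMPLE_HEADERS = [
    ("Server", "nginx/1.24.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure"),
    ("Set-Cookie", "_analytics=xyz; Path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly; SameSite=Strict"),
]


def check_cookie(set_cookie):
    """Report which of Secure, HttpOnly and SameSite a Set-Cookie line lacks."""
    name_value, _, attrs = set_cookie.partition(";")
    name = name_value.split("=", 1)[0].strip()
    flags = {a.strip().split("=")[0].lower() for a in attrs.split(";")}
    missing = [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in flags]
    if missing:
        return ['cookie "%s" is missing %s' % (name, ", ".join(missing))]
    return []


def check_headers(headers):
    """Return a list of finding strings for an HTTPS response's header pairs."""
    findings = []
    # Single-valued headers by lower-cased name; Set-Cookie is handled per line below.
    named = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    if "content-security-policy" not in named:
        findings.append("missing Content-Security-Policy header")
    hsts = re.search(r"max-age=(\d+)", named.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    elif int(hsts.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    server = named.get("server", "")
    if re.search(r"/\d", server):  # a slash followed by a digit means a version is exposed
        findings.append("Server header exposes version: " + server)
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(check_cookie(value))
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print(finding)
```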