This scan was made by Website Security Scanner at webscanner.unofix.no
Security headers are HTTP response headers that tell the browser how to handle a websiteβs content in a secure way.
8 of 8 recommended security headers found (92% score)
| Header | Status | Value | Description |
|---|---|---|---|
X-Frame-Options |
β | DENY | Protects against clickjacking attacks. Hackers can load your page in an invisible iframe and trick users into clicking buttons they cannot see (e.g. "Transfer money"). Value: DENY. Assessment: Good. |
X-Content-Type-Options |
β | nosniff | Prevents MIME-sniffing. A malicious file pretending to be an image can be executed as JavaScript and steal user data. Value: nosniff. Assessment: Good. |
Strict-Transport-Security |
β | max-age=31536000; includeSubDomains | Enforces HTTPS usage (HSTS). Without HTTPS, attackers on the same WiFi network can intercept all communication and steal passwords in plain text. Value: max-age=31536000; includeSubDomains. Assessment: Good. |
Content-Security-Policy |
β | base-uri 'self'; font-src 'self' https://fonts.gstatic.com data:; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; object-src 'none'; script-src-attr 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline'; upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://*.mongodb.net; | Controls which resources can be loaded. Malicious scripts from third parties can run on your page and steal user data or spread malware. Value: base-uri 'self'; font-src 'self' https://fonts.gstatic.com data:; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; object-src 'none'; script-src-attr 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline'; upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://*.mongodb.net;. Assessment: Needs improvement. Notes: script-src contains unsafe-inline (weakens XSS protection). |
Referrer-Policy |
β | no-referrer | Controls what referrer information is sent. Sensitive URLs (e.g. /reset-password?token=abc123) can leak to third parties via analytics or ads. Value: no-referrer. Assessment: Good. |
Permissions-Policy |
β | camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=(), payment=() | Controls access to browser features (camera, microphone, GPS). Malicious code or third-party scripts can secretly activate camera/microphone and spy on the user. Value: camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=(), payment=(). Assessment: Good. |
Cross-Origin-Opener-Policy |
β | same-origin | Isolates your window from cross-origin windows. A malicious popup window can read data from your page via window.opener and steal sensitive information. Value: same-origin. Assessment: Good. |
Cross-Origin-Resource-Policy |
β | same-origin | Controls who can load your resources. Other websites can steal bandwidth by hotlinking to your images, or read pixel data from cross-origin images. Value: same-origin. Assessment: Good. |
6 sensitive file(s) found publicly accessible. Immediate action required.
| Item | Information |
|---|---|
/backup.bakπ΄ CRITICAL |
Backup files are publicly downloadable Backup/archive file may contain source code and/or database |
/site.bakπ΄ CRITICAL |
Backup files are publicly downloadable Backup/archive file may contain source code and/or database |
/www.bakπ΄ CRITICAL |
Backup files are publicly downloadable Backup/archive file may contain source code and/or database |
/database.bakπ΄ CRITICAL |
Backup files are publicly downloadable Backup/archive file may contain source code and/or database |
/db.bakπ΄ CRITICAL |
Backup files are publicly downloadable Backup/archive file may contain source code and/or database |
/dump.bakπ΄ CRITICAL |
Backup files are publicly downloadable Backup/archive file may contain source code and/or database |
Valid SSL certificate from trusted Certificate Authority. Certificate expires in 85 days.
| Status | β Valid |
|---|---|
| Issued To | srtbpulse.epitools.bj |
| Issued By | R13 |
| Valid Until | 2026-06-17 17:54:20 |
| Days Until Expiry | 85 days |
No Set-Cookie headers found in the initial response. Note: cookies may still be set client-side (JavaScript) after page load.
| Cookie Name | Security Flags | Score | Risk | Issues |
|---|