|Scan ID #:
Your site is configured with extremely broad resource sharing permissions.
This can be dangerous, and is possibly not what was intended.
Wondering where to start?
Adding HTTPS protects your site's visitors from tracking, malware, and injected advertising.
Many service providers and certificate authorities now provide free HTTPS and digital certificates to make this as painless as possible!
We noticed that your site is accessible over HTTPS, but still defaults to HTTP.
Automatically redirecting from HTTP to HTTPS helps ensure that your users get served a secure version of your site.
Fantastic work using HTTPS! Did you know that you can ensure users never visit your site over HTTP accidentally?
HTTP Strict Transport Security tells web browsers to only access your site over HTTPS in the future, even if the user attempts to visit over HTTP or clicks an
What’s a good next step?
The use of the
X-Frame-Options header and Content Security Policy’s
frame-ancestors directive are a simple and easy way to protect your site against clickjacking attacks.
You’re halfway finished! Nice job!
You’re doing a wonderful job so far!
Did you know that a strong Content Security Policy (CSP) can help protect your website against malicious cross-site scripting attacks?
Subresource Integrity guarantees that your site will stay safe even if one of those domains is compromised.
You’re on the home stretch!
The use of Referrer Policy can help protect the privacy of your users by restricting the information that browsers provide when accessing resources kept on other sites.
Your current CSP policy allows the use of
'unsafe-inline' inside of
style attributes into external stylesheets not only makes you safer, but also makes your code easier to maintain.
🎉🎉🎉 We don't have any! 🎉🎉🎉
Make sure to check back occasionally to ensure that your website is keeping up with the latest in web security standards.
In the meantime, thanks for everything you're doing to keep the internet a safe, secure, and private place!
Once you've successfully completed your change, click Initiate Rescan for the next piece of advice.
eval() function by not allowing
|Blocks execution of plug-ins, using
|Blocks inline styles by not allowing
|Blocks loading of active content over HTTP or FTP
|Blocks loading of passive content over HTTP or FTP
|Clickjacking protection, using
|Deny by default, using
|Restricts use of the
<base> tag by using
base-uri 'self', or specific origins
<form> contents may be submitted by using
form-action 'self', or specific URIs
'strict-dynamic' directive to allow dynamic script loading (optional)
|selects preferred cipher
Looking for improved security and have a user base of only modern clients?
Take a look at the Mozilla “Modern” TLS configuration! It provides an extremely high level of security and performance and is compatible with all clients released in the last couple years. It is not recommended for general purpose websites that may need to service older clients such as Android 4.x, Internet Explorer 10, or Java 6.x.
Still want a secure website, but need compatibility with those older clients?
No problem! The Mozilla “Intermediate” TLS configuration may be just right for you! It provides a similar level of security to the “Modern” configuration when used with current clients, but still supports older versions of web browsers and tools.
Please note that these suggestions may not be appropriate for your particular usage requirements! If they do sound like something you'd like assistance with, then hop on board:
|Duplicate Host Keys:
|Operating System Identifier:
|SSH Library Identifier: