This scan was made by Website Security Scanner at webscanner.unofix.no

67/100
Can be improved

Scanned URL: thix.com.br

2026-04-07 01:27:19
πŸ›‘οΈ
Security Headers
0
πŸ”’
SSL / HTTPS
100
πŸͺ
Cookies
45
πŸ“‚
Exposed Files
100
πŸ–₯️
Server Info
100
❌ Security Headers 0%

Security headers are HTTP response headers that tell the browser how to handle a website’s content in a secure way.

0 of 8 recommended security headers found (0% score)

Header Status Value Description
X-Frame-Options ❌ Not set Protects against clickjacking attacks. Hackers can load your page in an invisible iframe and trick users into clicking buttons they cannot see (e.g. "Transfer money"). Status: Not set.
X-Content-Type-Options ❌ Not set Prevents MIME-sniffing. A malicious file pretending to be an image can be executed as JavaScript and steal user data. Status: Not set.
Strict-Transport-Security ❌ Not set Enforces HTTPS usage (HSTS). Without HTTPS, attackers on the same WiFi network can intercept all communication and steal passwords in plain text. Status: Not set.
Content-Security-Policy ❌ Not set Controls which resources can be loaded. Malicious scripts from third parties can run on your page and steal user data or spread malware. Status: Not set.
Referrer-Policy ❌ Not set Controls what referrer information is sent. Sensitive URLs (e.g. /reset-password?token=abc123) can leak to third parties via analytics or ads. Status: Not set.
Permissions-Policy ❌ Not set Controls access to browser features (camera, microphone, GPS). Malicious code or third-party scripts can secretly activate camera/microphone and spy on the user. Status: Not set.
Cross-Origin-Opener-Policy ❌ Not set Isolates your window from cross-origin windows. A malicious popup window can read data from your page via window.opener and steal sensitive information. Status: Not set.
Cross-Origin-Resource-Policy ❌ Not set Controls who can load your resources. Other websites can steal bandwidth by hotlinking to your images, or read pixel data from cross-origin images. Status: Not set.
βœ… Exposed Files & Information Disclosure 100%

No exposed files or directories found. Checked 49 file locations and 6 directories.

βœ… SSL/TLS Security 100%

Valid SSL certificate from trusted Certificate Authority. Certificate expires in 34 days.

πŸ“œ SSL Certificate Information
Status βœ… Valid
Issued To *.thix.com.br
Issued By R12
Valid Until 2026-05-10 18:11:39
Days Until Expiry 34 days
❌ Cookie Security 45%

1 of 2 cookie(s) have CRITICAL security issues including auth/session cookies (45% score) - Immediate action required!

Cookie Name Security Flags Score Risk Issues
XSRF-TOKEN
eyJp...ZCJ9
πŸ”’ Secure❌ HttpOnly❌ SameSite
 40% πŸ”΄ CRITICAL
  • πŸ”΄ CRITICAL: Missing HttpOnly flag on auth cookie - Session can be stolen via XSS attacks
  • Missing SameSite flag - Vulnerable to CSRF attacks
  • Cookie sent to all paths (/) - Consider narrower scope if possible
laravel_session
eyJp...OSJ9
πŸ”’ SecureπŸ›‘οΈ HttpOnly❌ SameSite
 70% 🟑 MEDIUM
  • Missing SameSite flag - Vulnerable to CSRF attacks
  • Cookie sent to all paths (/) - Consider narrower scope if possible
βœ… Server Information Disclosure 100%

2 server information header(s) disclosed. Consider hiding these to reduce attack surface.

Header Status Value Risk
Server ❌ Exposed Apache Server software disclosed (Apache) but no version number. Consider hiding this header completely.
X-Powered-By ❌ Exposed PHP/7.4.33 CRITICAL: Running PHP/7.4 which reached End-of-Life on 2022-11-28. No security updates available. Attackers can exploit known vulnerabilities.
X-AspNet-Version βœ… Hidden Not present Header not present (good - no information disclosure)
X-AspNetMvc-Version βœ… Hidden Not present Header not present (good - no information disclosure)
X-Generator βœ… Hidden Not present Header not present (good - no information disclosure)
🏠 Scan Another Website