This scan was made by Website Security Scanner at webscanner.unofix.no
Security headers are HTTP response headers that tell the browser how to handle a websiteβs content in a secure way.
2 of 8 recommended security headers found (11% score)
| Header | Status | Value | Description |
|---|---|---|---|
X-Frame-Options |
β | Not set | Protects against clickjacking attacks. Hackers can load your page in an invisible iframe and trick users into clicking buttons they cannot see (e.g. "Transfer money"). Status: Not set. |
X-Content-Type-Options |
β | Not set | Prevents MIME-sniffing. A malicious file pretending to be an image can be executed as JavaScript and steal user data. Status: Not set. |
Strict-Transport-Security |
β | Not set | Enforces HTTPS usage (HSTS). Without HTTPS, attackers on the same WiFi network can intercept all communication and steal passwords in plain text. Status: Not set. |
Content-Security-Policy |
β | block-all-mixed-content | Controls which resources can be loaded. Malicious scripts from third parties can run on your page and steal user data or spread malware. Value: block-all-mixed-content. Assessment: Unsafe. Notes: script-src is not set (default-src fallback is weaker). object-src is not set (recommended: object-src 'none'). |
Referrer-Policy |
β | Not set | Controls what referrer information is sent. Sensitive URLs (e.g. /reset-password?token=abc123) can leak to third parties via analytics or ads. Status: Not set. |
Permissions-Policy |
β | private-state-token-redemption=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"), private-state-token-issuance=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com") | Controls access to browser features (camera, microphone, GPS). Malicious code or third-party scripts can secretly activate camera/microphone and spy on the user. Value: private-state-token-redemption=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"), private-state-token-issuance=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"). Assessment: Needs improvement. Notes: Header is present but does not clearly disable common sensitive features. |
Cross-Origin-Opener-Policy |
β | Not set | Isolates your window from cross-origin windows. A malicious popup window can read data from your page via window.opener and steal sensitive information. Status: Not set. |
Cross-Origin-Resource-Policy |
β | Not set | Controls who can load your resources. Other websites can steal bandwidth by hotlinking to your images, or read pixel data from cross-origin images. Status: Not set. |
2 sensitive file(s) found publicly accessible. Immediate action required.
| Item | Information |
|---|---|
| π Detected Technology | WordPress |
/readme.htmlπ΅ LOW |
Version information is exposed May reveal WordPress version number |
/license.txtπ΅ LOW |
Version information is exposed May reveal WordPress version number |
Website does not use HTTPS - All communication is unencrypted and vulnerable to interception
No Set-Cookie headers found in the initial response. Note: cookies may still be set client-side (JavaScript) after page load.
| Cookie Name | Security Flags | Score | Risk | Issues |
|---|