Security Analysis

Limited security verification

SiteOne Crawler certainly does not provide in-depth heuristic analysis, like other specialized security tools that also actively simulate various forms of attacks to find vulnerabilities.

This tool evaluates security purely on the basis of the information available to it in the context of a deep web crawl.

Security analysis evaluates the security of your website primarily by analyzing HTTP headers and TLS/SSL configurations. It identifies potential vulnerabilities and provides recommendations for enhancing site security.

Sample Results

The analyzer provides a detailed table showing security header status across your website:

Security
--------

Header                     | OK    | Notice | Warning | Critical | Recommendation
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Strict-Transport-Security  | 45    | 0      | 0       | 3        | Strict-Transport-Security header is not set. It enforces secure connections and protects against MITM attacks.
X-XSS-Protection           | 45    | 0      | 0       | 3        | X-XSS-Protection header is not set. It enables browser's built-in defenses against XSS attacks.
X-Frame-Options            | 0     | 45     | 3       | 0        | X-Frame-Options header is set to SAMEORIGIN which allows this origin to embed the resource in a frame.
X-Content-Type-Options     | 45    | 0      | 3       | 0        | X-Content-Type-Options header is not set. It stops MIME type sniffing and mitigates content type attacks.
Referrer-Policy            | 45    | 0      | 3       | 0        | Referrer-Policy header is not set. It controls referrer header sharing and enhances privacy and security.
Content-Security-Policy    | 48    | 0      | 0       | 0        |
Feature-Policy             | 48    | 0      | 0       | 0        |
Permissions-Policy         | 48    | 0      | 0       | 0        |
Server                     | 48    | 0      | 0       | 0        | Server header is not set or empty. This is recommended.

The table provides:

• Status counts for each security header (OK, Notice, Warning, Critical)
• Specific recommendations for addressing identified issues
• Clear indication of which headers need immediate attention

HTTP headers

In terms of checking HTTP headers, the headers below are analyzed - whether they exist/do not exist and whether they have appropriate safe values. Checks are for essential security headers that protect against XSS, clickjacking, and other attacks. Missing or misconfigured headers are flagged with recommendations for improvement.

• Access-Control-Allow-Origin
• Strict-Transport-Security
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Referrer-Policy
• Content-Security-Policy
• Feature-Policy
• Permissions-Policy
• Server
• X-Powered-By
• Set-Cookie

Cookie Security

Ensures cookies are set with HttpOnly, Secure, and SameSite attributes to prevent common web vulnerabilities.

HTML content

The HTML verification only verifies that the forms are not sent through an unsecured http:// and also that there are no <iframe> with content from an unsecured http://.

TLS/SSL Protocol Support

Reviews SSL/TLS configurations, recommending webserver updates if outdated or insecure protocols are supported.

This analysis helps in securing your website by identifying critical areas where security configurations can be improved.

💡What would you improve?

If you have ideas how to improve security analysis based on the data available to the crawler, don’t be afraid to send a feature request (to desktop application, or to command-line interface) with a suggestion for improvement. We are happy to consider and implement it if it will benefit more users.