
Security Analysis

The security analysis evaluates your website primarily by examining HTTP response headers and the TLS/SSL configuration of the server. It identifies potential weaknesses and gives concrete recommendations for fixing them.

The analyzer provides a detailed table showing security header status across your website:

Security
--------
Header | OK | Notice | Warning | Critical | Recommendation
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Strict-Transport-Security | 45 | 0 | 0 | 3 | Strict-Transport-Security header is not set. It enforces secure connections and protects against MITM attacks.
X-XSS-Protection | 45 | 0 | 0 | 3 | X-XSS-Protection header is not set. It enables browser's built-in defenses against XSS attacks.
X-Frame-Options | 0 | 45 | 3 | 0 | X-Frame-Options header is set to SAMEORIGIN which allows this origin to embed the resource in a frame.
X-Content-Type-Options | 45 | 0 | 3 | 0 | X-Content-Type-Options header is not set. It stops MIME type sniffing and mitigates content type attacks.
Referrer-Policy | 45 | 0 | 3 | 0 | Referrer-Policy header is not set. It controls referrer header sharing and enhances privacy and security.
Content-Security-Policy | 48 | 0 | 0 | 0 |
Feature-Policy | 48 | 0 | 0 | 0 |
Permissions-Policy | 48 | 0 | 0 | 0 |
Server | 48 | 0 | 0 | 0 | Server header is not set or empty. This is recommended.

The table provides:

  • Status counts for each security header (OK, Notice, Warning, Critical)
  • Specific recommendations for addressing identified issues
  • Clear indication of which headers need immediate attention

For HTTP headers, the analyzer checks each of the headers below on every crawled URL: whether the header is present or missing, and whether its value is a safe one. These are the essential security headers that protect against XSS, clickjacking, MIME sniffing and related attacks. A missing or misconfigured header is flagged with a recommendation for improvement.

  • Access-Control-Allow-Origin
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
  • Content-Security-Policy
  • Feature-Policy
  • Permissions-Policy
  • Server
  • X-Powered-By
  • Set-Cookie

The Set-Cookie check ensures that cookies are set with the HttpOnly, Secure and SameSite attributes, which prevent cookie theft via script access, transmission over plain HTTP, and cross-site request forgery respectively.
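As an added example (not the crawler's own code), the following Python script shows how the header and cookie checks listed above can be applied to one raw HTTP response. The sample response is constructed for the example, and the severity mapping (which header is Critical, Warning or Notice when missing or weakly set) is an assumption modelled on the table at the top of this page; the 180-day HSTS max-age threshold and the version-number test for Server/X-Powered-By are likewise assumptions, not the analyzer's actual rules.

```python
import re

# Constructed sample HTTP/1.1 response; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "X-Powered-By: PHP/8.2.7\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HSTS_MIN_MAX_AGE = 15552000  # 180 days; assumed threshold, not the crawler's


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers).
    Header names are lowercased; repeated headers such as Set-Cookie keep every value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_headers(headers):
    """Return {header_name: (severity, message)}; severities are assumed, see lead-in."""
    def first(name):
        values = headers.get(name.lower())
        return values[0] if values else None

    out = {}

    hsts = first("Strict-Transport-Security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None:
        out["Strict-Transport-Security"] = ("Critical", "not set; browsers may still connect over plain HTTP")
    elif not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        out["Strict-Transport-Security"] = ("Warning", "max-age missing or shorter than 180 days")
    else:
        out["Strict-Transport-Security"] = ("OK", "")

    # The table treats a missing X-XSS-Protection as Critical. Current browsers have removed
    # the XSS auditor, so the header is legacy; "0" is the value usually recommended today.
    out["X-XSS-Protection"] = ("Critical", "not set") if first("X-XSS-Protection") is None else ("OK", "")

    xfo = (first("X-Frame-Options") or "").upper()
    if not xfo:
        out["X-Frame-Options"] = ("Warning", "not set; any origin may frame the page (clickjacking)")
    elif xfo == "SAMEORIGIN":
        out["X-Frame-Options"] = ("Notice", "SAMEORIGIN allows this origin to frame the resource")
    elif xfo == "DENY":
        out["X-Frame-Options"] = ("OK", "")
    else:
        out["X-Frame-Options"] = ("Warning", f"unexpected value {xfo!r}")

    xcto = (first("X-Content-Type-Options") or "").lower()
    out["X-Content-Type-Options"] = ("OK", "") if xcto == "nosniff" else ("Warning", "not set to nosniff; MIME sniffing possible")

    rp = (first("Referrer-Policy") or "").lower()
    if not rp:
        out["Referrer-Policy"] = ("Warning", "not set")
    elif rp == "unsafe-url":
        out["Referrer-Policy"] = ("Warning", "unsafe-url leaks the full URL to every destination")
    else:
        out["Referrer-Policy"] = ("OK", "")

    out["Content-Security-Policy"] = ("OK", "") if first("Content-Security-Policy") else ("Notice", "not set")
    # Feature-Policy is the older name; Permissions-Policy is its successor.
    out["Permissions-Policy"] = ("OK", "") if first("Permissions-Policy") else ("Notice", "not set")

    acao = first("Access-Control-Allow-Origin")
    out["Access-Control-Allow-Origin"] = ("Notice", "wildcard origin") if acao == "*" else ("OK", "")

    for name in ("Server", "X-Powered-By"):
        value = first(name) or ""
        # A bare product name is low risk; a version string helps an attacker pick exploits.
        out[name] = ("Notice", f"reveals software version: {value}") if re.search(r"\d+\.\d+", value) else ("OK", "")

    cookie_issues = []
    for cookie in headers.get("set-cookie", []):
        attrs = {a.split("=", 1)[0].strip().lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            cookie_issues.append(f"{cookie.split('=', 1)[0]} lacks {', '.join(missing)}")
    out["Set-Cookie"] = ("Warning", "; ".join(cookie_issues)) if cookie_issues else ("OK", "")
    return out


def summarize(results):
    """Count findings per severity, like the OK/Notice/Warning/Critical columns above."""
    counts = {s: 0 for s in ("OK", "Notice", "Warning", "Critical")}
    for severity, _ in results.values():
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    _, hdrs = parse_response(SAMPLE_RESPONSE)
    results = check_headers(hdrs)
    for name, (severity, message) in results.items():
        print(f"{name:28} {severity:9} {message}")
    print(summarize(results))
```

Running the script on the sample response reports the missing Strict-Transport-Security and X-XSS-Protection headers as Critical, the SAMEORIGIN frame option as a Notice, the unsafe-url referrer policy and the session cookie without Secure/SameSite as Warnings, and the version strings in Server and X-Powered-By as Notices. Note that the analyzer counts one status per header per page, so across a crawl the numbers add up to the per-header totals shown in the table.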

The HTML verification is deliberately narrow: it only checks that no <form> submits to an unencrypted http:// URL and that no <iframe> embeds content from an unencrypted http:// URL.
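As an added example (not the crawler's own implementation), this Python snippet performs the same two HTML checks using only the standard library. The page URL and HTML are constructed for the example. Targets are resolved against the page URL first, so a relative action such as "/login" or a missing action (which submits to the page itself) inherits the page's https:// scheme and is not flagged, while a protocol-relative "//host/path" resolves to https:// as well.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page served over https:// (not taken from a real site).
PAGE_URL = "https://example.com/account/login"
SAMPLE_HTML = """
<html><body>
<form action="http://example.com/login" method="post">
  <input name="password" type="password">
</form>
<form action="/logout" method="post"></form>
<form method="post"></form>
<form action="//cdn.example.net/submit" method="post"></form>
<iframe src="http://widgets.example.org/chat"></iframe>
<iframe src="https://widgets.example.org/chat"></iframe>
</body></html>
"""


class InsecureTargetFinder(HTMLParser):
    """Collect <form action> and <iframe src> targets that resolve to an http:// URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, raw_attribute_value, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            target = attrs.get("action")
        elif tag == "iframe":
            target = attrs.get("src")
        else:
            return
        # An absent or empty action submits to the page's own URL; a relative or
        # protocol-relative target inherits the page's scheme.
        resolved = urljoin(self.page_url, target or "")
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, target or "", resolved))


def find_insecure_targets(html, page_url):
    """Return every form or iframe in `html` whose target resolves to plain http://."""
    finder = InsecureTargetFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for tag, raw, resolved in find_insecure_targets(SAMPLE_HTML, PAGE_URL):
        print(f"<{tag}> sends or loads content over plain HTTP: {raw} -> {resolved}")
```

On the sample page only the first form (password submitted to http://example.com/login) and the first iframe are reported; the other forms resolve to https:// and pass.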

The SSL/TLS review inspects the server's TLS configuration and recommends a web server update if outdated or insecure protocol versions are still accepted.
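As an added example (not the crawler's own code), the following Python script probes which TLS versions a host will negotiate and maps the result onto the page's status scale. The probing function needs network access and is not exercised offline; the mapping in assess() is pure. Treating TLS 1.0 and 1.1 as Critical follows RFC 8996, which deprecates them; reporting a missing TLS 1.3 as a Notice is an assumption for the example. Certificate verification is disabled in the probe on purpose, because the question asked is protocol support, not trust.

```python
import socket
import ssl

# Name -> ssl.TLSVersion, so callers and tests can refer to versions by string.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}
OUTDATED = {"TLSv1", "TLSv1_1"}  # deprecated by RFC 8996


def probe_version(host, name, port=443, timeout=5.0):
    """Return True if `host` completes a handshake pinned to exactly the named TLS version.
    A failed handshake is reported as 'not supported'; on OpenSSL builds that refuse
    TLS < 1.2 even at security level 0 this can be a false negative."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
        if name in OUTDATED:
            # OpenSSL 3 rejects TLS 1.0/1.1 at the default security level; lower it for the probe.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):  # ssl.SSLError is a subclass of OSError
        return False


def assess(supported):
    """Map the set of negotiated version names to (severity, message)."""
    supported = set(supported)
    if not supported:
        return ("Warning", "no TLS handshake succeeded; host unreachable or not serving TLS")
    outdated = sorted(supported & OUTDATED)
    if outdated:
        return ("Critical", f"outdated protocols accepted: {', '.join(outdated)}; "
                            "update the web server and disable them")
    if "TLSv1_3" not in supported:
        return ("Notice", "TLS 1.3 is not offered")
    return ("OK", "")


def scan(host, port=443):
    """Probe every known version (network access required) and assess the result."""
    return assess(name for name in VERSIONS if probe_version(host, name, port))


if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it as `python tls_check.py your-host.example` (hypothetical file name). A server that still negotiates TLS 1.0 or 1.1 is reported as Critical regardless of whatever else it offers, which matches the page's recommendation to update the web server.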

This analysis helps in securing your website by identifying critical areas where security configurations can be improved.


If you have ideas for improving the security analysis based on the data available to the crawler, don't hesitate to send a feature request (for the desktop application or for the command-line interface) with your suggestion. We are happy to consider and implement it if it benefits more users.