Web & Email Security Test

← Web Test Home

B-

Test Information

TargetCISCO.COM

Resolved To:https://www.cisco.com/

IPv4:72.163.4.185

Scan ID #:110

Scan Time (UTC):2021-04-03 08:26:40

Response Code (HTTP):301

Response Code (HTTPS):200

Score:69/120

Tests Passed:21/25

Domain Information

Changed:

2019-06-21

Created:

1987-05-14

Expires:

2022-05-15

Related Tests

Overall Scores

Test	Pass	Score	Max	Min	Reason	Recommended Apache Config	More
HTTPS Availability	✅	0	0	-40	Site is available over HTTPS and HTTP redirects to HTTPS with same hostname	`—`
SSL and TLS Protocols	➖	0	5	-20	TLS v1.0/v1.1 are being phased out as certain TLS v1.0 ciphers are not secure	`SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off`	🛈
HSTS (Strict Transport Security)	➖	-5	0	-15	Max-age (365 days) is at least 1 year, but subdomains not included	`Header set Strict-Transport-Security max-age=31536000; includeSubDomains; preload`	🛈
Expect Certificate Transparency	❌	-5	0	-5	Site available over HTTPS but no certificate transparency directives	`—`
HTTP Compression	➖	0	1	0	HTTP compression is supported	`SetEnv no-gzip 1 Header set Cache-Control "max-age=0, private, no-cache, no-store, no-transform, must-revalidate"`	🛈
Cache Control	❌	-5	0	-5	Cache-Control directives are not adequate for sensitive data	`Header set Cache-Control "no-store, no-cache, must-revalidate"`
Cookies	✅	0	0	-20	N/A (No cookies sent)	`—`
Subresource Integrity	✅	+5	5	-10	Scripts loaded (see subtable for details)		🛈
Content-Security-Policy	❌	-16	0	-24	Content-Security-Policy header sent (see subtable for details)	`Header set Content-Security-Policy " default-src 'none';\ base-uri 'none';\ etc. [see CSP table];\ report-to default;\ report-uri https://[your-endpoint].report-uri.com/r/d/csp/enforce;"`	🛈
Feature-Policy	➖	0	5	0	Feature-Policy header not sent	`Header set Feature-Policy "autoplay 'self';"`
Report-To	➖	0	1	0	No Report-To header sent	`Header set Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://[your-endpoint].report-uri.com/a/d/g"}],"include_subdomains":true}`
Network Error Logging	➖	0	1	0	N/A (Requires Report-To header)	`Header set NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}`
Referrer Policy	➖	0	2	-5	Referrer-Policy header not sent	`Header always set Referrer-Policy "no-referrer-when-downgrade"`
X-Content-Type-Options	✅	0	0	-10	X-Content-Type-Options header securely set	`Header set X-Content-Type-Options "nosniff"`
X-XSS-Protection	✅	0	0	-10	X-XSS-Protection header securely set	`Header set X-XSS-Protection "1; mode=block"`
X-Frame-Options	✅	0	0	-10	X-Frame-Options header securely set	`Header set X-Frame-Options "DENY"`
X-Powered-By	✅	0	0	-3	X-Powered-By header not sent	`Header unset "X-Powered-By"`
X-AspNet-Version	✅	0	0	-1	X-AspNet-Version header not sent	`—`
X-AspNetMvc-Version	✅	0	0	-1	X-AspNetMvc-Version header not sent	`—`
Server Header	✅	0	0	-2	Server header sent, with general, non-specific value `Apache`	`ServerTokens Prod`
Cross-Origin Resource Sharing	✅	0	0	-15	CORS header not implemented	`—`
DNSSEC (DNS Security Extensions)	❌	-5	0	-5	Domain is not signed with a valid signature	`—`
IPv6 Reachability	✅	0	0	-5	Nameservers and web server available via IPv6	`—`
SPF (Sender Policy Framework)	➖	0	0	-10	No MX records associated with this hostname	`—`
DMARC (Domain-based Message Authentication, Reporting, and Confidence)	➖	0	0	-10	No MX records associated with this hostname	`—`

Subresource Integrity (External JavaScript)

Maximum score for any and all scripts is 5 and minimum score for any and all scripts is -10.

Script	Pass	Score	Reason	HTTPS
/c/dam/cdc/t/ctm-core.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/c/dam/cdc/j/personalization-init.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc.clientlibs/clientlibs/granite/jquery.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc.clientlibs/clientlibs/granite/utils.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc.clientlibs/clientlibs/granite/jquery/granite.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc.clientlibs/foundation/clientlibs/jquery.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc.clientlibs/foundation/clientlibs/shared.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc.clientlibs/cq/personalization/clientlib/personalization/kernel.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc.clientlibs/cq/personalization/clientlib/personalization/kernel.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/clientlibs/responsive/js/foundation.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/dmr/libs/base.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/dmr/context-banner/clientLib-v2.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/dmr/libs/u.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/dmr/libs/nmsp.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/dmr/libs/log.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/dmr/libs/metrics.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/dmr/anchor-marquee/triple/clientLib.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅
/etc/designs/cdc/clientlibs/responsive/js/homepage.min.js	✅	5	Script is root-relative same-origin and loaded securely	✅

Content Security Policy

Directive	Pass	Score	Min	Reason	Current	Recommended Baseline	More
default-src	❌	-1	-1	Missing		'none'
script-src	❌	-1	-4	Missing		'self'
style-src	❌	-1	-4	Missing		'self'
font-src	❌	-1	-2	Missing		'self'	🛈
base-uri	❌	-1	-1	Missing		'none'
frame-ancestors	❌	-1	-3	Site vulnerable to clickjacking attacks	.cisco.com .jasper.com .ciscospark.com .ciscolive.com http://cisco.lookbookhq.com https://cisco.lookbookhq.com testcisco.marketing.adobe.com cisco.marketing.adobe.com ciscosales.my.salesforce.com test.salesforce.com zedo.com hindustantimes.com economictimes.indiatimes.com .webex.com .cdw.com .cdwg.com .cdw.ca .meraki-go.com http://ciscopartners.lookbookhq.com https://ciscopartners.lookbookhq.com ciscolearningsystem.com ciscocustomer.lookbookhq.com cisco.lookbookhq.com ccsmedia.com .itquotes.ie dteonline.com ampito-cisco.com arkphire.com .insight.com .ccsmedia.com .ebuyer.com .lambda-tek.com .storm-technologies.com .vohkus.com .bechtle.com .rainfocus.com .broadbandbuyer.com .hardware.com shop.redpontem.com	'none'
form-action	➖	0	0	Missing, but this directive may not be appropriate			🛈
plugin-types	✅	0	0	CSP doesn't contain deprecated directive		application/pdf
object-src	❌	-1	-1	Missing		'none'
child-src	❌	-1	-1	Missing		'none'
frame-src	❌	-1	-1	Missing		'none'
img-src	❌	-1	-1	Missing		https: data:
worker-src	❌	-1	-1	Missing		'none'
manifest-src	❌	-1	-1	Missing		'none'
media-src	❌	-1	-1	Missing		'self'
connect-src	❌	-1	-1	Missing		'self'	🛈
report-uri	❌	-1	-1	Needed for CSP reporting in CSP version 2		https://<your-endpoint>.report-uri.com/r/d/csp/enforce
report-to	➖	-1	0	Needed for CSP reporting in CSP version 3		default

Raw Headers

serverApache

etag"139f9-5bf08f28077b7"

accept-rangesbytes

content-encodinggzip

cdchostwemxweb-publish-prod1-03

x-xss-protection1; mode=block

x-content-type-optionsnosniff

x-frame-optionsSAMEORIGIN

x-test-debugnURL=www.cisco.com,realm=0,isRealm=0,realmDomain=0,shortrealm=0,upgradeTest=1

content-length17963

content-typetext/html

expiresSat, 03 Apr 2021 08:26:38 GMT

cache-controlmax-age=0, no-cache, no-store

pragmano-cache

dateSat, 03 Apr 2021 08:26:38 GMT

connectionkeep-alive

varyAccept-Encoding

link</etc/designs/cdc/dmr/text/base-v2.min.css>; rel=preload; as=style,</etc/designs/cdc/dmr/libs/base.min.css>; rel=preload; as=style,</etc/designs/cdc/clientlibs/responsive/css/cisco-sans.min.css>; rel=preload; as=style,</etc/designs/cdc/clientlibs/responsive/css/responsive.min.css>; rel=preload; as=style,</c/dam/cdc/t/ctm-core.js>; rel=preload; as=script,</c/dam/cdc/j/personalization-init.js>; rel=preload; as=script,</etc/designs/cdc/clientlibs/responsive/js/foundation.min.js>; rel=preload; as=script,</etc/designs/cdc/clientlibs/responsive/js/responsive.min.js>; rel=preload; as=script, </etc/designs/cdc/dmr/libs/base.min.js>; rel=preload; as=script, </etc/designs/cdc/dmr/icons/dm-font-icons/dm-icons.woff2>; rel=preload; as=font/woff2, </c/dam/assets/fonts/cisco-sans/CiscoSansTTRegular.woff2>; rel=preload; as=font/woff2, </c/dam/assets/dmr/button/button-icons.svg>; rel=preload; as=image

content-security-policyupgrade-insecure-requests; frame-ancestors *.cisco.com *.jasper.com *.ciscospark.com *.ciscolive.com http://cisco.lookbookhq.com https://cisco.lookbookhq.com testcisco.marketing.adobe.com cisco.marketing.adobe.com ciscosales.my.salesforce.com test.salesforce.com zedo.com hindustantimes.com economictimes.indiatimes.com *.webex.com *.cdw.com *.cdwg.com *.cdw.ca *.meraki-go.com http://ciscopartners.lookbookhq.com https://ciscopartners.lookbookhq.com ciscolearningsystem.com ciscocustomer.lookbookhq.com cisco.lookbookhq.com ccsmedia.com *.itquotes.ie dteonline.com ampito-cisco.com arkphire.com *.insight.com *.ccsmedia.com *.ebuyer.com *.lambda-tek.com *.storm-technologies.com *.vohkus.com *.bechtle.com *.rainfocus.com *.broadbandbuyer.com *.hardware.com shop.redpontem.com;

strict-transport-securitymax-age=31536000

Test History

Results hidden from public stats are not shown here.

3 years ago

Was this test helpful? Are there things we could improve? If so, please let us know! If you'd like to support it, donations are greatly appreciated.