Web & Email Security Test

← Web Test Home

A-

Test Information

Targetshadowkitsune.net

Resolved To:https://shadowkitsune.net/

IPv4:172.67.130.70
104.21.3.56

Scan ID #:284

Scan Time (UTC):2022-09-04 09:20:29

Response Code (HTTP):301

Response Code (HTTPS):200

Score:86/120

Tests Passed:22/25

Domain Information

Changed:

2022-05-25

Created:

2007-06-24

Expires:

2023-06-24

Related Tests

Overall Scores

Test	Pass	Score	Max	Min	Reason	Recommended Apache Config	More
HTTPS Availability	✅	0	0	-40	Site is available over HTTPS and HTTP redirects to HTTPS with same hostname	`—`
SSL and TLS Protocols	➖	0	5	-20	TLS v1.3 is supported but TLS v1.2 is not supported. Most clients aren't TLS 1.3 capable yet, so you should still support TLS 1.2 for now.	`SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off`	🛈
HSTS (Strict Transport Security)	✅	0	0	-15	Max-age (365 days) is at least 1 year, subdomains are included, and is eligible for preloading	`Header set Strict-Transport-Security max-age=31536000; includeSubDomains; preload`	🛈
Expect Certificate Transparency	❌	-5	0	-5	Site available over HTTPS but no certificate transparency directives	`—`
HTTP Compression	➖	0	1	0	HTTP compression is supported	`SetEnv no-gzip 1 Header set Cache-Control "max-age=0, private, no-cache, no-store, no-transform, must-revalidate"`	🛈
Cache Control	✅	0	0	-5	Cache-Control directives prevent caching	`Header set Cache-Control "no-store, no-cache, must-revalidate"`
Cookies	✅	0	0	-20	N/A (No cookies sent)	`—`
Subresource Integrity	✅	+5	5	-10	N/A (No external JavaScript detected)	`—`	🛈
Content-Security-Policy	❌	-8	0	-24	Content-Security-Policy header sent (see subtable for details)	`Header set Content-Security-Policy " default-src 'none';\ base-uri 'none';\ etc. [see CSP table];\ report-to default;\ report-uri https://[your-endpoint].report-uri.com/r/d/csp/enforce;"`	🛈
Feature-Policy	➖	0	5	0	Feature-Policy header not sent	`Header set Feature-Policy "autoplay 'self';"`
Report-To	✅	+1	1	0	Report-To header sent	`Header set Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://[your-endpoint].report-uri.com/a/d/g"}],"include_subdomains":true}`
Network Error Logging	✅	+1	1	0	NEL header sent	`Header set NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}`
Referrer Policy	✅	+2	2	-5	Effective Referrer policy is secure but may also prevent referer data from being sent to trusted hosts	`Header always set Referrer-Policy "no-referrer-when-downgrade"`
X-Content-Type-Options	✅	0	0	-10	X-Content-Type-Options header securely set	`Header set X-Content-Type-Options "nosniff"`
X-XSS-Protection	❌	-10	0	-10	X-XSS-Protection header insecurely set	`Header set X-XSS-Protection "1; mode=block"`
X-Frame-Options	✅	0	0	-10	X-Frame-Options header securely set	`Header set X-Frame-Options "DENY"`
X-Powered-By	✅	0	0	-3	X-Powered-By header not sent	`Header unset "X-Powered-By"`
X-AspNet-Version	✅	0	0	-1	X-AspNet-Version header not sent	`—`
X-AspNetMvc-Version	✅	0	0	-1	X-AspNetMvc-Version header not sent	`—`
Server Header	✅	0	0	-2	Server header sent, with general, non-specific value `cloudflare`	`ServerTokens Prod`
Cross-Origin Resource Sharing	✅	0	0	-15	CORS header not implemented	`—`
DNSSEC (DNS Security Extensions)	✅	0	0	-5	Domain is signed with a valid signature	`—`
IPv6 Reachability	✅	0	0	-5	Nameservers and web server available via IPv6	`—`
SPF (Sender Policy Framework)	✅	0	0	-10	SPF record associated with this domain	`—`
DMARC (Domain-based Message Authentication, Reporting, and Confidence)	✅	0	0	-10	Strict (reject) DMARC policy associated with this domain	`—`

Content Security Policy

Directive	Pass	Score	Min	Reason	Current	Recommended Baseline	More
default-src	❌	-1	-1	Default policy too permissive	'	'none'
script-src	➖	0	-4	JavaScript sources restricted but potentially permissively	'	'self'
style-src	➖	0	-4	CSS sources restricted but potentially permissively	'	'self'
font-src	➖	0	-2	Font sources restricted but potentially permissively	'	'self'	🛈
base-uri	❌	-1	-1	Use of the <base> tag should be restricted	'	'none'
frame-ancestors	❌	-1	-3	Site vulnerable to clickjacking attacks	'	'none'
form-action	✅	0	0	Form targets potentially permissive, but this directive may not be appropriate	www.paypal.com		🛈
plugin-types	✅	0	0	CSP doesn't contain deprecated directive		application/pdf
object-src	➖	0	-1	<object>, <embed>, and <applet> sources restricted but potentially permissively	'	'none'
child-src	➖	0	-1	Web workers and nested browsing contexts sources restricted but potentially permissively	'	'none'
frame-src	❌	-1	-1	Missing		'none'
img-src	➖	0	-1	Image sources restricted but potentially permissively	'	https: data:
worker-src	➖	0	-1	Worker, SharedWorker, and ServiceWorker scripts restricted but potentially permissively	'	'none'
manifest-src	❌	-1	-1	Missing		'none'
media-src	❌	-1	-1	Missing		'self'
connect-src	➖	0	-1	Script interface URL (e.g. XHR, WS) sources restricted but potentially permissively	'	'self'	🛈
report-uri	❌	-1	-1	Needed for CSP reporting in CSP version 2		https://<your-endpoint>.report-uri.com/r/d/csp/enforce
report-to	➖	-1	0	Needed for CSP reporting in CSP version 3		default

Raw Headers

dateSun, 04 Sep 2022 09:20:29 GMT

content-typetext/html; charset=UTF-8

content-security-policydefault-src 'none'; script-src 'strict-dynamic' 'nonce-MjU0MWQzZjY4N2IzNWYwZWI5MDNiZTQ5MDQyYzFjM2Q=' 'self' static.shadowkitsune.net; style-src 'nonce-MjU0MWQzZjY4N2IzNWYwZWI5MDNiZTQ5MDQyYzFjM2Q=' 'self' static.shadowkitsune.net; img-src 'self' static.shadowkitsune.net www.paypalobjects.com; font-src 'self' static.shadowkitsune.net; connect-src 'self'; object-src 'none'; worker-src 'self'; child-src 'none'; frame-ancestors 'none'; form-action www.paypal.com; upgrade-insecure-requests; base-uri 'none'

varyAccept-Encoding

strict-transport-securitymax-age=31536000; includeSubDomains; preload

expect-ctmax-age=86400, enforce

expect-staplemax-age=86400; includeSubDomains; preload

permissions-policyaccelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), vertical-scroll=()

x-frame-optionsDENY

x-xss-protection0

x-content-type-optionsnosniff

x-permitted-cross-domain-policiesmaster-only

imagetoolbarno

referrer-policysame-origin

x-dns-prefetch-controloff

upgrade-insecure-requests1

cross-origin-resource-policysame-site

cross-origin-opener-policysame-origin

cross-origin-embedder-policyrequire-corp

cache-controlmax-age=0, no-store, no-cache, must-revalidate

pragmano-cache

cf-cache-statusDYNAMIC

report-to{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RHr6eicQDhlW1tVHEgXjp4D2JYc4vdltB07h0w2rNJhIsiGWmda8Hmjtll%2F0Mg%2FmHG4ZGRDQdW9ocwQACLoVheqzJoQ6iQAI8ezPEg0sRDlgEQGMcEc94OGXMnRaRncgxPIKFQ%3D%3D"}],"group":"cf-nel","max_age":604800}

nel{"success_fraction":0,"report_to":"cf-nel","max_age":604800}

servercloudflare

cf-ray7455a644dd29199d-EWR

content-encodingbr

alt-svch3=":443"; ma=86400, h3-29=":443"; ma=86400

Test History

Results hidden from public stats are not shown here.

2 years ago	86
2 years ago	92
2 years ago	93
2 years ago	98
2 years ago	98
2 years ago	98
2 years ago	98
3 years ago	98
3 years ago	100
3 years ago	98
3 years ago	98
3 years ago	96
3 years ago	95
3 years ago	97
3 years ago	97
3 years ago	97
3 years ago	87
3 years ago	82

Was this test helpful? Are there things we could improve? If so, please let us know! If you'd like to support it, donations are greatly appreciated.