Web & Email Security Test
← Web Test Home
F
Test Information
Targetwww.thehill.com
Resolved To:https://thehill.com/
IPv4:151.101.193.91
151.101.129.91
151.101.65.91
151.101.1.91
151.101.129.91
151.101.65.91
151.101.1.91
Scan ID #:28
Scan Time (UTC):2020-08-27 16:15:47
Response Code (HTTP):301
Response Code (HTTPS):200
Score:13/120
Tests Passed:15/25
Related Tests
Overall Scores
| Test | Pass | Score | Max | Min | Reason | Recommended Apache Config | More |
|---|---|---|---|---|---|---|---|
| HTTPS Availability | ✅ | 0 | 0 | -40 | Site is available over HTTPS and HTTP redirects to HTTPS with same hostname | — | |
| SSL and TLS Protocols | ✅ | +5 | 5 | -20 | TLS v1.2 and TLS v1.3 are supported | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | 🛈 |
| HSTS (Strict Transport Security) | ❌ | -15 | 0 | -15 | HSTS header sent, but max-age (0 days) is insufficiently secure or not present | Header set Strict-Transport-Security max-age=31536000; includeSubDomains; preload | 🛈 |
| Expect Certificate Transparency | ❌ | -5 | 0 | -5 | Site available over HTTPS but no certificate transparency directives | — | |
| HTTP Compression | ➖ | 0 | 1 | 0 | HTTP compression is supported | SetEnv no-gzip 1 | 🛈 |
| Cache Control | ❌ | -5 | 0 | -5 | Cache-Control directives are not adequate for sensitive data | Header set Cache-Control "no-store, no-cache, must-revalidate" | |
| Cookies | ✅ | 0 | 0 | -20 | N/A (No cookies sent) | — | |
| Subresource Integrity | ❌ | -5 | 5 | -10 | Scripts loaded (see subtable for details) | | 🛈 |
| Content-Security-Policy | ❌ | -24 | 0 | -24 | Content-Security-Policy header not sent | Header set Content-Security-Policy " | 🛈 |
| Feature-Policy | ➖ | 0 | 5 | 0 | Feature-Policy header not sent | Header set Feature-Policy "autoplay 'self';" | |
| Report-To | ➖ | 0 | 1 | 0 | No Report-To header sent | Header set Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://[your-endpoint].report-uri.com/a/d/g"}],"include_subdomains":true} | |
| Network Error Logging | ➖ | 0 | 1 | 0 | N/A (Requires Report-To header) | Header set NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true} | |
| Referrer Policy | ➖ | 0 | 2 | -5 | Referrer-Policy header not sent | Header always set Referrer-Policy "no-referrer-when-downgrade" | |
| X-Content-Type-Options | ✅ | 0 | 0 | -10 | X-Content-Type-Options header securely set | Header set X-Content-Type-Options "nosniff" | |
| X-XSS-Protection | ❌ | -10 | 0 | -10 | X-XSS-Protection header not implemented | Header set X-XSS-Protection "1; mode=block" | |
| X-Frame-Options | ✅ | 0 | 0 | -10 | X-Frame-Options header securely set | Header set X-Frame-Options "DENY" | |
| X-Powered-By | ❌ | -3 | 0 | -3 | X-Powered-By header sent, with value PHP/7.3.19 | Header unset "X-Powered-By" | |
| X-AspNet-Version | ✅ | 0 | 0 | -1 | X-AspNet-Version header not sent | — | |
| X-AspNetMvc-Version | ✅ | 0 | 0 | -1 | X-AspNetMvc-Version header not sent | — | |
| Server Header | ✅ | 0 | 0 | -2 | Server header sent, with general, non-specific value nginx | ServerTokens Prod | |
| Cross-Origin Resource Sharing | ❌ | -15 | 0 | -15 | CORS header makes content visible with wide scope | — | |
| DNSSEC (DNS Security Extensions) | ❌ | -5 | 0 | -5 | Domain is not signed with a valid signature | — | |
| IPv6 Reachability | ❌ | -5 | 0 | -5 | Nameservers available via IPv6, but web server is not | — | |
| SPF (Sender Policy Framework) | ✅ | 0 | 0 | -10 | SPF record associated with this domain | — | |
| DMARC (Domain-based Message Authentication, Reporting, and Confidence) | ✅ | 0 | 0 | -10 | Semi-strict (quarantine) DMARC policy associated with this domain | — |
Subresource Integrity (External JavaScript)
Maximum score for any and all scripts is 5 and minimum score for any and all scripts is -10.
| Script | Pass | Score | Reason | HTTPS |
|---|---|---|---|---|
| /sites/all/modules/thehill/thehill_header_bidding/js/prebid_3_16_0.js | ✅ | 5 | Script is root-relative same-origin and loaded securely | ✅ |
| //www.googletagservices.com/tag/js/gpt.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| https://ccpa.sp-prod.net/ccpa.js | ❌ | -5 | Script is external but does not use SRI | ✅ |
| https://z.moatads.com/newscomprebidheader135900089283/yi.js | ❌ | -5 | Script is external but does not use SRI | ✅ |
| //thehill.com/sites/default/files/js/js_EUEhXWz9sYHRmO0bb7KrpJWOmASRCgalw3yhSaU7VGg.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //thehill.com/sites/default/files/js/js_s3L_uC35AiN5EGYY533su-jccnLRp2aKpOnjgPLbo34.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //thehill.com/sites/default/files/js/js_CU3-wpoRjXqQUzVH_fXkSKR_o43ZvBVuw8S_WXUsfTY.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //thehill.com/sites/default/files/js/js_UlgQwqBztlTNwD8PYNXSwCVbJHJOJiHEsF-8ZKBt8yE.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //thehill.com/sites/default/files/js/js_e-yxM1kseLRira1W37j0zXPOXLY2bv2cLfu80UiNhRk.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //thehill.com/sites/default/files/js/js_2SUL8v-ADjMAY3ItWnTPwqYGbjhTft_U1PW1Dzbf6Vc.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //s7.addthis.com/js/300/addthis_widget.js#pubid=ra-4e8f5d7e1bc8befe | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //s.ntv.io/serve/load.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
| //platform.twitter.com/widgets.js | ✅ | 5 | Script is protocol-relative and loaded securely | ➖ |
Raw Headers
connectionkeep-alive
content-length47103
content-typetext/html; charset=utf-8
servernginx
x-powered-byPHP/7.3.19
expiresSun, 19 Nov 1978 05:00:00 GMT
x-content-type-optionsnosniff
x-drupal-themethehill
access-control-allow-origin*
access-control-allow-methodsGET
content-languageen
x-frame-optionsSAMEORIGIN
cache-controlpublic, max-age=30
x-drupal-amp1
x-drupal-ffy3xIEBSgKh9NFbbVmjuX4O8E+RKWtHT5lmPM4BRdnZc=!EWR!cache-ewr18121-EWR, y3xIEBSgKh9NFbbVmjuX4O8E+RKWtHT5lmPM4BRdnZc=!EWR!cache-ewr18130-EWR, y3xIEBSgKh9NFbbVmjuX4O8E+RKWtHT5lmPM4BRdnZc=!BWI!cache-bwi5124-BWI, y3xIEBSgKh9NFbbVmjuX4O8E+RKWtHT5lmPM4BRdnZc=!BWI!cache-bwi5134-BWI
x-drupal-ua-devicepc
x-drupal-devicedesktop
x-drupal-mobileNo
x-ua-compatibleIE=edge,chrome=1
x-generatorDrupal 7 (http://drupal.org)
link<https://thehill.com/>; rel="canonical",<https://thehill.com/>; rel="shortlink"
content-encodinggzip
via1.1 varnish
via1.1 varnish
accept-rangesbytes
dateThu, 27 Aug 2020 16:15:46 GMT
age38
x-served-bycache-bwi5139-BWI, cache-dfw18658-DFW
x-cacheHIT, HIT
x-cache-hits1, 1
x-timerS1598544947.767408,VS0,VE1
varyAccept-Encoding, User-Agent
strict-transport-securitymax-age=900
Test History
Results hidden from public stats are not shown here.
| 3 years ago | 12 |
Was this test helpful? Are there things we could improve? If so, please let us know! If you'd like to support it, donations are greatly appreciated.