Website Security Test

The ImmuniWeb® Community Edition is collection of free online tools provided by ImmuniWeb SA pursuant to these Terms of Service for small and medium businesses, municipal and local governments, colleges and universities, students and individual software engineers, as well as to other entities, to help them make their applications more secure, reduce their cyber risks and improve their cybersecurity posture, data protection and privacy practices.

Free Use Daily Limits

ImmuniWeb Community Edition provides a free use of the Website Security Test with the following daily limits:

For increased number of daily tests, you can purchase an API key with its increased limits applied to the web interface as well.

Website Security Test Scope and Coverage

The Website Security Test is a free online tool to perform web security and privacy tests:

• Non-intrusive GDPR compliance check related to web application security.
• Non-intrusive PCI DSS compliance check related to web application security.
• Analysis of CMS and its components for outdated versions and publicly-known vulnerabilities.
• Analysis of HTTP methods that may put web server, web application or website visitors at risk.
• Detailed analysis (syntax, validity, trustworthiness) of HTTP security headers:
  • Server
  • Strict-Transport-Security (also known as HSTS)
  • X-Frame-Options
  • X-Powered-By
  • X-Content-Type-Options
  • X-AspNet-Version
  • Content-Security-Policy (also known as CSP)
  • Access-Control-Allow-Origin
  • Content-Security-Policy-Report-Only
  • Referrer-Policy
  • Permissions-Policy
  • Cache-Control
  • Clear-Site-Data
  • X-Permitted-Cross-Domain-Policies
  • Cross-Origin-Resource-Policy (also known as CORP)
  • Cross-Origin-Opener-Policy (also known as COOP)
  • Cross-Origin-Opener-Policy-Report-Only
  • Cross-Origin-Embedder-Policy (also known as COEP)
  • Cross-Origin-Embedder-Policy-Report-Only
  • Reporting-Endpoints
• Analysis of altered, and thus potentially malicious, JS libraries.
• Analysis of domains from which the website fetches content
• Analysis of Subresource Integrity (SRI) of fetched content
• Analysis of ViewState for misconfigurations and security weaknesses.
• Analysis of web application cookies for security flags.
• Verification of DNSSEC implementation to ensure the domain name's security and integrity.
• Detection of WAF presence.

References & How-To's

Acknowledgements

The following security experts helped us improve this free product:

• Alex H.
• Anik, Store Republic
• Doug Nelson
• Freddie Leeman
• Gunnar Schwant
• Ibtihaaj Khurram
• Joseph Guay, Korem Geospatial
• Kelley Hugh, Sompo International

IP Ranges

IP ranges of our outbound servers are:

• 192.175.111.224/27
• 64.15.129.96/27
• 70.38.27.240/28
• 72.55.136.144/28