Website Security Test


Scoring Methodology

  • At the beginning of the test, the score is set to 100
  • Points are added for good and reliable configuration of your website and web server
  • Points are deducted for insecure, incomplete or unreliable configuration of your website or web server
  • Total points for all detected CMS(s) and CMS components will not go below -50 or above +50
  • Total points for all detected JS components will not go below -20 or above +20
  • Total points for all HTTP methods and CSP will not go below -30 or above +30
  • Total points for all cookies will not go below -10 or above +10
  • No website may score above "C" if vulnerable software is found
  • No website may score above "B+" if its CMS is not up to date
  • No website may score below "C" if its CMS and CMS components have no known vulnerabilities
  • The server gets an "N" if a tested port is closed or the HTTP status code is not 200, 301, 302, 303, 307 or 308

| Grade | Score |
|-------|-------|
| A+ | Score greater than 100 |
| A | Score between 90 and 99 |
| A- | Score between 80 and 89 |
| B+ | Score between 70 and 79 |
| B | Score between 60 and 69 |
| B- | Score between 50 and 59 |
| C+ | Score between 35 and 49 |
| C | Score between 20 and 34 |
| F | Score lower than 20 |
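
The per-category caps and grade limits above interact, so here is an added example (not the scanner's own code) that applies them to a list of findings. The category keys, the function names and the flag parameters are assumptions made for the illustration, as is grading a score of exactly 100 as "A".

```python
# Added example: category caps and grade limits from the methodology above.
CAPS = {"cms": 50, "js": 20, "methods_csp": 30, "cookies": 10}  # +/- limit per category
GRADES = [(90, "A"), (80, "A-"), (70, "B+"), (60, "B"), (50, "B-"),
          (35, "C+"), (20, "C")]                       # (lower bound, grade)
ORDER = ["F", "C", "C+", "B-", "B", "B+", "A-", "A", "A+"]  # worst to best
OK_STATUS = {200, 301, 302, 303, 307, 308}


def clamp(value, limit):
    return max(-limit, min(limit, value))


def total_score(points):
    """points: list of (category, value); categories not in CAPS are uncapped."""
    sums = {}
    for category, value in points:
        sums[category] = sums.get(category, 0) + value
    # Start at 100, then add each category total after clamping it to its cap.
    return 100 + sum(clamp(v, CAPS[c]) if c in CAPS else v for c, v in sums.items())


def letter(score):
    if score > 100:
        return "A+"
    # Assumption: exactly 100 is graded "A"; the table lists only >100 and 90-99.
    return next((g for low, g in GRADES if score >= low), "F")


def grade(points, *, port_open=True, status=200, vulnerable_software=False,
          cms_outdated=False, cms_has_no_known_vulns=False):
    if not port_open or status not in OK_STATUS:
        return "N"
    result = letter(total_score(points))
    if cms_has_no_known_vulns:   # floor: never below "C"
        result = max(result, "C", key=ORDER.index)
    if cms_outdated:             # ceiling: never above "B+"
        result = min(result, "B+", key=ORDER.index)
    if vulnerable_software:      # ceiling: never above "C"
        result = min(result, "C", key=ORDER.index)
    return result
```
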

Website Security and Compliance

| Description | Score |
|-------------|-------|
| WAF is present | +20 |
| WAF is missing | -5 |
| CMS is up to date | +20 |
| CMS is not up to date | -15 |
| CMS is not up to date and is vulnerable | -50 |
| CMS component is up to date | +15 |
| CMS component is not up to date | -10 |
| CMS component is not up to date and is vulnerable | -30 |
| JS component is up to date | +10 |
| JS component is not up to date | -5 |
| JS component is not up to date and is vulnerable | -30 |
| Server supports Custom HTTP methods | -10 |
| Server supports TRACE, TRACK or CONNECT HTTP method | -10 |
| A cookie does not have the HttpOnly flag set | -5 |
| A cookie has the Secure flag set | +5 |
| A cookie has the SameSite flag set to Lax | +5 |
| A cookie has the SameSite flag set to Strict | +5 |
| A cookie does not have the SameSite flag set | -1 |
| A cookie name has the "__Secure-" prefix and its prerequisites | +5 |
| A cookie name has the "__Host-" prefix and its prerequisites | +5 |
| Web server directory listing enabled | -10 |
| The website is using resources from third-party domains that cannot be resolved | -30 |
| Cryptojacking malware detected | -50 |

HTTP Security Headers and Content Security Policy Scoring

| Header Name | Description | Over HTTP / Over HTTPS |
|-------------|-------------|------------------------|
| Permissions-Policy | Header is present and valid | +15 / +15 |
| Permissions-Policy | Header is present and wrongly configured | -10 / -10 |
| Expect-CT | Header is wrongly configured | -20 |
| Access-Control-Allow-Origin | Header is present and valid | +5 / +5 |
| Strict-Transport-Security | Header is present, valid and enforced | 0 / +25 |
| Strict-Transport-Security | Header is missing | 0 / -20 |
| Strict-Transport-Security | Header has a duration below 6 months | 0 / -10 |
| Strict-Transport-Security | Server certificate is untrusted | 0 / -1 |
| X-Frame-Options | Header is present and valid | +15 / +15 |
| X-Frame-Options | Header value is ALLOWALL | -10 / -10 |
| X-XSS-Protection | Header is present and valid | +20 / +20 |
| X-XSS-Protection | Header value is 0 (disabled) | -10 / -10 |
| X-XSS-Protection | Header is missing | -10 / -10 |
| X-Content-Type-Options | Header is present and valid | +15 / +15 |
| X-Content-Type-Options | Header is missing | -10 / -10 |
| Content-Security-Policy | Header is present | +20 / +20 |
| Content-Security-Policy | Header is missing | -20 / -20 |
| Content-Security-Policy | Header has default-src set to 'none' or 'self' | +5 / +5 |
| Content-Security-Policy | Header contains wildcard in default-src directive | -10 / -10 |
| Content-Security-Policy | Header contains wildcard in any other directive | -10 / -10 |
| Content-Security-Policy | Header has frame-ancestors directive set and restricting sources and X-Frame-Options header is not set | +10 / +10 |
| Content-Security-Policy | Header has frame-ancestors directive set with wildcard and X-Frame-Options header is not set | +5 / +5 |
| Content-Security-Policy | Header has frame-ancestors directive set and consistent with X-Frame-Options header value | +5 / +5 |
| Content-Security-Policy | Header has frame-ancestors directive set and inconsistent with X-Frame-Options header value | -5 / -5 |
| Content-Security-Policy | Header enables XSS blocking and X-XSS-Protection header is not set | +15 / +15 |
| Content-Security-Policy | Header enables XSS filtering and X-XSS-Protection header is not set | +15 / +15 |
| Content-Security-Policy | Header has the reflected-xss directive set and consistent with X-XSS-Protection header value | +5 / +5 |
| Content-Security-Policy | Header contains the Reflected XSS directive with a different value than X-XSS-Protection header | -5 / -5 |
| Content-Security-Policy | Header has the upgrade-insecure-requests or the block-all-mixed-content directive set | +5 / +5 |
| Server | Header discloses server's software version | -5 / -5 |
| X-Powered-By | Header discloses server's software version | -5 / -5 |
| X-AspNet-Version | Header discloses server's software version | -5 / -5 |
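
To check your own responses against the Content-Security-Policy rows, the following added example (not the scanner's code) parses a CSP header and scores the default-src, frame-ancestors and mixed-content rows. It assumes that only a bare `*` source counts as a wildcard and that "consistent" means DENY paired with 'none' or SAMEORIGIN paired with 'self'; the function names are hypothetical.

```python
# Added example: scores a subset of the Content-Security-Policy rows above.
def parse_csp(value):
    """Return {directive: [sources]} from a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # A repeated directive is ignored; the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


# Assumption: these X-Frame-Options / frame-ancestors pairs count as "consistent".
XFO_EQUIV = {"deny": ["'none'"], "sameorigin": ["'self'"]}


def score_csp(headers):
    """headers: dict of response headers. Returns a list of (points, reason)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "content-security-policy" not in h:
        return [(-20, "CSP header is missing")]
    findings = [(20, "CSP header is present")]
    policy = parse_csp(h["content-security-policy"])
    default = policy.get("default-src")
    if default in (["'none'"], ["'self'"]):
        findings.append((5, "default-src is 'none' or 'self'"))
    if default and "*" in default:      # assumption: only a bare * is a wildcard
        findings.append((-10, "wildcard in default-src"))
    ancestors = policy.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").lower()
    if ancestors is not None:
        if not xfo:
            if "*" in ancestors:
                findings.append((5, "frame-ancestors wildcard, no X-Frame-Options"))
            else:
                findings.append((10, "frame-ancestors restricts sources, no X-Frame-Options"))
        elif XFO_EQUIV.get(xfo) == ancestors:
            findings.append((5, "frame-ancestors consistent with X-Frame-Options"))
        else:
            findings.append((-5, "frame-ancestors inconsistent with X-Frame-Options"))
    if "upgrade-insecure-requests" in policy or "block-all-mixed-content" in policy:
        findings.append((5, "upgrade-insecure-requests or block-all-mixed-content set"))
    return findings
```
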