Website Security Test

 GDPR & PCI DSS Test
 CSP & HTTP Headers Check
 Website CMS Security Test
 WordPress & Drupal Scanning
Free online security tool to test your security
 
Free API

ImmuniWeb provides you with a free API to test your web server for security-related configuration. To ensure fast service and availability for everyone, the free API allows 50 requests in total per 24 hours from one IP address.

In addition, there are different user tiers, each with its own API usage limits.


License notice: The API is provided for free for both private and commercial purposes. If you use the API for a publicly available service (commercial or not), a link to ImmuniWeb's Free Website Security Test is mandatory.

Commercial API

ImmuniWeb provides commercial access to the Website Security Test API without restrictions. The restrictions of the free API can be partially or entirely removed, tailored to your needs. Prices start at 200 USD per month.


Non-profit, research and academic institutions may request the commercial API for free. Please send your API usage requirements to for additional information.

API Documentation and How-To

Full API Documentation

API Specifications

Protocol       HTTP/HTTPS
Request Type   POST
URL            https://www.immuniweb.com/websec/api/v1/chsec/[ustamp].html
               "ustamp" is an arbitrary UNIX timestamp (must be an integer); this construction exists only to prevent caching on the client side. Results are then fetched from https://www.immuniweb.com/websec/api/v1/get_result/[ustamp].html, as shown in the cURL transaction below.

POST Data Specification

api_key           Secret token submitted alongside the request.
tested_url        The URL of the domain to be tested.
dnsr              "on" hides the test results; "off" displays them in the public statistics.
choosen_ip        IP address of the tested server (if the tested domain resolves to multiple addresses). Note that the parameter name is spelled "choosen_ip".
recheck           "false" reuses the cached result if the server has been tested within the past 24 hours; "true" runs a new test without consulting the cache.
follow_redirects  "true" allows redirects to be followed.
token             Value of the token sent by the server when the tested domain resolves to several IP addresses.

Example of Transaction Using CURL

# New test (not cached)
$ curl -XPOST -d 'tested_url=twitter.com&choosen_ip=any&dnsr=off&recheck=false&follow_redirects=true&verbosity=1' 'https://www.immuniweb.com/websec/api/v1/chsec/1451425590.html'

{"debug":true,"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"test_started","status_id":1,"message":"Test has started"}

# You need to keep calling this until the test is finished
$ curl -XPOST -d 'job_id=2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc' 'https://www.immuniweb.com/websec/api/v1/get_result/1451425590.html'

{"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"in_progress","status_id":2,"eta":2,"message":"Your test is in progress"}

# New test (cached)
$ curl -XPOST -d 'tested_url=twitter.com&choosen_ip=any&dnsr=off&recheck=false&follow_redirects=true&verbosity=1' 'https://www.immuniweb.com/websec/api/v1/chsec/1451425590.html'

{"test_id":"c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004","status":"test_cached","status_id":3,"message":"Test is cached"}

# Fetch the cached result by its test_id
$ curl -XPOST -d 'id=c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004' 'https://www.immuniweb.com/websec/api/v1/get_result/1451425590.html'

# Example with error
$ curl -XPOST -d 'tested_url=0.0.0.0&choosen_ip=any&dnsr=off&recheck=false&follow_redirects=true&verbosity=1' 'https://www.immuniweb.com/websec/api/v1/chsec/1451425590.html'

{"error":"The domain name does not exist","error_id":9}
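The same start, poll and fetch flow as a small Python client, added here as an example; it is not ImmuniWeb's own code. The transport is injectable so that the demo replays the replies from the cURL transcript above offline. FakeApi, urllib_post, run_test and the "finished" reply are this example's own: the page does not show what a completed result looks like, so anything that is neither an error nor "in_progress" is returned as the result, and the undocumented verbosity field is left out.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional

BASE = "https://www.immuniweb.com/websec/api/v1"
Transport = Callable[[str, Dict[str, str]], Dict[str, Any]]


class ApiError(Exception):
    """An {"error": ..., "error_id": ...} reply, or a reply the client does not understand."""


def endpoint(action: str, ustamp: int) -> str:
    # [ustamp] is any integer UNIX timestamp; it only defeats client-side caching.
    return f"{BASE}/{action}/{int(ustamp)}.html"


def start_payload(tested_url: str, api_key: Optional[str] = None, *, recheck: bool = False,
                  dnsr: str = "on", choosen_ip: str = "any",
                  follow_redirects: bool = True) -> Dict[str, str]:
    """Form fields for /chsec; 'choosen_ip' keeps the API's own spelling."""
    data = {
        "tested_url": tested_url,
        "choosen_ip": choosen_ip,
        "dnsr": dnsr,                                   # "on" keeps the result out of public stats
        "recheck": "true" if recheck else "false",
        "follow_redirects": "true" if follow_redirects else "false",
    }
    if api_key:
        data["api_key"] = api_key
    return data


def urllib_post(url: str, data: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: form-encoded POST, JSON reply (needs network; the demo does not use it)."""
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(url, data=body, timeout=60) as resp:
        return json.loads(resp.read().decode())


def run_test(post: Transport, tested_url: str, api_key: Optional[str] = None, *,
             recheck: bool = False, ustamp: Optional[int] = None, max_polls: int = 120,
             sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Start a test and follow it to a result, handling the three documented first replies."""
    if ustamp is None:
        ustamp = int(time.time())
    first = post(endpoint("chsec", ustamp), start_payload(tested_url, api_key, recheck=recheck))
    if "error" in first:
        raise ApiError(f"{first.get('error_id')}: {first['error']}")
    if first.get("status") == "test_cached":
        # A cached result is fetched once by its test_id; nothing to poll.
        return post(endpoint("get_result", ustamp), {"id": first["test_id"]})
    if first.get("status") != "test_started":
        raise ApiError(f"unexpected reply: {first}")
    job_id = first["job_id"]
    for _ in range(max_polls):
        reply = post(endpoint("get_result", ustamp), {"job_id": job_id})
        if "error" in reply:
            raise ApiError(f"{reply.get('error_id')}: {reply['error']}")
        if reply.get("status") != "in_progress":
            return reply                                # anything else is the finished result
        # The page does not state the unit of "eta"; it is treated as seconds and capped here.
        sleep(min(float(reply.get("eta", 5)), 30.0))
    raise ApiError(f"job {job_id} still in progress after {max_polls} polls")


# Replays the replies from the cURL transcript above. The finished-result shape is not
# shown on the page, so that last reply is a constructed placeholder.
JOB_ID = "2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc"
TEST_ID = "c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004"


class FakeApi:
    def __init__(self, cached: bool = False, polls_needed: int = 3):
        self.cached, self.polls_needed = cached, polls_needed
        self.polls = 0
        self.calls = []                                  # (url, form) pairs, for inspection

    def post(self, url: str, data: Dict[str, str]) -> Dict[str, Any]:
        self.calls.append((url, dict(data)))
        if "/chsec/" in url:
            if data["tested_url"] == "0.0.0.0":
                return {"error": "The domain name does not exist", "error_id": 9}
            if self.cached:
                return {"test_id": TEST_ID, "status": "test_cached", "status_id": 3, "message": "Test is cached"}
            return {"debug": True, "job_id": JOB_ID, "status": "test_started", "status_id": 1, "message": "Test has started"}
        if data.get("id") == TEST_ID:
            return {"test_id": TEST_ID, "status": "finished"}   # constructed
        self.polls += 1
        if self.polls < self.polls_needed:
            return {"job_id": JOB_ID, "status": "in_progress", "status_id": 2, "eta": 2, "message": "Your test is in progress"}
        return {"job_id": JOB_ID, "status": "finished"}          # constructed


if __name__ == "__main__":
    api = FakeApi()
    print(run_test(api.post, "twitter.com", ustamp=1451425590, sleep=lambda s: None), "after", api.polls, "polls")
```

Against the live service, pass urllib_post as the transport and keep the default sleep; the 50-requests-per-24-hours limit counts every poll, so a long eta is worth honouring rather than polling in a tight loop.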


About the Service

Website Security Test is a free product available online, provided and operated by ImmuniWeb.


Website Security Test performs the following security and privacy checks:

Non-intrusive GDPR compliance check related to web application security.

Non-intrusive PCI DSS compliance check related to web application security.

Analysis of CMS and its components for outdated versions and publicly-known vulnerabilities.

Analysis of HTTP methods that may put the web server, the web application or website visitors at risk.

Detailed analysis (syntax, validity, trustworthiness) of HTTP security headers:

Server
Strict-Transport-Security (also known as HSTS)
X-Frame-Options
X-Powered-By
X-Content-Type-Options
X-XSS-Protection
X-AspNet-Version
Content-Security-Policy (also known as CSP)
Public-Key-Pins (also known as HPKP)
Access-Control-Allow-Origin
Content-Security-Policy-Report-Only
Public-Key-Pins-Report-Only
Expect-CT
Expect-Staple
Referrer-Policy
Feature-Policy

Analysis of altered, and thus potentially malicious, JS libraries.

Analysis of ViewState for misconfigurations and security weaknesses.

Analysis of web application cookies for security flags.

Detection of the domain's presence in various blacklists.

Detection of cryptojacking within JS code.

Detection of WAF presence.

References & How-To's

IP Ranges

IP ranges of our outbound servers are:

  • 192.175.111.224/27
  • 64.15.129.96/27
  • 70.38.27.240/28
  • 72.55.136.144/28
  • 72.55.136.192/28

Scoring Methodology

- At the beginning of the test, the score is set to 100
- Points are added for good and reliable configuration of your website and web server
- Points are deducted for insecure, incomplete or unreliable configuration of your website or web server
- Total points for all detected CMS(s) and CMS components will not go below -50 or above +50
- Total points for all detected JS components will not go below -20 or above +20
- Total points for all HTTP methods and CSP will not go below -30 or above +30
- Total points for all cookies will not go below -10 or above +10
- No website may score above "C" if vulnerable software is found
- No website may score above "B+" if the CMS is not up to date
- No website may score below "C" if its CMS and CMS components have no known vulnerabilities

Grade   Score
A+      Score greater than 100
A       Score between 90 and 99
A-      Score between 80 and 89
B+      Score between 70 and 79
B       Score between 60 and 69
B-      Score between 50 and 59
C+      Score between 35 and 49
C       Score between 20 and 34
F       Score lower than 20

Website Security and Compliance

Description                                                     Score
WAF is present                                                  +20
WAF is missing                                                   -5
CMS is up to date                                               +20
CMS is not up to date                                           -15
CMS is not up to date and is vulnerable                         -50
CMS component is up to date                                     +15
CMS component is not up to date                                 -10
CMS component is not up to date and is vulnerable               -30
JS component is up to date                                      +10
JS component is not up to date                                   -5
JS component is not up to date and is vulnerable                -30
Server supports custom HTTP methods                             -10
Server supports the TRACE, TRACK or CONNECT HTTP method         -10
A cookie does not have the HttpOnly flag set                     -5
A cookie has the Secure flag set                                 +5
A cookie has the SameSite flag set to Lax                        +5
A cookie has the SameSite flag set to Strict                     +5
A cookie does not have the SameSite flag set                     -1
A cookie name has the "__Secure-" prefix and its prerequisites   +5
A cookie name has the "__Host-" prefix and its prerequisites     +5
Web server directory listing enabled                            -10
Cryptojacking malware detected                                  -50
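The scoring methodology above and the point values from this table, written as a function to show how the per-category limits and the grade ceilings and floor interact. This is an added example, not ImmuniWeb's implementation. The page does not say how the limits are enforced or in what order the grade rules apply, so this example sums each group and clamps it, applies the two ceilings before the floor, and maps a score of exactly 100 to A because the table gives A+ only to scores above 100; Finding, assess, the category names and the EXAMPLE findings are constructed for illustration.

```python
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    description: str
    category: str              # "cms", "cms_component", "js", "http_csp", "cookies" or "uncapped"
    points: int                # value from the scoring tables
    outdated: bool = False     # not up to date
    vulnerable: bool = False   # a publicly known vulnerability was found


# "Total points for all ... will not go below -N or above +N": the CMS and its
# components share one limit; JS components, HTTP methods/CSP and cookies have their own.
CAP_GROUP = {"cms": "cms", "cms_component": "cms", "js": "js", "http_csp": "http_csp", "cookies": "cookies"}
CAP_LIMIT = {"cms": 50, "js": 20, "http_csp": 30, "cookies": 10}

GRADE_ORDER = ["A+", "A", "A-", "B+", "B", "B-", "C+", "C", "F"]   # best to worst
GRADE_BANDS = [(90, "A"), (80, "A-"), (70, "B+"), (60, "B"), (50, "B-"), (35, "C+"), (20, "C")]


def grade_for(score: int) -> str:
    # The page gives A+ only to scores strictly above 100 and A to 90-99; a score of
    # exactly 100 is not covered by its table and lands in A here (assumption).
    if score > 100:
        return "A+"
    for lower, grade in GRADE_BANDS:
        if score >= lower:
            return grade
    return "F"


def worse(a: str, b: str) -> str:
    return max(a, b, key=GRADE_ORDER.index)


def better(a: str, b: str) -> str:
    return min(a, b, key=GRADE_ORDER.index)


def assess(findings: List[Finding]) -> Tuple[int, str]:
    score = 100                                            # every test starts at 100
    totals: Dict[str, int] = {}
    for f in findings:
        group = CAP_GROUP.get(f.category, "uncapped")
        totals[group] = totals.get(group, 0) + f.points
    for group, points in totals.items():
        limit = CAP_LIMIT.get(group)
        if limit is not None:
            points = max(-limit, min(limit, points))       # clamp the group total
        score += points

    grade = grade_for(score)
    cms_side = [f for f in findings if CAP_GROUP.get(f.category) == "cms"]
    if any(f.vulnerable for f in findings):
        grade = worse(grade, "C")      # vulnerable software found: never above C
    elif any(f.category == "cms" and f.outdated for f in findings):
        grade = worse(grade, "B+")     # CMS not up to date: never above B+
    if cms_side and not any(f.vulnerable for f in cms_side):
        grade = better(grade, "C")     # CMS and its components clean: never below C
    return score, grade


# Constructed findings for a neglected site; the point values are the table's.
EXAMPLE = [
    Finding("WAF is missing", "uncapped", -5),
    Finding("Web server directory listing enabled", "uncapped", -10),
    Finding("CMS is not up to date", "cms", -15, outdated=True),
    *[Finding("CMS component is not up to date", "cms_component", -10, outdated=True) for _ in range(3)],
    *[Finding("JS component is not up to date", "js", -5, outdated=True) for _ in range(4)],
    Finding("JS component is not up to date and is vulnerable", "js", -30, outdated=True, vulnerable=True),
    Finding("Server supports TRACE, TRACK or CONNECT HTTP method", "http_csp", -10),
    Finding("Content-Security-Policy header is missing", "http_csp", -20),
    *[Finding("A cookie does not have the HttpOnly flag set", "cookies", -5) for _ in range(3)],
]

if __name__ == "__main__":
    # The JS group sums to -50 but is clamped to -20 and the cookies to -10; the raw
    # score ends at -20 (F), yet the clean-CMS floor lifts the grade to C.
    print(assess(EXAMPLE))
```

The EXAMPLE case is the one worth noticing: a vulnerable JS library drags the raw score to -20, but because the CMS and its components themselves have no known vulnerabilities, the floor rule as written on the page still reports a C. Whether the live service resolves that conflict the same way is not stated.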

HTTP Security Headers and Content Security Policy Scoring

Header / Description                                                                                       Over HTTP   Over HTTPS

Expect-CT
  Header is present and valid                                                                              0           +25
  Header is missing or wrongly configured                                                                  0           -20
Feature-Policy
  Header is present and valid                                                                              +15         +15
  Header is missing or wrongly configured                                                                  -10         -10
Access-Control-Allow-Origin
  Header is present and valid                                                                              +5          +5
Strict-Transport-Security
  Header is present, valid and enforced                                                                    0           +25
  Header is missing                                                                                        0           -20
  Header has a duration below 6 months                                                                     0           -10
  Server certificate is untrusted                                                                          0           -1
X-Frame-Options
  Header is present and valid                                                                              +15         +15
  Header value is ALLOWALL                                                                                 -10         -10
X-XSS-Protection
  Header is present and valid                                                                              +20         +20
  Header value is 0 (disabled)                                                                             -10         -10
  Header is missing                                                                                        -10         -10
X-Content-Type-Options
  Header is present and valid                                                                              +15         +15
  Header is missing                                                                                        -10         -10
Content-Security-Policy
  Header is present                                                                                        +20         +20
  Header is missing                                                                                        -20         -20
  Header has default-src set to 'none' or 'self'                                                           +5          +5
  Header contains a wildcard in the default-src directive                                                  -10         -10
  Header contains a wildcard in any other directive                                                        -10         -10
  Header has the frame-ancestors directive set and restricting sources, and X-Frame-Options is not set    +10         +10
  Header has the frame-ancestors directive set with a wildcard, and X-Frame-Options is not set            +5          +5
  Header has the frame-ancestors directive set and consistent with the X-Frame-Options value               +5          +5
  Header has the frame-ancestors directive set and inconsistent with the X-Frame-Options value             -5          -5
  Header enables XSS blocking and X-XSS-Protection is not set                                              +15         +15
  Header enables XSS filtering and X-XSS-Protection is not set                                             +15         +15
  Header has the reflected-xss directive set and consistent with the X-XSS-Protection value                +5          +5
  Header has the reflected-xss directive set with a different value than X-XSS-Protection                  -5          -5
  Header has the upgrade-insecure-requests or block-all-mixed-content directive set                        +5          +5
Server
  Header discloses the server's software version                                                           -5          -5
X-Powered-By
  Header discloses the server's software version                                                           -5          -5
X-AspNet-Version
  Header discloses the server's software version                                                           -5          -5
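A checker for the cookie-flag rows of the previous table and the X-Frame-Options, CSP and frame-ancestors rows of this one, added as an example and not ImmuniWeb's code. parse_cookie, score_cookie, parse_csp, score_framing_and_csp, analyse and the SAMPLE_* response are this example's own. Two readings of the table are assumptions: only a bare '*' source counts as a wildcard, and frame-ancestors is "consistent" with X-Frame-Options when the pair is 'none'/DENY or 'self'/SAMEORIGIN. The cookie-prefix prerequisites are those of RFC 6265bis.

```python
from typing import Dict, List, Tuple


def parse_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """One Set-Cookie value -> (name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0].split("=", 1)[0].strip(), attrs


def score_cookie(set_cookie: str, over_https: bool) -> List[Tuple[str, int]]:
    name, a = parse_cookie(set_cookie)
    rows = []
    if "httponly" not in a:
        rows.append(("A cookie does not have the HttpOnly flag set", -5))
    if "secure" in a:
        rows.append(("A cookie has the Secure flag set", +5))
    same_site = a.get("samesite", "").lower()       # SameSite=None has no row in the table
    if same_site in ("lax", "strict"):
        rows.append((f"A cookie has the SameSite flag set to {same_site.capitalize()}", +5))
    elif not same_site:
        rows.append(("A cookie does not have the SameSite flag set", -1))
    # Prefix prerequisites (RFC 6265bis): __Secure- needs Secure on an HTTPS response;
    # __Host- additionally needs no Domain attribute and Path=/.
    secure_ok = over_https and "secure" in a
    if name.startswith("__Host-") and secure_ok and "domain" not in a and a.get("path") == "/":
        rows.append(('A cookie name has the "__Host-" prefix and its prerequisites', +5))
    elif name.startswith("__Secure-") and secure_ok:
        rows.append(('A cookie name has the "__Secure-" prefix and its prerequisites', +5))
    return rows


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """{directive: [sources]}, lower-cased (nonces and hashes are not examined here)."""
    d = {}
    for clause in policy.split(";"):
        tokens = clause.lower().split()
        if tokens:
            d[tokens[0]] = tokens[1:]
    return d


def score_framing_and_csp(headers: Dict[str, str]) -> List[Tuple[str, int]]:
    rows = []
    xfo = headers.get("X-Frame-Options", "").strip().upper() or None
    if xfo == "ALLOWALL":
        rows.append(("X-Frame-Options header value is ALLOWALL", -10))
    elif xfo:
        rows.append(("X-Frame-Options header is present and valid", +15))
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        return rows + [("Content-Security-Policy header is missing", -20)]
    rows.append(("Content-Security-Policy header is present", +20))
    d = parse_csp(csp)
    default = d.get("default-src", [])
    if default in (["'none'"], ["'self'"]):
        rows.append(("Content-Security-Policy has default-src set to 'none' or 'self'", +5))
    # Only a bare '*' counts as a wildcard; host patterns such as *.example.com do not (assumption).
    if "*" in default:
        rows.append(("Content-Security-Policy contains wildcard in default-src directive", -10))
    if any("*" in srcs for name, srcs in d.items() if name != "default-src"):
        rows.append(("Content-Security-Policy contains wildcard in any other directive", -10))
    fa = d.get("frame-ancestors")
    if fa is not None and xfo is None:
        rows.append(("frame-ancestors set with wildcard, X-Frame-Options not set", +5) if "*" in fa
                    else ("frame-ancestors set and restricting sources, X-Frame-Options not set", +10))
    elif fa is not None:
        # "Consistent" is read as 'none'/DENY or 'self'/SAMEORIGIN; anything else is inconsistent.
        consistent = (fa, xfo) in ((["'none'"], "DENY"), (["'self'"], "SAMEORIGIN"))
        rows.append(("frame-ancestors consistent with X-Frame-Options", +5) if consistent
                    else ("frame-ancestors inconsistent with X-Frame-Options", -5))
    if "upgrade-insecure-requests" in d or "block-all-mixed-content" in d:
        rows.append(("Content-Security-Policy has upgrade-insecure-requests or block-all-mixed-content set", +5))
    return rows


def analyse(headers: Dict[str, str], cookies: List[str], over_https: bool = True) -> Tuple[int, List[Tuple[str, int]]]:
    rows = score_framing_and_csp(headers)
    for cookie in cookies:
        rows += score_cookie(cookie, over_https)
    return sum(points for _, points in rows), rows


# Constructed response, not captured from any real server.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net; "
                               "img-src *; frame-ancestors 'none'; upgrade-insecure-requests",
    "X-Frame-Options": "SAMEORIGIN",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly",
                  "__Host-csrf=xyz; Path=/; Secure; SameSite=Strict; HttpOnly"]

if __name__ == "__main__":
    total, rows = analyse(SAMPLE_HEADERS, SAMPLE_COOKIES)
    for description, points in rows:
        print(f"{points:+4d}  {description}")
    print("header/cookie delta:", total)
```

On the constructed response the wildcard in img-src and the frame-ancestors 'none' / SAMEORIGIN mismatch each cost points even though a CSP is present, and the session cookie loses a point for the missing SameSite attribute. Note that the __Host- bonus disappears if the same cookie is served over plain HTTP, since the prefix prerequisites are not met there.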