Website Security Test

Free online security tool to test your security
  • GDPR & PCI DSS Test
  • CSP & HTTP Headers Check
  • Website CMS Security Test
  • WordPress & Drupal Scanning

Free API

ImmuniWeb Community Edition provides a free API for the Website Security Test. The daily quota is shared between tests started through the API and tests started through the web interface:

Account type    Tests per day    Monthly subscription
No Account      10               Free
Free Account    20               Free

Premium API

ImmuniWeb Community Edition also provides a premium API for a higher number of tests per day, usable through the API or the web interface:

Tests per day    Monthly subscription
50               $199
500              $1990
1000             $3980
2500             $7995

The number of API requests remaining is shown in the web interface under your account. The quota is shared among all users whose accounts use the same domain name as yours.

Get in touch for details.

Public schools, local governments and non-profit organizations may request free access to the premium API.

API Documentation

Full API Documentation

API Specifications

Field Name      Value
Protocol        HTTP/HTTPS
Request Type    POST
URL             https://www.immuniweb.com/websec/api/v1/chsec/[ustamp].html, where "ustamp" is an arbitrary UNIX timestamp (must be an integer). The changing path segment prevents caching on the client side.

POST Data Specification

Field Name    Value
api_key       Secret token submitted alongside the request. It travels in the POST body, so send it only to the HTTPS endpoint.
tested_url    The URL of the domain to be tested.
dnsr          "on" hides the test results; "off" lets them be displayed in the public statistics.
choosen_ip    IP address of the tested server, used when the tested domain resolves to multiple addresses (the examples below pass "any"). Note that the API spells the parameter name "choosen_ip".
recheck       "false" reuses results from the cache if the server has been tested within the past 24 hours; "true" runs a new test without consulting the cache.
token         Value of the token sent by the server when the tested domain resolves to several IP addresses.

Example of Transaction Using CURL

New test (not cached)
curl -d "tested_url=twitter.com&choosen_ip=any&dnsr=off&recheck=false" "https://www.immuniweb.com/websec/api/v1/chsec/1451425590.html"
{
"job_id": "2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc",
"status": "test_started",
"status_id": 1,
"message": "Test has started"
}
curl -d "job_id=2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc" "https://www.immuniweb.com/websec/api/v1/get_result/1451425590.html"
{
"job_id": "2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc",
"status": "in_progress",
"status_id": 2,
"message": "Your test is in progress"
}
New test (cached)
curl -d "tested_url=twitter.com&choosen_ip=any&dnsr=off&recheck=false" "https://www.immuniweb.com/websec/api/v1/chsec/1451425590.html"
{
"test_id": "c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004",
"status": "test_cached",
"status_id": 3,
"message": "Test is cached"
}
curl -d "id=c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004" "https://www.immuniweb.com/websec/api/v1/get_result/1451425590.html"
{ ... }
Example with error
curl -d "tested_url=0.0.0.0&choosen_ip=any&dnsr=off&recheck=false" "https://www.immuniweb.com/websec/api/v1/chsec/1451425590.html"
{
"error": "Domain name 0.0.0.0 was resolved in an invalid IP address",
"error_name": "invalid_ip_resolved",
"error_id": 16
}
Download PDF (test_id is the identifier of a completed test; api_key is required)
curl -d "api_key=your_api_key" "https://www.immuniweb.com/websec/gen_pdf/test_id/" > report.pdf
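The submit-and-poll flow shown in the curl transcripts above, written as an added Python client. This is not ImmuniWeb's own code: start_test posts to chsec with an integer timestamp in the path and raises on an "error" reply; fetch_result polls get_result until the status is no longer "in_progress", sending "job_id" for a fresh test and "id" for a cached one, exactly as the page's examples do. FakeServer replays those transcripts so the block runs offline; its final "finished" status is a constructed placeholder, because the page elides the real result payload ("{ ... }"). The function names, the dnsr="on" default and the 15-second polling interval are choices made here, not documented API behaviour.

```python
"""Client for the Website Security Test API flow documented above (added example)."""
import json
import time
import urllib.parse
import urllib.request

API_BASE = "https://www.immuniweb.com/websec/api/v1"


def http_post(url, fields):
    """Real transport: form-encoded POST, JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=60) as resp:
        return json.loads(resp.read().decode())


def start_test(tested_url, api_key=None, recheck=False, dnsr="on",
               chosen_ip="any", post=http_post, now=time.time):
    """Submit a test and return the server's JSON; raise on an API error reply."""
    fields = {"tested_url": tested_url,
              "choosen_ip": chosen_ip,                # the API spells the parameter this way
              "dnsr": dnsr,                           # "on" keeps the result out of public statistics
              "recheck": "true" if recheck else "false"}
    if api_key:
        fields["api_key"] = api_key                   # secret: only ever over HTTPS
    # An integer UNIX timestamp in the path defeats client-side caching.
    reply = post(f"{API_BASE}/chsec/{int(now())}.html", fields)
    if "error" in reply:
        raise RuntimeError(f"{reply.get('error_name')} ({reply.get('error_id')}): {reply['error']}")
    return reply


def fetch_result(reply, post=http_post, now=time.time, sleep=time.sleep,
                 interval=15, max_polls=40):
    """Poll get_result until the status leaves 'in_progress'.
    A cached test is fetched by 'id', a fresh one by 'job_id' (as in the page's examples)."""
    if reply.get("status") == "test_cached":
        fields = {"id": reply["test_id"]}
    else:
        fields = {"job_id": reply["job_id"]}
    for _ in range(max_polls):
        result = post(f"{API_BASE}/get_result/{int(now())}.html", fields)
        if result.get("status") != "in_progress":
            return result
        sleep(interval)
    raise TimeoutError("test did not finish within the polling budget")


class FakeServer:
    """Offline stand-in that replays the page's example transcripts (constructed)."""
    JOB = "2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc"

    def __init__(self):
        self.polls = 0

    def post(self, url, fields):
        if "/chsec/" in url:
            if fields["tested_url"] == "0.0.0.0":
                return {"error": "Domain name 0.0.0.0 was resolved in an invalid IP address",
                        "error_name": "invalid_ip_resolved", "error_id": 16}
            return {"job_id": self.JOB, "status": "test_started", "status_id": 1,
                    "message": "Test has started"}
        self.polls += 1
        if self.polls < 3:
            return {"job_id": fields["job_id"], "status": "in_progress",
                    "status_id": 2, "message": "Your test is in progress"}
        # The page elides the finished payload; this status value is a constructed placeholder.
        return {"job_id": fields["job_id"], "status": "finished"}


if __name__ == "__main__":
    srv = FakeServer()
    started = start_test("twitter.com", post=srv.post, now=lambda: 1451425590)
    print(fetch_result(started, post=srv.post, now=lambda: 1451425590, sleep=lambda s: None))
```

To run against the live service, drop the post/now/sleep overrides and pass your api_key; keep the polling interval generous, since every poll counts against the same quota that the web interface draws on.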


ImmuniWeb Community Edition - Website Security Test

The Website Security Test is a free online tool to perform web security and privacy tests:

  • Non-intrusive GDPR compliance check related to web application security.
  • Non-intrusive PCI DSS compliance check related to web application security.
  • Analysis of CMS and its components for outdated versions and publicly-known vulnerabilities.
  • Analysis of HTTP methods that may put web server, web application or website visitors at risk.
  • Detailed analysis (syntax, validity, trustworthiness) of HTTP security headers:
    • Server
    • Strict-Transport-Security (also known as HSTS)
    • X-Frame-Options
    • X-Powered-By
    • X-Content-Type-Options
    • X-XSS-Protection
    • X-AspNet-Version
    • Content-Security-Policy (also known as CSP)
    • Access-Control-Allow-Origin
    • Content-Security-Policy-Report-Only
    • Referrer-Policy
    • Permissions-Policy
  • Analysis of altered, and thus potentially malicious, JS libraries.
  • Analysis of ViewState for misconfigurations and security weaknesses.
  • Analysis of web application cookies for security flags.
  • Detection of domain’s presence in various Blacklists.
  • Detection of Cryptojacking within JS code.
  • Detection of WAF presence.

References & How-To's

IP Ranges

IP ranges of our outbound servers are:

  • 192.175.111.224/27
  • 64.15.129.96/27
  • 70.38.27.240/28
  • 72.55.136.144/28
  • 72.55.136.192/28
  • 79.141.85.24/29
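Knowing the outbound ranges lets you separate the tool's probes from other traffic in your own logs, for example to confirm that a TRACE request during a test came from the scanner rather than from an attacker. The following is an added example, not ImmuniWeb's code: it tags combined-log-format lines whose client address falls inside the ranges above, using the standard library's ipaddress module, and counts the HTTP methods the scanner used. The log lines are constructed; one of them (72.55.136.160) sits in the gap between the two 72.55.136.x blocks and must not be tagged.

```python
"""Tag access-log lines from the ImmuniWeb outbound ranges (added example)."""
import ipaddress
from collections import Counter

IMMUNIWEB_RANGES = [ipaddress.ip_network(n) for n in (
    "192.175.111.224/27", "64.15.129.96/27", "70.38.27.240/28",
    "72.55.136.144/28", "72.55.136.192/28", "79.141.85.24/29")]

# Constructed combined-log-format lines. 72.55.136.160 lies between the two
# published 72.55.136.x blocks and must not be attributed to the scanner.
SAMPLE_LOG = """\
192.175.111.230 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.175.111.230 - - [10/Jan/2024:10:00:02 +0000] "TRACE / HTTP/1.1" 405 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "curl/8.0"
79.141.85.30 - - [10/Jan/2024:10:00:04 +0000] "OPTIONS / HTTP/1.1" 204 0 "-" "Mozilla/5.0"
72.55.136.160 - - [10/Jan/2024:10:00:05 +0000] "GET /.git/config HTTP/1.1" 404 169 "-" "python-requests/2.31"
64.15.129.127 - - [10/Jan/2024:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
"""


def is_scanner_ip(ip):
    """True if the address falls inside one of the published outbound ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IMMUNIWEB_RANGES)


def triage(log_text):
    """Return (scanner_lines, other_lines, methods); methods counts the HTTP
    methods seen from scanner addresses, e.g. to confirm a TRACE probe's origin."""
    scanner, other, methods = [], [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split(" ", 1)[0]
        try:
            from_scanner = is_scanner_ip(ip)
        except ValueError:            # malformed client field: keep it in the "other" pile
            from_scanner = False
        if from_scanner:
            scanner.append(line)
            methods[line.split('"')[1].split()[0]] += 1
        else:
            other.append(line)
    return scanner, other, methods


if __name__ == "__main__":
    scanner, other, methods = triage(SAMPLE_LOG)
    print(len(scanner), "scanner lines,", len(other), "other lines; scanner methods:", dict(methods))
```

The same list is what you would allowlist in a WAF or rate limiter for the duration of a test; anything outside it that probes /.git/config or wp-login.php during the scan window is unrelated to the tool.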

Scoring Methodology

- At the beginning of the test, the score is set to 100
- Points are added for good and reliable configuration of your website and web server
- Points are deducted for insecure, incomplete or unreliable configuration of your website or web server
- Total points for all detected CMSs and CMS components are bounded to the range -50 to +50
- Total points for all detected JS components are bounded to the range -20 to +20
- Total points for all HTTP methods and CSP are bounded to the range -30 to +30
- Total points for all cookies are bounded to the range -10 to +10
- No website may score above "C" if vulnerable software is found
- No website may score above "B+" if the CMS is not up to date
- No website may score below "C" if its CMS and CMS components have no known vulnerabilities

Grade    Score
A+       greater than 100
A        90 to 99
A-       80 to 89
B+       70 to 79
B        60 to 69
B-       50 to 59
C+       35 to 49
C        20 to 34
F        lower than 20

Website Security and Compliance

Description Score
WAF is present +20
WAF is missing -5
CMS is up to date +20
CMS is not up to date -15
CMS is not up to date and is vulnerable -50
CMS component is up to date +15
CMS component is not up to date -10
CMS component is not up to date and is vulnerable -30
JS component is up to date +10
JS component is not up to date -5
JS component is not up to date and is vulnerable -30
Server supports Custom HTTP methods -10
Server supports TRACE, TRACK or CONNECT HTTP method -10
A cookie does not have the HttpOnly flag set -5
A cookie has the Secure flag set +5
A cookie has the SameSite flag set to Lax +5
A cookie has the SameSite flag set to Strict +5
A cookie does not have the SameSite flag set -1
A cookie name has the "__Secure-" prefix and its prerequisites +5
A cookie name has the "__Host-" prefix and its prerequisites +5
Web server directory listing enabled -10
The website is using resources from third-party domains that cannot be resolved -30
Cryptojacking malware detected -50

HTTP Security Headers and Content Security Policy Scoring

Header Name Description Over HTTP Over HTTPS
Expect-CT Header is present and valid 0 +25
Expect-CT Header is missing or wrongly configured 0 -20
Permissions-Policy Header is present and valid +15 +15
Permissions-Policy Header is present and wrongly configured -10 -10
Access-Control-Allow-Origin Header is present and valid +5 +5
Strict-Transport-Security Header is present, valid and enforced 0 +25
Strict-Transport-Security Header is missing 0 -20
Strict-Transport-Security Header has a duration below 6 months 0 -10
Strict-Transport-Security Server certificate is untrusted 0 -1
X-Frame-Options Header is present and valid +15 +15
X-Frame-Options Header value is ALLOWALL -10 -10
X-XSS-Protection Header is present and valid +20 +20
X-XSS-Protection Header value is 0 (disabled) -10 -10
X-XSS-Protection Header is missing -10 -10
X-Content-Type-Options Header is present and valid +15 +15
X-Content-Type-Options Header is missing -10 -10
Content-Security-Policy Header is present +20 +20
Content-Security-Policy Header is missing -20 -20
Content-Security-Policy Header has default-src set to 'none' or 'self' +5 +5
Content-Security-Policy Header contains wildcard in default-src directive -10 -10
Content-Security-Policy Header contains wildcard in any other directive -10 -10
Content-Security-Policy Header has frame-ancestors directive set and restricting sources and X-Frame-Options header is not set +10 +10
Content-Security-Policy Header has frame-ancestors directive set with wildcard and X-Frame-Options header is not set +5 +5
Content-Security-Policy Header has frame-ancestors directive set and consistent with X-Frame-Options header value +5 +5
Content-Security-Policy Header has frame-ancestors directive set and inconsistent with X-Frame-Options header value -5 -5
Content-Security-Policy Header enables XSS blocking and X-XSS-Protection header is not set +15 +15
Content-Security-Policy Header enables XSS filtering and X-XSS-Protection header is not set +15 +15
Content-Security-Policy Header has the reflected-xss directive set and consistent with X-XSS-Protection header value +5 +5
Content-Security-Policy Header contains the Reflected XSS directive with a different value than X-XSS-Protection header -5 -5
Content-Security-Policy Header has the upgrade-insecure-requests or the block-all-mixed-content directive set +5 +5
Server Header discloses server's software version -5 -5
X-Powered-By Header discloses server's software version -5 -5
X-AspNet-Version Header discloses server's software version -5 -5
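The methodology and the two scoring tables above can be modelled as a small scoring function. The following is an added example, not ImmuniWeb's scanner: it applies the per-category caps, the grade ceilings and floor, and the grade table to a constructed set of scan findings, and implements a representative subset of the point rules (WAF, CMS and JS components, HTTP methods and CSP, cookies with their prefix prerequisites, HSTS, X-Frame-Options, X-Content-Type-Options and version disclosure), not every row. The Findings structure, the 180-day reading of "6 months", the set of "standard" HTTP methods, how a score of exactly 100 is graded (the table above skips it), whether a short HSTS duration replaces or adds to the +25, and applying the "never below C" floor only when a CMS was detected are all assumptions made here and are flagged in comments.

```python
"""Model of the scoring methodology and point tables above (added example)."""
import re
from dataclasses import dataclass, field

GRADES = ["F", "C", "C+", "B-", "B", "B+", "A-", "A", "A+"]
THRESHOLDS = (("A", 90), ("A-", 80), ("B+", 70), ("B", 60), ("B-", 50), ("C+", 35), ("C", 20))
CMS = {"ok": 20, "outdated": -15, "vulnerable": -50}        # up to date / not / not and vulnerable
COMPONENT = {"ok": 15, "outdated": -10, "vulnerable": -30}
JS = {"ok": 10, "outdated": -5, "vulnerable": -30}
SIX_MONTHS = 180 * 86400   # assumption: the page does not define "6 months"
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH",
                    "TRACE", "TRACK", "CONNECT"}            # assumption: anything else is "custom"


@dataclass
class Findings:                                         # constructed input, not the scanner's real format
    https: bool = True
    waf: bool = False
    cms: str = ""                                       # "", "ok", "outdated" or "vulnerable"
    cms_components: list = field(default_factory=list)
    js_components: list = field(default_factory=list)
    http_methods: list = field(default_factory=list)
    cookies: list = field(default_factory=list)         # dicts: name, httponly, secure, samesite, path, domain
    headers: dict = field(default_factory=dict)         # lower-cased header name -> value
    directory_listing: bool = False
    cryptojacking: bool = False


def clamp(points, cap):
    """A category total never goes below -cap or above +cap."""
    return max(-cap, min(cap, points))


def cookie_points(c):
    pts = (0 if c.get("httponly") else -5) + (5 if c.get("secure") else 0)
    samesite = (c.get("samesite") or "").lower()
    pts += 5 if samesite in ("lax", "strict") else (-1 if not samesite else 0)
    name = c.get("name", "")
    # Prefix prerequisites (RFC 6265bis): __Secure- needs Secure; __Host- also Path=/ and no Domain.
    host_ok = name.startswith("__Host-") and c.get("secure") and c.get("path") == "/" and not c.get("domain")
    secure_ok = name.startswith("__Secure-") and c.get("secure")
    return pts + (5 if host_ok or secure_ok else 0)


def methods_csp_points(methods, headers):
    """HTTP methods and CSP share one category, capped at +/-30."""
    upper = {m.upper() for m in methods}
    pts = (-10 if upper - STANDARD_METHODS else 0) + (-10 if upper & {"TRACE", "TRACK", "CONNECT"} else 0)
    csp = headers.get("content-security-policy")
    if csp is None:
        return clamp(pts - 20, 30)
    pts += 20
    directives = {d.split()[0].lower(): d.split()[1:] for d in csp.split(";") if d.split()}
    default = directives.get("default-src", [])
    pts += 5 if default in (["'none'"], ["'self'"]) else 0
    pts += -10 if "*" in default else 0
    pts += -10 if any("*" in v for k, v in directives.items() if k != "default-src") else 0
    return clamp(pts, 30)


def header_points(headers, https):
    """Subset of the header table: HSTS (0 over plain HTTP), XFO, XCTO, version disclosure."""
    pts = 0
    if https:
        age = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
        if not age:
            pts -= 20
        elif int(age.group(1)) < SIX_MONTHS:
            pts -= 10                                   # assumption: replaces the +25, not added to it
        else:
            pts += 25
    xfo = headers.get("x-frame-options", "").upper()
    pts += -10 if xfo == "ALLOWALL" else (15 if xfo in ("DENY", "SAMEORIGIN") else 0)
    pts += 15 if headers.get("x-content-type-options", "").lower() == "nosniff" else -10
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if re.search(r"\d+\.\d+", headers.get(name, "")):   # a version number is disclosed
            pts -= 5
    return pts


def score(f):
    total = 100 + (20 if f.waf else -5)
    total += clamp((CMS[f.cms] if f.cms else 0) + sum(COMPONENT[s] for s in f.cms_components), 50)
    total += clamp(sum(JS[s] for s in f.js_components), 20)
    total += methods_csp_points(f.http_methods, f.headers)
    total += clamp(sum(cookie_points(c) for c in f.cookies), 10)
    total += header_points(f.headers, f.https)
    return total - (10 if f.directory_listing else 0) - (50 if f.cryptojacking else 0)


def grade(f):
    s = score(f)
    # Assumption: the grade table skips a score of exactly 100; it falls into "A" here.
    letter = "A+" if s > 100 else next((g for g, low in THRESHOLDS if s >= low), "F")
    cms_vulnerable = f.cms == "vulnerable" or "vulnerable" in f.cms_components
    ceiling = "C" if cms_vulnerable or "vulnerable" in f.js_components else \
        ("B+" if f.cms in ("outdated", "vulnerable") else "A+")
    # Assumption: the "never below C" floor only applies when a CMS was actually detected.
    floor = "C" if f.cms and not cms_vulnerable else "F"
    idx = min(GRADES.index(letter), GRADES.index(ceiling))
    return GRADES[max(idx, GRADES.index(floor))]


# Constructed findings for an unmaintained site: vulnerable CMS, TRACE enabled, no security headers.
EXAMPLE_SITE = Findings(cms="vulnerable", cms_components=["outdated"], js_components=["vulnerable"],
                        http_methods=["GET", "POST", "TRACE", "DEBUG"],
                        cookies=[{"name": "PHPSESSID", "httponly": False, "secure": False}],
                        headers={"server": "Apache/2.4.7", "x-powered-by": "PHP/5.4.0"})

if __name__ == "__main__":
    print(score(EXAMPLE_SITE), grade(EXAMPLE_SITE))
```

Two things the model makes visible that the tables alone do not: the caps mean a site cannot dig itself out of a vulnerable CMS with perfect headers (the CMS category bottoms out at -50 and the "C" ceiling applies regardless of the raw score), and because points are added as well as deducted, a well-configured site lands far above 100, which is why the top grade is "greater than 100" rather than a fixed maximum.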

Web Server Security Research

State of Cybersecurity Industry Exposure at Dark Web
  • 97%
    of the companies have data leaks exposed on the Dark Web
  • 25%
    of the leaks (160,529 leaks) are of high or critical risk levels
  • 29%
    of the stolen passwords are weak, and 161 companies reuse passwords
  • 63%
    of the companies have security or compliance issues on their websites

State of Cybersecurity at Top 100 Global Airports
  • 100%
    of the mobile apps contain at least 2 vulnerabilities
  • 97%
    of the websites contain outdated web software
  • 87%
    of the airports have data leaks on public code repositories
  • 66%
    of the airports have stolen credentials sold on the Dark Web

State of Stolen Credentials in the Dark Web from Fortune 500 Companies
  • 21M
    credentials are available in the Dark Web
  • 16M
    credentials compromised during the last year
  • 95%
    of stolen credentials are accessible in plaintext
  • 36%
    of passwords are bruteforceable in a minute

State of Application Security at S&P Global World's 100 Banks

97% of the World's Largest Banks are Vulnerable to Web and Mobile Attacks
  • 85%
    of e-banking web applications failed the GDPR compliance test
  • 49%
    of e-banking web applications failed the PCI DSS compliance test
  • 92%
    of mobile banking applications contain at least 1 medium-risk security vulnerability
  • 100%
    of the banks have security vulnerabilities or issues related to forgotten subdomains

State of Application Security at FT 500 Largest Companies

FT500 Global Companies
  • 70%
    of FT 500 companies can find access to some of their websites being sold on the Dark Web
  • 92%
    of external web applications have exploitable security flaws or weaknesses
  • 19%
    of the companies have external unprotected cloud storage
  • 2%
    of external web applications are properly protected with a WAF