https://www.immuniweb.com/websec/api/v1/chsec/[ustamp].html - where "ustamp" is an arbitrary UNIX timestamp (must be an integer). This construction prevents caching on the client side.
POST Data Specification

Field Name | Value
api_key | secret token which you submit along with the request
tested_url | the URL of the domain to be tested
dnsr | "on" means that test results will be hidden, "off" means that test results will be displayed in statistics
choosen_ip | IP address of the tested server (if the tested domain resolves to multiple addresses)
recheck | "false" will use results from the cache if the server has been tested within the past 24 hours, "true" will perform a new test without looking at the cache
token | value of the token sent by the server if the tested domain resolves to several IP addresses
Example response:
{
  "job_id": "2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc",
  "status": "in_progress",
  "status_id": 2,
  "message": "Your test is in progress"
}
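As an added example (not ImmuniWeb's client code), the request described above built in Python: the cache-busting URL with an integer UNIX timestamp, the URL-encoded POST body with the field names from the specification, and a parser for the JSON reply. The endpoint, field names and the sample reply are taken from the page; the helper names, the `hide_results` option and the `done` flag are my own.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_BASE = "https://www.immuniweb.com/websec/api/v1/chsec/"


def build_url(ustamp=None):
    """The path ends in an integer UNIX timestamp, so every call gets a fresh, uncacheable URL."""
    stamp = int(time.time()) if ustamp is None else int(ustamp)
    return f"{API_BASE}{stamp}.html"


def build_form(api_key, tested_url, hide_results=True, recheck=False, chosen_ip=None, token=None):
    """URL-encoded POST body using the field names from the specification.
    dnsr="on" keeps the result out of the public statistics; recheck="true" skips the 24-hour cache."""
    fields = {
        "api_key": api_key,
        "tested_url": tested_url,
        "dnsr": "on" if hide_results else "off",
        "recheck": "true" if recheck else "false",
    }
    if chosen_ip:
        fields["choosen_ip"] = chosen_ip  # spelled the way the API expects it
    if token:
        fields["token"] = token  # value the server sends back when the host has several IPs
    return urlencode(fields).encode()


def parse_reply(body):
    """Pick out the fields a caller acts on; raises ValueError when the reply carries no status."""
    reply = json.loads(body)
    if "status" not in reply:
        raise ValueError("reply has no status field")
    return {
        "job_id": reply.get("job_id"),
        "status": reply["status"],
        "status_id": reply.get("status_id"),
        "message": reply.get("message", ""),
        "done": reply["status"] != "in_progress",  # helper flag, not part of the API
    }


def start_test(api_key, tested_url, **options):
    """Submit one test. This is the only function that touches the network."""
    req = Request(build_url(), data=build_form(api_key, tested_url, **options), method="POST")
    with urlopen(req, timeout=30) as resp:
        return parse_reply(resp.read().decode("utf-8"))


# The example reply from the page, used to exercise the parser offline.
SAMPLE_REPLY = ('{"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc",'
                '"status":"in_progress","status_id":2,"message":"Your test is in progress"}')

if __name__ == "__main__":
    print(build_url(1700000000))
    print(parse_reply(SAMPLE_REPLY))
```

`start_test` is the only call that reaches the server; everything else can be exercised offline against the page's own sample reply, which is how the parser is checked here.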
- At the beginning of the test, the score is set to 100
- Points are added for good and reliable configuration of your website and web server
- Points are deducted for insecure, incomplete or unreliable configuration of your website or web server
- Total points for all detected CMS(s) and CMS components will not go below -50 or above +50
- Total points for all detected JS components will not go below -20 or above +20
- Total points for all HTTP methods and CSP will not go below -30 or above +30
- Total points for all cookies will not go below -10 or above +10
- No website may score above "C" if vulnerable software is found
- No website may score above "B+" if the CMS is not up2date
- No website may score below "C" if its CMS and CMS components have no known vulnerabilities
- The server gets an "N" if the tested port is closed or the HTTP status code is not 200, 301, 302, 303, 307 or 308
Grade | Score
A+ | Score greater than 100
A | Score between 90 and 99
A- | Score between 80 and 89
B+ | Score between 70 and 79
B | Score between 60 and 69
B- | Score between 50 and 59
C+ | Score between 35 and 49
C | Score between 20 and 34
F | Score lower than 20
Website Security and Compliance

Description | Score
WAF is present | +20
WAF is missing | -5
CMS is up2date | +20
CMS is not up2date | -15
CMS is not up2date and is vulnerable | -50
CMS component is up2date | +15
CMS component is not up2date | -10
CMS component is not up2date and is vulnerable | -30
JS component is up2date | +10
JS component is not up2date | -5
JS component is not up2date and is vulnerable | -30
Server supports custom HTTP methods | -10
Server supports the TRACE, TRACK or CONNECT HTTP method | -10
A cookie does not have the HttpOnly flag set | -5
A cookie has the Secure flag set | +5
A cookie has the SameSite flag set to Lax | +5
A cookie has the SameSite flag set to Strict | +5
A cookie does not have the SameSite flag set | -1
A cookie name has the "__Secure-" prefix and its prerequisites | +5
A cookie name has the "__Host-" prefix and its prerequisites | +5
Web server directory listing enabled | -10
The website is using resources from third-party domains that cannot be resolved | -30
Cryptojacking malware detected | -50
HTTP Security Headers and Content Security Policy Scoring

Header Name | Description | Over HTTP | Over HTTPS
Permissions-Policy | Header is present and valid | +15 | +15
Permissions-Policy | Header is present and wrongly configured | -10 | -10
Expect-CT | Header is wrongly configured | -20 |
Access-Control-Allow-Origin | Header is present and valid | +5 | +5
Strict-Transport-Security | Header is present, valid and enforced | 0 | +25
Strict-Transport-Security | Header is missing | 0 | -20
Strict-Transport-Security | Header has a duration below 6 months | 0 | -10
Strict-Transport-Security | Server certificate is untrusted | 0 | -1
X-Frame-Options | Header is present and valid | +15 | +15
X-Frame-Options | Header value is ALLOWALL | -10 | -10
X-XSS-Protection | Header is present and valid | +20 | +20
X-XSS-Protection | Header value is 0 (disabled) | -10 | -10
X-XSS-Protection | Header is missing | -10 | -10
X-Content-Type-Options | Header is present and valid | +15 | +15
X-Content-Type-Options | Header is missing | -10 | -10
Content-Security-Policy | Header is present | +20 | +20
Content-Security-Policy | Header is missing | -20 | -20
Content-Security-Policy | Header has default-src set to 'none' or 'self' | +5 | +5
Content-Security-Policy | Header contains a wildcard in the default-src directive | -10 | -10
Content-Security-Policy | Header contains a wildcard in any other directive | -10 | -10
Content-Security-Policy | Header has the frame-ancestors directive set and restricting sources, and the X-Frame-Options header is not set | +10 | +10
Content-Security-Policy | Header has the frame-ancestors directive set with a wildcard, and the X-Frame-Options header is not set | +5 | +5
Content-Security-Policy | Header has the frame-ancestors directive set and consistent with the X-Frame-Options header value | +5 | +5
Content-Security-Policy | Header has the frame-ancestors directive set and inconsistent with the X-Frame-Options header value | -5 | -5
Content-Security-Policy | Header enables XSS blocking and the X-XSS-Protection header is not set | +15 | +15
Content-Security-Policy | Header enables XSS filtering and the X-XSS-Protection header is not set | +15 | +15
Content-Security-Policy | Header has the reflected-xss directive set and consistent with the X-XSS-Protection header value | +5 | +5
Content-Security-Policy | Header has the reflected-xss directive set with a value different from the X-XSS-Protection header | -5 | -5
Content-Security-Policy | Header has the upgrade-insecure-requests or the block-all-mixed-content directive set | +5 | +5
Server | Header discloses the server's software version | -5 | -5
X-Powered-By | Header discloses the server's software version | -5 | -5
X-AspNet-Version | Header discloses the server's software version | -5 | -5
Free Website Security Monitoring
ImmuniWeb Community Edition provides free website security and compliance monitoring with this Website Security Test. You can add up to 3 websites for free; they will be tested with the Website Security Test every 7 days, and you will be notified by email about new vulnerabilities or misconfigurations. You can change or remove the hosts at any time.
Software Composition Analysis
Our database currently contains the following SCA fingerprints and related software vulnerabilities:
- CMS and Web Frameworks: 300+
- CMS Plugins and Extensions: 160,000+
- JS Libraries and Frameworks: 8,900+
- CVE Vulnerabilities: 12,300+
Statistics dashboards (chart data not included here): Recent Website Security Tests; Website CMS Security and Vulnerabilities (10 Most Popular CMS, 10 Most Popular Frameworks and JS Libraries, CMS Status and Vulnerabilities); Website Compliances (Website GDPR Compliance, Website PCI DSS Compliance); Web Server Security (Website WAF Protection, Web Server Security Grades Distribution by grade A/B/C/F, Enabled and Securely Configured HTTP Headers).
Web Server Security Research
State of Cybersecurity Industry Exposure at Dark Web:
- 97% of the companies have data leaks exposed on the Dark Web
- 25% of the leaks, being 160,529 leaks, are of high or critical risk levels
- 29% of the stolen passwords are weak; 161 companies reuse passwords
- 63% of the companies have security or compliance issues on their websites
Website security is composed of the website's data availability, integrity and confidentiality. The data is mostly represented by the files and databases of the website. Availability is about uninterrupted and swift access to the website and its content; for example, a DDoS attack can disrupt website availability and prevent legitimate users from accessing it.
Integrity involves the security of the stored data: attackers must not be able to modify data or distort any information available on the website. Confidentiality relates to due protection of any sensitive data, for instance the logins and passwords of website users, to ensure that nobody but authorized personnel has access to it.
Q: How to check website security?
A: A website security check shall include thorough verification of its availability, integrity and confidentiality. On top of this security triad, privacy and compliance with the enacted data protection laws and regulations make a website stand out from its competitors. ImmuniWeb Community Edition provides a free online test to quickly check your website's security, privacy and compliance.

Q: What is GDPR compliance?
A: GDPR compliance means adherence to all of the requirements of the General Data Protection Regulation (EU GDPR), a European law intended to protect the Personally Identifiable Information (PII) of European residents by increasing the transparency of data handling, granting the right to control your PII, and allowing you to request that companies and organizations return and then delete any PII related to you.
The law was enacted in response to the skyrocketing number of data breaches, leaks and unscrupulous handling of PII for commercial or even unlawful purposes without people's consent.

Q: How to be GDPR compliant?
A: The best way to start is to read the official text of the General Data Protection Regulation (GDPR). You may require competent advice about the applicability and practical enforcement of the law, and it is strongly recommended to retain a licensed attorney in your country to clarify any grey areas, as a single mistake may lead to disastrous financial consequences: a fine of 4% of your annual turnover or 20 million euros, whichever is greater.
A GDPR compliance test shall cover the people, processes and technologies in your organization that handle or process the Personally Identifiable Information (PII) of European residents. You shall retain a licensed attorney to review your Data Protection policy and the other legal documents and processes required by the articles of GDPR. Not all GDPR requirements are technical; for example, the availability and protection of a Data Protection Officer (DPO) belongs rather to the HR and legal part of GDPR compliance. You may test the GDPR compliance of your website with the free security test by ImmuniWeb Community Edition.
Q: What is PCI DSS compliance?
A: Payment Card Industry Data Security Standard (PCI DSS) compliance involves strict adherence to all 12 requirements of the standard for any company that processes at least one credit card per year. Some PCI DSS requirements, for example wireless network security and encryption, may be inapplicable only if the company has no wireless network within its Cardholder Data Environment (CDE). PCI DSS compliance also involves quarterly vulnerability scanning and annual penetration testing of the CDE.

Q: How to test PCI DSS compliance?
A: To test PCI DSS compliance, one should first determine the Cardholder Data Environment (CDE) of the tested organization. The CDE scope clearly defines the segments of the corporate network and cloud storage where credit card data is stored or processed. It is extremely important to define your CDE scope properly; otherwise you may overprotect or overspend on PCI DSS compliance, leading to fines or considerable financial losses.
Then your PCI DSS security auditors shall meticulously audit and test all applicable requirements of the PCI DSS standard as implemented in your network. You may test your website's PCI DSS compliance with the free online scanner by ImmuniWeb Community Edition.
Q: What are HTTP headers?
A: HTTP headers are part of an HTTP request sent by a web browser to a web server, or of the response sent back, and pass additional information about the transmitted content, its format or structure, or specify security or privacy features such as the Do Not Track (DNT) directive.
Some HTTP headers are browser- or web-server-specific. Some security headers, like Content Security Policy (CSP), are fairly complicated to configure because sufficient website functionality must be maintained, but if properly implemented they can mitigate a wide spectrum of XSS (Cross-Site Scripting) and other attacks by disallowing insecure or untrusted content from running in the user's web browser.

Q: How do HTTP headers work?
A: HTTP headers may be server-side or client-side. Both kinds work by sending instructions along with an HTTP request or response on how to handle or process it. For example, a request sent by the browser may specify that the user does not wish to be tracked by including a DNT (Do Not Track) HTTP header.
Similarly, server-side HTTP headers may instruct the browser to renew its cache, use a specific encoding when displaying the content, enable the XSS filter, prevent framing in iframes, or force the use of HTTPS. Most programming languages provide simple, ready-to-use functions to set most HTTP headers.

Q: Which HTTP headers are required?
A: HTTP headers may be required to address the specific needs of a website owner or a web browser user. For example, some security-related headers on the web server side, like X-XSS-Protection or the more powerful Content Security Policy (CSP), are recommended to enhance web application and web server security by mitigating some vectors of XSS and related attacks.
Conversely, other server-side headers, like X-Powered-By or Server, may disclose internal or sensitive information and shall be removed. On the client side, the DNT (Do Not Track) header is becoming increasingly popular. While there is no one-size-fits-all approach to implementing specific HTTP headers, you may test your web server's HTTP headers for general weaknesses or misconfigurations with the free website security test powered by ImmuniWeb Community Edition.

Q: How to configure HTTP headers?
A: Server-side HTTP headers are configured on the web server, through its admin interface or by updating its configuration file. Each web server provides detailed documentation and how-to guides for the HTTP headers it supports. Some client-side HTTP headers can be configured directly in the GUI of your web browser, if it supports customized HTTP header configuration.
Q: Why is a WAF required?
A: A Web Application Firewall (WAF) can protect your websites, web services and APIs even if they are vulnerable to SQL injection or other common types of security flaws. Attackers will not be able to exploit a vulnerability residing in the source code of your website if it is protected by a properly configured WAF, whether on premise or in the cloud.
Sometimes software developers have insufficient time to mitigate recently detected security vulnerabilities and weaknesses properly and promptly; instead of leaving the website and its users exposed to cybercriminals, they can mitigate these flaws with a WAF. A modern WAF also reduces the number of malicious bots, accelerates website speed and blocks IP addresses known to be infected by malware or participating in DDoS attacks, for example. Moreover, many security standards and compliance requirements, like PCI DSS, expressly require the presence of a WAF.

Q: Can WAF prevent DDoS?
A: A modern WAF can effectively prevent Denial of Service (DoS) attacks and reduce the impact of Distributed Denial of Service (DDoS) attacks. It is, however, virtually impossible to prevent a large-scale DDoS attack coming from millions, or in some cases even tens of millions, of bots that simply take the network offline with gigabytes of garbage traffic or even shut down the entire infrastructure of the ISP (Internet Service Provider) hosting the targeted website.
For simple cases and weak DDoS attacks, a WAF can at least keep the website up by blocking malicious IP addresses or by limiting access to the website from certain countries, but the website will likely become slower. Specialized anti-DDoS service providers offer competitive solutions tailored to stop or mitigate the consequences of DDoS attacks.

Q: How does a WAF work?
A: A Web Application Firewall (WAF) is a virtual layer between your website and the Internet. All website visitors must pass through the WAF before they can reach your web server and website. If the WAF detects malicious or suspicious elements in a visitor's behavior, such as known patterns of web attacks or blacklisted IPs, it blocks those requests, keeping your website safe from unwelcome visitors and hackers.
Q: What is CMS security?
A: The security of a web Content Management System (CMS) usually relates to the security of the web software used to run a website; WordPress and Drupal are both examples of a web CMS. CMS security is ensured by its developers, who implement security controls and protection mechanisms to prevent known attacks against the CMS such as SQL injection or XSS.
Website owners shall maintain security by installing security patches promptly, using unique and strong passwords, and ensuring that the website hosting is likewise secure. CMS security also depends entirely on web server security: if, for instance, FTP access or the admin password to the server is compromised, the website will be under the immediate control of the attackers however good the CMS security is.

Q: How to test WordPress security?
A: WordPress security mostly depends on whether your installation of the WordPress CMS, its plugins and its themes are all up to date. To test WordPress security, make a complete inventory of WP components and plugins and ensure they are all up to date. Then consult vulnerability databases to check whether any of the WP plugins or extensions contain known but unpatched security vulnerabilities, and if so, deactivate these components.
Consider using a dedicated plugin that hardens WP security by activating supplementary controls and mechanisms unavailable by default and restricting access to configuration files. ImmuniWeb Community Edition provides a free online tool to test your WordPress security and detect all known security and privacy issues in your installation of WordPress.

Q: How to check Drupal security?
A: A Drupal security check starts with verifying whether the Drupal CMS and all plugins used in your installation are up to date. Then check the various vulnerability databases that may contain information about known but still unpatched vulnerabilities or weaknesses exploited by attackers in the wild. If you find such a component, rapidly deactivate or disable it until the vendor issues a patch.
Additionally, ensure that all privileged users have strong and unique passwords, that the web hosting where Drupal runs is secure, that access to configuration files is restricted, and that you have a reliable mechanism to continuously install Drupal security updates. You may check the security of your Drupal website with the free website security test provided by ImmuniWeb Community Edition.