Website Security Test
- GDPR & PCI DSS Test
- Website CMS Security Test
- CSP & HTTP Headers Check
- WordPress & Drupal Scanning
Free online tool to test website security
163,563,855 websites tested for security
Scoring Methodology
- At the beginning of the test, the score is set to 100
- Points are added for good and reliable configuration of your website and web server
- Points are deducted for insecure, incomplete or unreliable configuration of your website or web server
- Total points for all detected CMS(s) and CMS components will not go below -50 or above +50
- Total points for all detected JS components will not go below -20 or above +20
- Total points for all HTTP methods and CSP will not go below -30 or above +30
- Total points for all cookies will not go below -10 or above +10
- No website may score above "C" if vulnerable software is found
- No website may score above "B+" if the CMS is not up to date
- No website may score below "C" if its CMS and CMS components have no known vulnerabilities
- The score is set to 0 if the website is loading scripts suspected of malware or other malicious activities
- The score is set to 0 if the website is loading content from domains suspected of malware distribution or other malicious activities
- The server gets an "N" if a tested port is closed or the HTTP status code is not 200, 301, 302, 303, 307 or 308
Grade | Score |
---|---|
A+ | Score greater than 100 |
A | Score between 90 and 99 |
A- | Score between 80 and 89 |
B+ | Score between 70 and 79 |
B | Score between 60 and 69 |
B- | Score between 50 and 59 |
C+ | Score between 35 and 49 |
C | Score between 20 and 34 |
F | Score lower than 20 |
Website Security and Compliance
Description | Score |
---|---|
WAF is present | +20 |
WAF is missing | -5 |
CMS is up to date | +20 |
CMS is not up to date | -15 |
CMS is not up to date and is vulnerable | -50 |
CMS component is up to date | +15 |
CMS component is not up to date | -10 |
CMS component is not up to date and is vulnerable | -30 |
JS component is up to date | +10 |
JS component is not up to date | -5 |
JS component is not up to date and is vulnerable | -30 |
Server supports custom HTTP methods | -10 |
Server supports the TRACE, TRACK or CONNECT HTTP method | -10 |
A cookie does not have the HttpOnly flag set | -5 |
A cookie has the Secure flag set | +5 |
A cookie has the SameSite attribute set to Lax | +5 |
A cookie has the SameSite attribute set to Strict | +5 |
A cookie does not have the SameSite attribute set | -1 |
A cookie name has the "__Secure-" prefix and its prerequisites | +5 |
A cookie name has the "__Host-" prefix and its prerequisites | +5 |
Web server directory listing is enabled | -10 |
The website is using resources from third-party domains that cannot be resolved | -30 |
HTTP Security Headers and Content Security Policy Scoring
Header Name | Description | Over HTTP | Over HTTPS |
---|---|---|---|
Permissions-Policy | Header is present and valid | +15 | +15 |
Permissions-Policy | Header is present and wrongly configured | -10 | -10 |
Access-Control-Allow-Origin | Header is present and valid | +5 | +5 |
Strict-Transport-Security | Header is present, valid and enforced | 0 | +25 |
Strict-Transport-Security | Header is missing | 0 | -20 |
Strict-Transport-Security | Header has a duration below 6 months | 0 | -10 |
Strict-Transport-Security | Server certificate is untrusted | 0 | -1 |
X-Frame-Options | Header is present and valid | +15 | +15 |
X-Frame-Options | Header value is ALLOWALL | -10 | -10 |
X-Content-Type-Options | Header is present and valid | +15 | +15 |
X-Content-Type-Options | Header is missing | -10 | -10 |
Content-Security-Policy | Header is present | +20 | +20 |
Content-Security-Policy | Header is missing | -20 | -20 |
Content-Security-Policy | Header has default-src set to 'none' or 'self' | +5 | +5 |
Content-Security-Policy | Header contains a wildcard in the default-src directive | -10 | -10 |
Content-Security-Policy | Header contains a wildcard in any other directive | -10 | -10 |
Content-Security-Policy | Header has the frame-ancestors directive set and restricting sources, and the X-Frame-Options header is not set | +10 | +10 |
Content-Security-Policy | Header has the frame-ancestors directive set with a wildcard, and the X-Frame-Options header is not set | +5 | +5 |
Content-Security-Policy | Header has the frame-ancestors directive set and consistent with the X-Frame-Options header value | +5 | +5 |
Content-Security-Policy | Header has the frame-ancestors directive set and inconsistent with the X-Frame-Options header value | -5 | -5 |
Content-Security-Policy | Header enables XSS blocking | +15 | +15 |
Content-Security-Policy | Header enables XSS filtering | +15 | +15 |
Content-Security-Policy | Header has the reflected-xss directive set | +5 | +5 |
Content-Security-Policy | Header has the upgrade-insecure-requests or the block-all-mixed-content directive set | +5 | +5 |
Server | Header discloses the server's software version | -5 | -5 |
X-Powered-By | Header discloses the server's software version | -5 | -5 |
X-AspNet-Version | Header discloses the server's software version | -5 | -5 |
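As an added example (not the tool's own code), the following scorer applies the methodology list and the point tables above: it starts at 100, clamps each capped category (CMS, JS, HTTP methods/CSP, cookies), maps the total to a grade, then applies the "C" and "B+" ceilings and the "C" floor. The finding names are illustrative; the point values, caps and thresholds are the page's.

```python
# Added example, not the tool's own code: a scorer applying this page's
# methodology (start at 100, per-category caps, grade ceilings/floors).
# Finding names are illustrative; point values are the page's. Findings
# in categories without a stated cap ("other") are applied uncapped.
POINTS = {  # finding -> (category, points)
    "waf_present": ("other", 20), "waf_missing": ("other", -5),
    "cms_up2date": ("cms", 20), "cms_outdated": ("cms", -15),
    "cms_outdated_vulnerable": ("cms", -50),
    "cms_component_outdated_vulnerable": ("cms", -30),
    "js_up2date": ("js", 10), "js_outdated_vulnerable": ("js", -30),
    "custom_http_methods": ("http", -10), "trace_enabled": ("http", -10),
    "csp_present": ("http", 20), "csp_missing": ("http", -20),
    "cookie_no_httponly": ("cookie", -5), "cookie_secure": ("cookie", 5),
    "hsts_missing": ("other", -20), "xcto_missing": ("other", -10),
    "server_version_disclosed": ("other", -5),
    "third_party_unresolvable": ("other", -30),
}
CAPS = {"cms": 50, "js": 20, "http": 30, "cookie": 10}
# Grade thresholds from the page. A score of exactly 100 is not covered
# by the page's table; it is treated as "A" here (assumption).
THRESHOLDS = [(101, "A+"), (90, "A"), (80, "A-"), (70, "B+"), (60, "B"),
              (50, "B-"), (35, "C+"), (20, "C"), (float("-inf"), "F")]
RANK = {g: i for i, (_, g) in enumerate(THRESHOLDS)}  # 0 = best grade


def score(findings, malicious_content=False):
    """Return (score, grade) for a list of finding names."""
    if malicious_content:  # malware scripts/domains zero the score
        return 0, "F"
    per_cat = {}
    for name in findings:
        cat, pts = POINTS[name]
        per_cat[cat] = per_cat.get(cat, 0) + pts
    total = 100
    for cat, pts in per_cat.items():
        cap = CAPS.get(cat)  # clamp each capped category to +/- cap
        total += max(-cap, min(cap, pts)) if cap else pts
    grade = next(g for lo, g in THRESHOLDS if total >= lo)
    # Ceilings and floor from the methodology list
    if any(n.endswith("_vulnerable") for n in findings):
        grade = max(grade, "C", key=RANK.get)      # no better than C
    if any(n.startswith("cms_outdated") for n in findings):
        grade = max(grade, "B+", key=RANK.get)     # no better than B+
    cms_vuln = any(n.startswith("cms") and n.endswith("_vulnerable")
                   for n in findings)
    if not cms_vuln:
        grade = min(grade, "C", key=RANK.get)      # no worse than C
    return total, grade
```

Note that the "C" floor means a site without a vulnerable CMS cannot drop to "F" no matter how many header and cookie points it loses, while a single vulnerable CMS already hits the -50 CMS cap on its own.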