This is an example report showing what a perfect Security Audit looks like. Run your own audit.
Security Audit Example: All 23 Passive Checks Passing
Security Score: 100 (out of 100)
23 of 23 checks passed
Domain: example-secure-site.com
What this report shows. This example demonstrates a website with every passive security check passing: strong HTTP security headers, a valid modern TLS configuration, cookies set with all three security flags, no mixed content, hidden server fingerprints, no known CVEs against detected software versions, no CMS version exposure, full mail security DNS records (SPF, DMARC, DKIM), and both standard well-known files in place. Read the full guide for the fix instructions behind each check, or jump to the beginner tutorial for a step-by-step walkthrough.
HTTP Security Headers

[PASS] Content-Security-Policy
CSP header: defends against XSS and injection by restricting which resources can load.
OWASP A05:2021 / CWE-693

[PASS] Strict-Transport-Security (HSTS)
HSTS forces browsers to use HTTPS, preventing protocol downgrade attacks.
OWASP A02:2021 / CWE-319

[PASS] X-Frame-Options / frame-ancestors
Prevents your site from being embedded in iframes (clickjacking defence).
OWASP A05:2021 / CWE-1021

[PASS] X-Content-Type-Options
Stops browsers from MIME-sniffing responses, which can lead to XSS.
OWASP A05:2021 / CWE-430

[PASS] Referrer-Policy
Controls how much referrer information is sent to other sites. Protects user privacy.
OWASP A05:2021 / CWE-200

[PASS] Permissions-Policy
Restricts which browser features (camera, microphone, geolocation) the page can use.
OWASP A05:2021 / CWE-693
TLS / SSL

[PASS] TLS Certificate Valid
Certificate is valid, not expired and signed by a trusted CA.
OWASP A02:2021 / CWE-295

[PASS] TLS Certificate Not Expiring Soon (expires 2027-01-15)
Certificate is not expiring in the next 30 days.
OWASP A02:2021 / CWE-324

[PASS] TLS Protocol Modern (TLSv1.3)
Server negotiates TLS 1.2 or 1.3 (not deprecated TLS 1.0 / 1.1).
OWASP A02:2021 / CWE-326
Cookies

[PASS] Cookies use Secure flag
All Set-Cookie responses include the Secure flag.
OWASP A05:2021 / CWE-614

[PASS] Cookies use HttpOnly flag
Cookies are not readable from JavaScript, preventing theft via XSS.
OWASP A05:2021 / CWE-1004

[PASS] Cookies use SameSite attribute
Cookies declare SameSite (Lax or Strict) to mitigate CSRF.
OWASP A01:2021 / CWE-1275
Mixed Content

[PASS] No mixed content
HTTPS pages do not load any http:// resources.
OWASP A02:2021 / CWE-319
Server Fingerprint

[PASS] Server header not verbose (nginx)
Server header does not advertise an exact version.
OWASP A05:2021 / CWE-200

[PASS] X-Powered-By header absent
X-Powered-By header is not exposed.
OWASP A05:2021 / CWE-200
Known CVEs (NVD)

[PASS] No known CVEs detected (no version fingerprints to look up)
No CVEs matched against detected versions via NIST NVD.
OWASP A06:2021 / CWE-1104
CMS Detection

[PASS] CMS not exposing version (no CMS detected)
No CMS generator meta tag exposing the exact version.
OWASP A05:2021 / CWE-200
Mail Security DNS

[PASS] SPF record present (apex: example-secure-site.com)
DNS TXT record starting with v=spf1 authorises which servers can send mail for the domain.
OWASP A07:2021 / CWE-290

[PASS] DMARC record present (apex: example-secure-site.com)
A _dmarc.<domain> TXT record exists, protecting against spoofing and phishing.
OWASP A07:2021 / CWE-290

[PASS] DKIM signature on common selector (selector: default)
At least one common DKIM selector resolves.
OWASP A07:2021 / CWE-290
robots.txt / security.txt

[PASS] robots.txt present
A robots.txt is published at /robots.txt.

[PASS] security.txt present
A security.txt is published at /.well-known/security.txt (RFC 9116).
How does your site score?
Run a free passive security audit on your own domain in seconds. All 23 checks across 9 families: HTTP headers, TLS, cookies, mixed content, server fingerprint, CVEs via NVD, CMS, mail DNS and well-known files.