Scan complete · 5 May 2026
Website Health Check
Overall grade: A (80 / 100), Excellent
askarthur.au
https://askarthur.au/
1.5s scan time
31 checks performed
Category summary
HTTPS & TLS: A+ (100%), all passing
Security Headers: A (82%), labelled all passing, although the Cache-Control, CORS and Cookie checks below scored less than full marks
Content Security Policy: B (75%), needs work
Permissions Policy: C (50%), needs work
Server Security: B (74%), needs work
Content Security: A+ (100%), all passing
Email Security: D (46%), critical
HTTPS & TLS
A+ (100%)
SSL Certificate
Valid certificate issued by Let's Encrypt (intermediate R12), expires in 75 days. That is normal for a 90-day Let's Encrypt certificate; confirm automatic renewal is in place rather than renewing by hand.
5/5
TLS 1.2 Support
TLS 1.2 is supported.
10/10
TLS 1.3 Support
TLS 1.3 is supported (latest version; one-round-trip handshake and AEAD-only cipher suites).
5/5
TLS 1.0 Disabled
TLS 1.0 is disabled (deprecated protocol correctly rejected).
5/5
TLS 1.1 Disabled
TLS 1.1 is disabled (deprecated protocol correctly rejected).
5/5
Security Headers
A (82%)
Strict-Transport-Security
HSTS enabled with max-age=63072000 (two years), includeSubDomains and preload.
15/15
X-Content-Type-Options
X-Content-Type-Options is set to nosniff.
5/5
X-Frame-Options
X-Frame-Options is set to DENY.
5/5
Referrer-Policy
Referrer-Policy is set to strict-origin-when-cross-origin.
5/5
Cache-Control
Cache-Control is "public, max-age=0, must-revalidate" and includes neither no-store nor private, so shared caches may store responses that carry per-user data. For the public homepage this is harmless; it matters on authenticated responses.
1/3
Cross-Origin-Embedder-Policy
Cross-Origin-Embedder-Policy is set to credentialless.
3/3
Cross-Origin-Opener-Policy
Cross-Origin-Opener-Policy is set to same-origin.
3/3
Cross-Origin-Resource-Policy
Cross-Origin-Resource-Policy is set to same-origin.
3/3
CORS Policy
Access-Control-Allow-Origin is set to the wildcard (*): any origin can read cross-origin responses from this site. Browsers refuse to expose a wildcard response to a credentialed request, so this only reveals data that is already public, unless the same header is sent on responses that depend on cookies or other credentials.
1/3
Cookie Security
No Set-Cookie headers were found on the scanned response, so cookie attributes (Secure, HttpOnly, SameSite) could not be assessed. The 0/5 records that nothing was tested, not that a cookie is weak.
0/5
Content Security Policy
B (75%)
Content Security Policy
CSP is configured with 13 directives.
10/10
CSP unsafe-inline
CSP allows 'unsafe-inline', which weakens XSS protection: an injected inline script or event handler is allowed to run. The scanner does not report which directive carries the keyword; in script-src it defeats the policy's main purpose, in style-src it is a smaller concern. CSP Level 2+ browsers ignore 'unsafe-inline' whenever a nonce or hash source is also present in the directive, so the fix is to add nonces or hashes for the inline code and then drop the keyword.
0/5
CSP unsafe-eval
CSP does not use 'unsafe-eval'.
5/5
Permissions Policy
C (50%)
Permissions Policy
A Permissions-Policy header is present but restricts only 4 of the 7 sensitive browser features the scanner checks; the report does not list which features remain unrestricted.
5/10
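Added example, not the scanner's code and not from askarthur.au: this script re-runs the Security Headers and Permissions Policy checks above against a header set constructed from the values this report lists, so the same findings can be re-checked offline after a fix is deployed. The Permissions-Policy value and the list of seven sensitive features are assumptions, since the report only says 4 of 7 are restricted without naming them; the passing and failing thresholds mirror the report's descriptions, not a published scoring rule.

```javascript
// Added example, not the scanner's code: re-run the header findings of this
// report offline. sampleHeaders is constructed from the values the report
// lists for askarthur.au; the Permissions-Policy value is an assumption,
// because the report does not print it.
const sampleHeaders = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Cache-Control": "public, max-age=0, must-revalidate",
  "Cross-Origin-Embedder-Policy": "credentialless",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
  "Access-Control-Allow-Origin": "*",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()", // assumed
};

// Features a Permissions-Policy is expected to disable. The report says 4 of 7
// were restricted but does not list the 7, so this set is an assumption.
const SENSITIVE_FEATURES = [
  "camera", "microphone", "geolocation", "payment",
  "usb", "interest-cohort", "browsing-topics",
];

// "max-age=63072000; includeSubDomains; preload" -> {maxAge, includeSubDomains, preload}
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const d = raw.trim().toLowerCase();
    if (d.startsWith("max-age=")) out.maxAge = parseInt(d.slice(8), 10) || 0;
    else if (d === "includesubdomains") out.includeSubDomains = true;
    else if (d === "preload") out.preload = true;
  }
  return out;
}

// "camera=(), fullscreen=(self)" -> {camera: [], fullscreen: ["self"]}
// An empty allowlist means the feature is disabled for every origin.
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const item of value.split(",")) {
    const m = item.trim().match(/^([a-z-]+)=\((.*)\)$/i);
    if (!m) continue;
    const list = m[2].trim();
    policy[m[1].toLowerCase()] = list ? list.split(/\s+/) : [];
  }
  return policy;
}

// Returns one {check, ok, note} per check, following the report's descriptions.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const add = (check, ok, note) => findings.push({ check, ok, note });

  const hsts = parseHsts(h["strict-transport-security"] || "");
  add("hsts", hsts.maxAge >= 31536000, `max-age=${hsts.maxAge}, preload=${hsts.preload}`);
  add("nosniff", (h["x-content-type-options"] || "").toLowerCase() === "nosniff", "");
  add("frame-options", ["deny", "sameorigin"].includes((h["x-frame-options"] || "").toLowerCase()), "");

  const cc = (h["cache-control"] || "").toLowerCase();
  add("cache-control", /\b(no-store|private)\b/.test(cc), cc || "absent");

  const acao = h["access-control-allow-origin"];
  add("cors", acao !== "*", `ACAO=${acao || "absent"}`);

  const pp = parsePermissionsPolicy(h["permissions-policy"] || "");
  const restricted = SENSITIVE_FEATURES.filter((f) => Array.isArray(pp[f]) && pp[f].length === 0);
  const missing = SENSITIVE_FEATURES.filter((f) => !restricted.includes(f));
  add("permissions-policy", missing.length === 0,
    `restricts ${restricted.length}/${SENSITIVE_FEATURES.length}; unrestricted: ${missing.join(", ") || "none"}`);

  return findings;
}

// Names of the checks that did not pass. For the report's values this is
// ["cache-control", "cors", "permissions-policy"].
function failingChecks(headers) {
  return auditHeaders(headers).filter((f) => !f.ok).map((f) => f.check);
}

for (const f of auditHeaders(sampleHeaders)) {
  console.log(`${f.ok ? "PASS" : "FAIL"} ${f.check} ${f.note}`);
}
```

To use it against the live site, replace sampleHeaders with the response headers captured by curl -sI https://askarthur.au/; the case-insensitive lookup in auditHeaders means the capitalisation of the captured names does not matter.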
Server Security
B (74%)
Server Header Disclosure
Server header shows "Vercel" (CDN/platform name, not a version disclosure).
5/5
Domain Blacklist
Domain is not listed on any of the 3 DNS blacklists checked.
5/5
security.txt
No security.txt file found. Consider publishing one at /.well-known/security.txt (RFC 9116) so security researchers know where to report issues.
0/3
Open Redirect
No open redirect detected via common redirect parameter names. This is a probe of a few parameters on the homepage, not a review of the application's redirect handling.
5/5
Exposed Sensitive Paths
Found 1 admin path that answers requests: /admin. Check what it actually serves: a login page means the admin route is disclosed, an unauthenticated console is the critical finding the recommendations treat it as. Restrict it with authentication or an IP allowlist either way.
2/5
Content Security
A+ (100%)
Mixed Content
No mixed content detected; all resources use HTTPS.
5/5
Subresource Integrity
No external scripts or stylesheets found, so SRI is not needed.
5/5
Redirect Chain
No redirects detected; the URL resolves directly.
5/5
Email Security
D (46%)
SPF Record
SPF record found: v=spf1 include:secureserver.net -all (hard fail for any sender not covered by the secureserver.net include).
3/3
DMARC Policy
DMARC policy is "quarantine": spoofed mail that fails SPF and DKIM alignment is sent to spam rather than rejected. Consider upgrading to "reject" once DKIM is in place.
2/4
DKIM Signing
No DKIM records found for the common selectors tried. DKIM may use a custom selector not checked here; confirm by inspecting the DKIM-Signature header of a message sent from the domain, whose s= tag names the selector.
1/3
DNSSEC
DNSSEC is not enabled, so the domain's DNS answers (including the MX, SPF and DMARC records above) are unsigned and could be spoofed towards a resolver that does not validate.
0/3
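Added example, not the scanner's code and not from askarthur.au: this script parses the SPF and DMARC records behind the Email Security findings above and applies the decision rule a mail administrator would use before moving from p=quarantine to p=reject. The SPF text is the one the report printed; the DMARC record text and the empty DKIM selector list are constructed to match the report's findings, and the rua requirement is this example's own rule rather than something the report checks.

```javascript
// Added example, not the scanner's code: parse the SPF and DMARC records from
// this report and decide whether DMARC can safely move to p=reject. The SPF
// text is the one the report printed; the DMARC record text and the empty
// DKIM selector list are constructed to match the report's findings.
const sampleRecords = {
  spf: "v=spf1 include:secureserver.net -all",
  dmarc: "v=DMARC1; p=quarantine", // assumed full record; the report only states the policy
  dkimSelectorsFound: [],           // report: none of the common selectors resolved
};

// "v=spf1 include:a.example ip4:192.0.2.0/24 -all"
//   -> { mechanisms: [{qualifier, name, value}, ...], all: "-" }
function parseSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== "v=spf1") throw new Error("not an SPF record");
  const mechanisms = [];
  let all = null;
  for (const term of terms.slice(1)) {
    let qualifier = "+", body = term;
    if ("+-~?".includes(term[0])) { qualifier = term[0]; body = term.slice(1); }
    if (body.toLowerCase() === "all") { all = qualifier; continue; }
    const i = body.search(/[:=]/); // mechanisms use ":", modifiers such as redirect= use "="
    mechanisms.push({
      qualifier,
      name: (i < 0 ? body : body.slice(0, i)).toLowerCase(),
      value: i < 0 ? null : body.slice(i + 1),
    });
  }
  return { mechanisms, all };
}

// "v=DMARC1; p=quarantine; rua=mailto:x@example" -> { v, p, rua }
function parseDmarc(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  if (tags.v !== "DMARC1") throw new Error("not a DMARC record");
  return tags;
}

// Decision rule: SPF fails whenever mail is forwarded, because the forwarder's
// IP is not in the sender's SPF. With no DKIM, every forwarded message then
// fails DMARC, and p=reject would discard it. So require DKIM first, and
// require an rua address so aggregate reports show what reject would affect.
function rejectReadiness({ spf, dmarc, dkimSelectorsFound }) {
  const s = parseSpf(spf);
  const d = parseDmarc(dmarc);
  const blockers = [];
  if (s.all !== "-" && s.all !== "~") blockers.push("SPF should end in -all or ~all");
  if (dkimSelectorsFound.length === 0) blockers.push("publish DKIM and confirm a selector before p=reject");
  if (!d.rua) blockers.push("add rua= so aggregate reports show what reject would affect");
  return { currentPolicy: d.p || "none", readyForReject: blockers.length === 0, blockers };
}

console.log(rejectReadiness(sampleRecords));
```

For the report's records the result is readyForReject: false with two blockers (no DKIM selector confirmed, no rua address); the SPF part passes because the record already ends in -all. Fill dkimSelectorsFound from a dig TXT selector._domainkey.askarthur.au lookup for the selector named in a real DKIM-Signature header.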
Recommendations
- 1. critical: Restrict access to /admin and any other sensitive paths with authentication or an IP allowlist. Confirm first what /admin currently returns; the scanner only observed that the path answers requests.
- 2. medium: Extend the existing Permissions-Policy header to the sensitive features it does not yet restrict (the report counts 4 of 7 covered but does not name the missing ones). The scanner's suggested fix below disables camera, microphone, geolocation and payment; merge it with the directives the site already sends rather than replacing them.
Show fix
# nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
# Apache
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
# Vercel (vercel.json)
{
  "headers": [{
    "source": "/(.*)",
    "headers": [{
      "key": "Permissions-Policy",
      "value": "camera=(), microphone=(), geolocation=(), payment=()"
    }]
  }]
}
- 3. medium: Remove 'unsafe-inline' from the CSP and use per-response nonces or hashes for inline scripts. Add the nonces or hashes first: once a nonce or hash source is present in script-src, CSP Level 2+ browsers ignore 'unsafe-inline', so nothing breaks when the keyword is then dropped.
- 4. medium: Upgrade the existing DMARC record at _dmarc.askarthur.au from p=quarantine to p=reject. Do this after DKIM (item 8) is set up: with SPF alone, forwarded mail fails authentication and p=reject causes receivers to drop it.
- 5. medium: Send Cache-Control: no-store (or private) on responses that contain per-user or otherwise sensitive data. The scanner's fix below applies no-store to every path, which also stops CDN caching of static assets; narrow the "source" pattern to the routes that need it.
Show fix
# nginx
add_header Cache-Control "no-store" always;
# Apache
Header always set Cache-Control "no-store"
# Vercel (vercel.json)
{
  "headers": [{
    "source": "/(.*)",
    "headers": [{
      "key": "Cache-Control",
      "value": "no-store"
    }]
  }]
}
- 6. low: Enable DNSSEC: sign the zone at the DNS host and publish the DS record through the registrar.
- 7. low: Restrict Access-Control-Allow-Origin to the specific origins that need to read responses cross-origin instead of the wildcard (*), or drop the header where no cross-origin access is intended.
- 8. low: Configure DKIM signing for outgoing mail and publish the selector's public key in DNS, so receivers can verify messages and DMARC can pass on DKIM alignment when SPF breaks.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.