Website Health Check
Scanned 23/03/2026
HTTPS & TLS
A+ (100%)
TLS 1.2 is supported.
TLS 1.3 is supported (latest version, best performance).
TLS 1.0 is disabled (deprecated protocol correctly rejected).
TLS 1.1 is disabled (deprecated protocol correctly rejected).
Valid SSL certificate from Let's Encrypt - E8, expires in 73 days.
Security Headers
F (8%)
HSTS header is missing. Browsers may allow HTTP connections, and a first visit over plain HTTP can be intercepted before the redirect to HTTPS.
X-Content-Type-Options header is missing. Browser may MIME-sniff responses.
X-Frame-Options header is missing. Page may be embedded in iframes (clickjacking risk). A Content-Security-Policy frame-ancestors directive also satisfies this check and takes precedence over X-Frame-Options in browsers that support both.
Referrer-Policy header is missing. Full URLs may be sent in referrer headers. Chrome and Firefox now default to strict-origin-when-cross-origin, so setting the header explicitly mainly removes the dependence on browser defaults.
Cache-Control header is missing. Sensitive responses may be cached by intermediaries. This matters for responses carrying per-user data; public pages behind a CDN are cached by design, and no Set-Cookie headers were seen on the scanned URL, so there is no evidence of session-bound content here.
Cross-Origin-Embedder-Policy header is missing. Site cannot enable cross-origin isolation.
Cross-Origin-Opener-Policy header is missing. Page may be accessed by cross-origin windows.
Cross-Origin-Resource-Policy header is missing. Resources may be loaded by any origin.
No Access-Control-Allow-Origin header present. Cross-origin requests are restricted by default (the same-origin policy blocks cross-origin reads of the response); this is the secure default, not a finding.
No Set-Cookie headers found on the scanned URL, so cookie attributes (Secure, HttpOnly, SameSite) could not be assessed.
Content Security Policy
F (0%)
No Content-Security-Policy header found. The site has no XSS mitigation via CSP.
No CSP header to check for unsafe-inline.
No CSP header to check for unsafe-eval.
Permissions Policy
F (0%)
No Permissions-Policy or Feature-Policy header found. Browser features like camera, microphone, and geolocation are unrestricted.
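The three header sections above are the kind of checks a practitioner would script before and after a configuration change. The following is an added example, not the scanner's own code: it audits a response header set offline for the same findings (HSTS, nosniff, framing, Referrer-Policy, CSP unsafe-inline/unsafe-eval, Permissions-Policy). SAMPLE_HEADERS is a constructed response for illustration; in practice populate the dict from `curl -sI` or `requests.get(url).headers`.

```python
"""Offline audit of an HTTP response header set (added example, not the scanner's code)."""
import re

# Constructed sample response (assumption, not the scanned site's headers).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split a CSP string into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_hsts(headers, min_age=31536000):
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return "HSTS header is missing"
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match or int(match.group(1)) < min_age:
        return "HSTS max-age below one year"
    if "includesubdomains" not in value.lower():
        return "HSTS present but without includeSubDomains"
    return "ok"


def check_framing(headers):
    """Clickjacking: CSP frame-ancestors wins over X-Frame-Options when both exist."""
    csp = _get(headers, "Content-Security-Policy")
    if csp and "frame-ancestors" in parse_csp(csp):
        return "ok"
    xfo = _get(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok"
    return "no framing restriction (clickjacking risk)"


def check_csp(headers):
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        return ["No Content-Security-Policy header found"]
    policy = parse_csp(csp)
    issues = []
    # script-src falls back to default-src when absent.
    script_src = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        issues.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script_src:
        issues.append("script-src allows 'unsafe-eval'")
    if "object-src" not in policy and "default-src" not in policy:
        issues.append("no object-src and no default-src fallback")
    return issues or ["ok"]


def check_present(headers, name, expected=None):
    value = _get(headers, name)
    if value is None:
        return f"{name} header is missing"
    if expected is not None and value.strip().lower() != expected:
        return f"{name} has unexpected value {value!r}"
    return "ok"


def audit(headers):
    """Return one finding per check; 'ok' means the check passed."""
    return {
        "hsts": check_hsts(headers),
        "nosniff": check_present(headers, "X-Content-Type-Options", "nosniff"),
        "framing": check_framing(headers),
        "referrer": check_present(headers, "Referrer-Policy"),
        "csp": check_csp(headers),
        "permissions": check_present(headers, "Permissions-Policy"),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HEADERS).items():
        print(f"{name:12} {finding}")
```

Run against the scanned site's real headers, an empty dict reproduces the F grades above; the constructed sample passes everything except the deliberate 'unsafe-inline' in script-src, which is the finding the CSP section would raise once a policy exists.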
Server Security
A (87%)
Server header shows "cloudflare" (CDN/platform, not a disclosure concern). It does indicate the site is proxied through Cloudflare, so response headers can be added either at the origin or at the Cloudflare edge.
Domain is not listed on any of the 3 DNS blacklists checked.
No open redirect vulnerabilities detected via common parameters.
Could not check security.txt (request failed). Verify manually that /.well-known/security.txt (the RFC 9116 location) is served over HTTPS.
No common admin or sensitive paths are publicly exposed.
Content Security
B (67%)
No mixed content detected. All resources use HTTPS.
7 of 7 external resources missing SRI: script: data:text/javascript;base64,Y29uc3QgbGF6eWxvYWRSdW5PYnNlcnZlcj0oKT0+e2NvbnN0IGxh; script: data:text/javascript;base64,dmFyIE5ldmVQcm9wZXJ0aWVzPXsiYWpheHVybCI6Imh0dHBzOi8v; script: data:text/javascript;base64,dmFyIGh0bWw9ZG9jdW1lbnQuZG9jdW1lbnRFbGVtZW50O3ZhciB0 (+4 more).
Caveat: the three listed entries are data: URIs, i.e. script embedded in the HTML document itself (the base64 prefixes decode to ordinary inline code such as "const lazyloadRunObserver=..." and "var NeveProperties={..."), not files fetched from a third-party host, so an integrity attribute adds nothing for them and this part of the finding is a false positive. The 4 unlisted entries should be reviewed individually; only scripts and stylesheets loaded from another origin benefit from SRI.
No redirects detected: URL resolves directly.
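To act on the SRI finding above (and on recommendation 6 below) a practitioner needs two things: the integrity value for a given resource, and a rule for which resources actually need one. The following is an added example, not the scanner's code. SAMPLE_SCRIPT is constructed stand-in content for a fetched third-party file, and the example URLs are assumptions.

```python
"""Compute and verify Subresource Integrity values (added example, not the scanner's code)."""
import base64
import hashlib
from urllib.parse import urlparse

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-in for the bytes of an external script (assumption).
SAMPLE_SCRIPT = b"console.log('hello from a third-party CDN');\n"


def sri_hash(data, algorithm="sha384"):
    """Return the integrity attribute value for data, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data, integrity):
    """True if any hash listed in the (space-separated) integrity value matches data.

    Browsers accept the resource if at least one listed hash matches and
    ignore tokens with unknown algorithms, so this does the same.
    """
    for token in integrity.split():
        algorithm, _, _ = token.partition("-")
        if algorithm in SRI_ALGORITHMS and sri_hash(data, algorithm) == token:
            return True
    return False


def needs_sri(src, page_origin):
    """SRI is meaningful only for subresources fetched from another origin.

    data: URIs and relative same-origin paths are part of the document or the
    site itself; flagging them as 'external resources missing SRI' is noise.
    """
    parsed = urlparse(src)
    if parsed.scheme == "data" or not parsed.netloc:
        return False
    return f"{parsed.scheme}://{parsed.netloc}" != page_origin


def script_tag(src, data):
    """Emit the <script> tag; crossorigin is required for SRI on cross-origin fetches."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    cdn_src = "https://cdn.example.net/lib.js"   # hypothetical URL
    print(needs_sri(cdn_src, "https://example.com"))
    print(script_tag(cdn_src, SAMPLE_SCRIPT))
```

Regenerate the hash whenever the upstream file changes; a stale integrity value makes the browser refuse the resource, which is the intended failure mode when a CDN serves something other than what was reviewed.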
Email Security
D (46%)
SPF record found: v=spf1 a include:customer.mailguard.com.au include:spf.protection.outlook.com include:spf-c.mailbaby...
The record is truncated in this report; retrieve the full TXT record to confirm it ends in -all (or ~all) and, since it already chains three include mechanisms that may nest further lookups, that the total stays within the 10 DNS-lookup limit of RFC 7208, beyond which receivers return a permanent error rather than a pass.
No DMARC record found. The domain has no policy for handling spoofed email. Without DMARC, SPF and DKIM results are never tied to the visible From: header, so a message that passes SPF on an unrelated envelope sender can still spoof this domain.
DKIM record found for selector: default.
DNSSEC is not enabled. DNS responses could be spoofed.
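The SPF lookup-limit and terminal-qualifier checks, and the DMARC validation behind recommendation 7, can be done statically on the record text before touching DNS. The following is an added example, not the scanner's code. Because the SPF record above is truncated, SAMPLE_SPF is a constructed record that completes it with a hypothetical include and -all; SAMPLE_DMARC and the domains in it are likewise assumptions.

```python
"""Static checks on SPF and DMARC record text (added example, not the scanner's code)."""

# Mechanisms and the redirect modifier that each cost a DNS lookup (RFC 7208 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10

# Constructed records (assumptions); the third include and -all are not from the report.
SAMPLE_SPF = ("v=spf1 a include:customer.mailguard.com.au "
              "include:spf.protection.outlook.com include:spf.example.net -all")
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def _term_name(term):
    """'include:x', 'redirect=x', 'a/24', '-all' -> 'include', 'redirect', 'a', 'all'."""
    term = term.lstrip("+-~?")
    return term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()


def spf_lookup_terms(record):
    """Count first-level lookup terms. A full check must recurse into each include,
    because nested includes count against the same limit of 10."""
    return sum(1 for term in record.split()[1:] if _term_name(term) in LOOKUP_TERMS)


def spf_all_qualifier(record):
    """Qualifier on the 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass, or None."""
    for term in record.split()[1:]:
        if _term_name(term) == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def check_spf(record):
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    issues = []
    count = spf_lookup_terms(record)
    if count > SPF_LOOKUP_LIMIT:
        issues.append(f"{count} lookup terms exceed the RFC 7208 limit of {SPF_LOOKUP_LIMIT}")
    qualifier = spf_all_qualifier(record)
    if qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    elif qualifier == "+":
        issues.append("'+all' allows any sender")
    return issues


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Validate a _dmarc TXT record; None models the 'No DMARC record found' finding."""
    if record is None:
        return ["No DMARC record found"]
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing or wrong v= tag (must be DMARC1)")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing p= tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    return issues


if __name__ == "__main__":
    print(spf_lookup_terms(SAMPLE_SPF), spf_all_qualifier(SAMPLE_SPF), check_spf(SAMPLE_SPF))
    print(check_dmarc(SAMPLE_DMARC), check_dmarc(None))
```

The usual rollout is p=none with rua= set, review the aggregate reports for legitimate sources that fail alignment, then move to quarantine and finally reject; publishing p=reject directly, as recommendation 7 suggests, is safe only once every sending service in the SPF record also signs with DKIM for this domain.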
Recommendations
- 1 [high] Add a Strict-Transport-Security header with max-age=31536000 and includeSubDomains. Send it only on HTTPS responses, confirm every subdomain is reachable over HTTPS before adding includeSubDomains, and add preload only after that has held for a while, since preload-list removal is slow. Note that in nginx an add_header inside a location block replaces, rather than extends, the add_header directives inherited from the server block.
    # nginx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Apache
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" }] }] }
- 2 [high] Implement a Content-Security-Policy header with at least default-src and script-src directives. The scan found script delivered as data: URIs, which script-src 'self' blocks, so deploy the policy first as Content-Security-Policy-Report-Only with a report-to or report-uri endpoint and tighten it from the reports; allowing data: in script-src is not a fix, since it permits attacker-controlled script just as 'unsafe-inline' does. The nginx and Apache snippets below allow inline styles while the Vercel one does not; pick one policy deliberately. Add frame-ancestors to cover clickjacking (it supersedes X-Frame-Options) and base-uri 'self' and object-src 'none' to close the common bypasses.
    # nginx
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;

    # Apache
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Content-Security-Policy", "value": "default-src 'self'; script-src 'self'" }] }] }
- 3 [medium] Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
    # nginx
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

    # Apache
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), payment=()" }] }] }
- 4 [medium] Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking. Keep it alongside a CSP frame-ancestors directive; X-Frame-Options covers older browsers, frame-ancestors wins where both are understood.
    # nginx
    add_header X-Frame-Options "DENY" always;

    # Apache
    Header always set X-Frame-Options "DENY"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "X-Frame-Options", "value": "DENY" }] }] }
- 5 [medium] Set Referrer-Policy to strict-origin-when-cross-origin or stricter.
    # nginx
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Apache
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }] }] }
- 6 [medium] Add integrity attributes to external scripts and stylesheets to prevent supply chain attacks. This applies to resources fetched from other origins (together with crossorigin="anonymous"); the data: URIs listed in the Content Security section are inline code and do not need it.
- 7 [medium] Add a DMARC record with p=reject at _dmarc.yourdomain.com to block spoofed emails. Start with p=none plus a rua= reporting address, confirm from the aggregate reports that all legitimate senders pass SPF or DKIM alignment, then move to quarantine and reject.
- 8 [medium] Add Cache-Control: no-store or private to prevent sensitive pages from being cached. The snippets below apply no-store to every path, which would disable CDN caching for the whole site; scope the header to authenticated or per-user responses instead of the /(.*) pattern.
    # nginx
    add_header Cache-Control "no-store" always;

    # Apache
    Header always set Cache-Control "no-store"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Cache-Control", "value": "no-store" }] }] }
- 9 [low] Add X-Content-Type-Options: nosniff to prevent MIME-sniffing attacks.
    # nginx
    add_header X-Content-Type-Options "nosniff" always;

    # Apache
    Header always set X-Content-Type-Options "nosniff"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "X-Content-Type-Options", "value": "nosniff" }] }] }
- 10 [low] Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation. require-corp blocks every cross-origin subresource that does not opt in via CORS or Cross-Origin-Resource-Policy, so test embeds, fonts and analytics before enabling it.
- 11 [low] Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.
- 12 [low] Add a Cross-Origin-Resource-Policy: same-origin header to prevent your resources from being loaded by other origins. Use cross-origin instead for any asset that other sites are meant to embed.
- 13 [low] Enable DNSSEC to protect against DNS spoofing attacks. This requires both the DNS host to sign the zone and the registrar to publish the resulting DS record; if the zone is hosted on Cloudflare, signing is a dashboard setting and the DS record values are shown there for the registrar.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.