Website Health Check

Scanned 28/02/2026

C63/100

valiant.finance

https://get.valiant.finance/

0.4s16 checks

Twitter LinkedIn

HTTPS & TLS

A+ (100%)

TLS 1.2 Support10/10

TLS 1.2 is supported. Learn more ↗

TLS 1.3 Support5/5

TLS 1.3 is supported (latest version, best performance). Learn more ↗

TLS 1.0 Disabled5/5

TLS 1.0 is disabled (deprecated protocol correctly rejected). Learn more ↗

TLS 1.1 Disabled5/5

TLS 1.1 is disabled (deprecated protocol correctly rejected). Learn more ↗

SSL Certificate5/5

Valid SSL certificate from Let's Encrypt - E7, expires in 42 days. Learn more ↗

Security Headers

F (33%)

Strict-Transport-Security0/15

HSTS header is missing. Browsers may allow HTTP connections. Learn more ↗

X-Content-Type-Options5/5

X-Content-Type-Options is set to nosniff. Learn more ↗

X-Frame-Options0/5

X-Frame-Options header is missing. Page may be embedded in iframes (clickjacking risk). Learn more ↗

Referrer-Policy5/5

Referrer-Policy is set to strict-origin-when-cross-origin. Learn more ↗

Content Security Policy

C (50%)

Content Security Policy10/10

CSP is configured with 1 directive. Learn more ↗

CSP unsafe-inline0/5

CSP allows 'unsafe-inline' which weakens XSS protection. Learn more ↗

CSP unsafe-eval0/5

CSP allows 'unsafe-eval' which permits arbitrary code execution via eval(). Learn more ↗

Permissions Policy

F (0%)

Permissions Policy0/10

No Permissions-Policy or Feature-Policy header found. Browser features like camera, microphone, and geolocation are unrestricted. Learn more ↗

Server Security

A+ (100%)

Server Header Disclosure5/5

Server header shows "cloudflare" (CDN/platform, not a disclosure concern). Learn more ↗

Exposed Sensitive Paths5/5

No common admin or sensitive paths are publicly exposed. Learn more ↗

Content Security

A+ (100%)

Mixed Content5/5

No mixed content detected. All resources use HTTPS. Learn more ↗

Recommendations

1
mediumAdd a Strict-Transport-Security header with max-age=31536000 and includeSubDomains.
2
mediumAdd a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
3
mediumAdd X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking.
4
mediumRemove 'unsafe-eval' from CSP to prevent dynamic code execution via eval().
5
mediumRemove 'unsafe-inline' from CSP and use nonces or hashes for inline scripts.

This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.