Scan complete · 1 May 2026
Website Health Check
Target: telstra.com (https://dev.telstra.com/)
Overall grade: D (46 / 100) · Poor
2.4s scan time · 31 checks performed
Category summary
HTTPS & TLS · A+ (100%) · All passing
Security Headers · F (8%) · Critical
Content Security Policy · F (0%) · Critical
Permissions Policy · F (0%) · Critical
Server Security · B (70%) · Needs work
Content Security · A+ (100%) · All passing
Email Security · C (62%) · Needs work

HTTPS & TLS · A+ (100%)
SSL Certificate · 5/5
Valid certificate issued by DigiCert Inc (DigiCert Global G2 TLS RSA SHA256 2020 CA1); expires in 239 days.
TLS 1.2 Support · 10/10
TLS 1.2 is supported.
TLS 1.3 Support · 5/5
TLS 1.3 is supported (current version: 1-RTT handshake, AEAD-only cipher suites, encrypted certificate exchange).
TLS 1.0 Disabled · 5/5
TLS 1.0 is disabled; the deprecated protocol is correctly rejected.
TLS 1.1 Disabled · 5/5
TLS 1.1 is disabled; the deprecated protocol is correctly rejected.
Security Headers · F (8%)
Strict-Transport-Security · 0/15
HSTS header is missing. Browsers will not upgrade plain-HTTP requests to HTTPS for this host, so a first visit or a typed http:// URL can be intercepted and downgraded.
X-Content-Type-Options · 0/5
Header is missing. Browsers may MIME-sniff responses and treat content served with the wrong Content-Type as script or style.
X-Frame-Options · 0/5
Header is missing, and with no CSP there is no frame-ancestors directive either, so the page can be embedded in a cross-origin iframe (clickjacking risk).
Referrer-Policy · 0/5
Header is missing. Current browsers default to strict-origin-when-cross-origin, but older browsers and some embedded user agents may send the full URL (path and query string) in the Referer header.
Cache-Control · 1/3
Cache-Control is "no-cache" without no-store or private. no-cache only forces revalidation before reuse; the response can still be written to shared caches and to disk, so sensitive pages may be cached.
Cross-Origin-Embedder-Policy · 0/3
Header is missing. The page cannot opt into cross-origin isolation (required for SharedArrayBuffer and high-resolution timers).
Cross-Origin-Opener-Policy · 0/3
Header is missing. A cross-origin window that opens this page keeps a handle to it (window.opener, postMessage, frame counting).
Cross-Origin-Resource-Policy · 0/3
Header is missing. Any origin can load this site's resources with no-cors requests (<img>, <script>, <link> and similar).
CORS Policy · 3/3
No Access-Control-Allow-Origin header. Cross-origin scripts cannot read responses from this origin, which is the safe default.
Cookie Security · 0/5
No Set-Cookie headers were observed on the scanned response, so cookie attributes (Secure, HttpOnly, SameSite) could not be assessed.
Content Security Policy · F (0%)
Content Security Policy · 0/10
No Content-Security-Policy header found. The site has no CSP-based mitigation for XSS, injected frames or clickjacking.
CSP unsafe-inline · 0/5
Not assessable: there is no CSP header to check for 'unsafe-inline'.
CSP unsafe-eval · 0/5
Not assessable: there is no CSP header to check for 'unsafe-eval'.
Permissions Policy · F (0%)
Permissions Policy · 0/10
No Permissions-Policy (or legacy Feature-Policy) header found. Powerful browser features such as camera, microphone and geolocation are left at their browser defaults rather than explicitly disabled for this document and the frames it embeds.
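The three header sections above can be re-checked from a single captured response head without any scanner. The script below is an added example, not the scanner's code and not Telstra's: it parses a raw HTTP head, evaluates the same criteria the report scores (HSTS max-age and includeSubDomains, nosniff, framing via X-Frame-Options or CSP frame-ancestors, Referrer-Policy, Cache-Control no-store/private, CSP with 'unsafe-inline'/'unsafe-eval' in the effective script sources, and presence of Permissions-Policy and the three Cross-Origin-* headers). The two response heads are constructed fixtures: OBSERVED_HEAD mirrors the findings in this report, HARDENED_HEAD is what the recommendations ask for.

```python
"""Re-run the report's response-header checks against a captured HTTP head.

Added example (not the scanner's or Telstra's code). Both response heads are
constructed fixtures, not live captures.
"""
import re
from typing import Dict, List, Tuple

OBSERVED_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: AmazonS3\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

HARDENED_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: AmazonS3\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-store\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self'; "
    b"style-src 'self' 'unsafe-inline'; frame-ancestors 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Referrer-Policy: strict-origin-when-cross-origin\r\n"
    b"Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()\r\n"
    b"Cross-Origin-Opener-Policy: same-origin\r\n"
    b"Cross-Origin-Embedder-Policy: require-corp\r\n"
    b"Cross-Origin-Resource-Policy: same-origin\r\n"
    b"\r\n"
)

ONE_YEAR = 31536000


def parse_head(raw: bytes) -> Dict[str, str]:
    """Lower-cased header name -> value. Skips the status line, stops at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}"""
    out: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return out


def audit(h: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Check name -> (passed, note), following the criteria this report scores."""
    r: Dict[str, Tuple[bool, str]] = {}

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    age = int(m.group(1)) if m else 0
    subs = "includesubdomains" in hsts.lower()
    r["hsts"] = (age >= ONE_YEAR and subs, f"max-age={age} includeSubDomains={subs}")

    xcto = h.get("x-content-type-options", "")
    r["x-content-type-options"] = (xcto.lower() == "nosniff", xcto or "missing")

    # Either header stops framing; CSP frame-ancestors is the modern one.
    csp = csp_directives(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()
    framed_ok = xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp
    r["clickjacking"] = (framed_ok, f"X-Frame-Options={xfo or 'missing'}")

    rp = h.get("referrer-policy", "").lower()
    r["referrer-policy"] = (rp not in ("", "unsafe-url", "no-referrer-when-downgrade"), rp or "missing")

    cc = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    r["cache-control"] = (bool(cc & {"no-store", "private"}), h.get("cache-control", "missing"))

    # script-src falls back to default-src when absent; style-src 'unsafe-inline'
    # is not penalised here, matching the fix this report proposes.
    scripts = csp.get("script-src", csp.get("default-src", []))
    unsafe = {"'unsafe-inline'", "'unsafe-eval'"} & set(scripts)
    r["csp"] = (bool(csp) and not unsafe, f"script sources={scripts}" if csp else "missing")

    for name in ("permissions-policy", "cross-origin-opener-policy",
                 "cross-origin-embedder-policy", "cross-origin-resource-policy"):
        r[name] = (name in h, h.get(name, "missing"))
    return r


def failing_checks(raw: bytes) -> List[str]:
    """Names of the checks a response head fails, sorted for stable output."""
    return sorted(name for name, (ok, _) in audit(parse_head(raw)).items() if not ok)


if __name__ == "__main__":
    for label, head in (("observed", OBSERVED_HEAD), ("hardened", HARDENED_HEAD)):
        print(f"{label}: failing {failing_checks(head)}")
```

To run it against the live host, capture the head with `curl -sI https://dev.telstra.com/` and feed the bytes to `failing_checks`. Check the response for the document itself, not only a redirect or an asset: HSTS and CSP are applied per response, and a CDN or S3 origin may serve different headers for different path types.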
Server Security · B (70%)
Server Header Disclosure · 5/5
Server header is "AmazonS3": it names the hosting platform, not a software version, so it is not a disclosure concern.
Domain Blacklist · 5/5
Domain is not listed on any of the 3 DNS blacklists checked.
Open Redirect · 5/5
No open redirect detected via common redirect parameters.
Exposed Sensitive Paths · 0/5
Critical: /.git/HEAD, /server-status, /.git/config, /actuator, /phpinfo.php, /elmah.axd and /.env were reported as publicly accessible (information disclosure risk). Also found: /admin, /wp-login.php, /wp-admin.
Caveat before acting on this: the Server header says the origin is Amazon S3, and S3 static-site hosting (like most single-page-app deployments) commonly answers every unknown path with 200 and the index document, which makes a status-code probe flag every path it tries. The list itself points the same way: a PHP phpinfo page, a Spring Boot actuator, an ASP.NET ELMAH log, an Apache status page and WordPress admin paths rarely coexist on one host. Confirm each path by inspecting the body rather than the status: a real /.git/HEAD begins with "ref: refs/heads/", a real /.git/config with "[core]", a real /actuator with a JSON "_links" object; a response identical to what an arbitrary nonexistent path returns is a false positive. Anything that does check out is a genuine critical finding and should be removed from the bucket, not merely hidden behind an allowlist.
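The following script is an added example (not the scanner's code and not Telstra's) of the triage the caveat above asks for: instead of trusting a 200 status, it compares each response with a baseline fetched from a random nonexistent path, then looks for the artefact's own signature in the body. Every response in it is a constructed fixture chosen to exercise each branch; nothing is fetched from any host, and the signatures are the ordinary leading content of each artefact type.

```python
"""Triage an "exposed sensitive paths" finding by content, not by status code.

Added example (not the scanner's or Telstra's code). All responses below are
constructed fixtures; nothing is fetched from a live host.
"""
import hashlib
import re
from typing import Dict, Tuple

Response = Tuple[int, str, bytes]  # (status code, Content-Type, body)

# Leading content a genuine copy of each artefact carries, anchored so an
# HTML fallback page never matches.
SIGNATURES: Dict[str, re.Pattern] = {
    "/.git/HEAD": re.compile(rb"\A(ref: refs/heads/\S+|[0-9a-f]{40})\s*\Z"),
    "/.git/config": re.compile(rb"^\[core\]", re.M),
    "/.env": re.compile(rb"^[A-Za-z_][A-Za-z0-9_]*=", re.M),
    "/phpinfo.php": re.compile(rb"<title>phpinfo\(\)</title>|PHP Version", re.I),
    "/server-status": re.compile(rb"Apache Server Status", re.I),
    "/actuator": re.compile(rb'"_links"\s*:'),
    "/elmah.axd": re.compile(rb"Error Log for", re.I),
}


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def classify(path: str, resp: Response, baseline: Response) -> str:
    """One of: not-exposed, false-positive, confirmed, unconfirmed."""
    status, _ctype, body = resp
    if status != 200:
        return "not-exposed"
    b_status, _, b_body = baseline
    # Byte-identical to what a made-up path returns: the catch-all page, not the artefact.
    if b_status == 200 and digest(body) == digest(b_body):
        return "false-positive"
    sig = SIGNATURES.get(path)
    if sig is not None and sig.search(body):
        return "confirmed"
    # Something other than the catch-all, but without the expected signature
    # (e.g. a generic login form at /admin): a human has to look.
    return "unconfirmed"


def triage(responses: Dict[str, Response], baseline: Response) -> Dict[str, str]:
    return {path: classify(path, resp, baseline) for path, resp in responses.items()}


# Constructed fixtures covering each branch (not captured from any host).
INDEX_HTML = (b"<!doctype html><html><head><title>Developer Portal</title></head>"
              b"<body><div id=app></div></body></html>")
BASELINE: Response = (200, "text/html", INDEX_HTML)  # GET /does-not-exist-1f9c4e
FIXTURES: Dict[str, Response] = {
    "/.git/HEAD": (200, "text/html", INDEX_HTML),    # catch-all page, not a repo
    "/.env": (200, "text/html", INDEX_HTML),
    "/phpinfo.php": (200, "text/html", INDEX_HTML),
    "/.git/config": (200, "text/plain", b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    "/actuator": (200, "application/json", b'{"_links":{"self":{"href":"/actuator"}}}'),
    "/server-status": (403, "text/html", b"<html><body>Forbidden</body></html>"),
    "/admin": (200, "text/html", b"<html><body><form method=post><input name=password></form></body></html>"),
}


if __name__ == "__main__":
    for path, verdict in triage(FIXTURES, BASELINE).items():
        print(f"{verdict:15} {path}")
```

Against a live host, take the baseline first (for example `curl -si "https://dev.telstra.com/does-not-exist-$RANDOM"`) and then fetch each flagged path the same way; the hash comparison is what separates a catch-all page from a real exposure, and the signature check is what separates a real exposure from an unrelated page that happens to live at a well-known path.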
security.txt · 1/3
security.txt exists but lacks the Contact: field that RFC 9116 requires (the RFC also requires an Expires: field; check that one at the same time).
Content Security · A+ (100%)
Mixed Content · 5/5
No mixed content detected; all resources load over HTTPS.
Subresource Integrity · 5/5
No external scripts or stylesheets found, so SRI is not applicable. If third-party scripts are added later, pin them with an integrity attribute.
Redirect Chain · 5/5
No redirects detected; the URL resolves directly.
Email Security · C (62%)
DNSSEC · 0/3
DNSSEC is not enabled for the zone, so DNS answers (including the SPF and DMARC records below) can be spoofed by an on-path attacker.
SPF Record · 3/3
SPF record found: v=spf1 include:bigpond.com include:_spf.telstra.com.au include:_spf.ssoneweb.telstra.com ~all
The ~all qualifier is softfail; with DMARC p=reject in place receivers still reject unaligned mail, so this is acceptable. The three include: mechanisms and anything they pull in count toward SPF's limit of 10 DNS lookups.
DMARC Policy · 4/4
DMARC policy is p=reject: mail that fails both SPF and DKIM alignment is rejected by participating receivers.
DKIM Signing · 1/3
No DKIM records found under the common selectors probed. Selectors are chosen by the sender and published at <selector>._domainkey.<domain>, so a custom selector would not be detected here; verify against the s= tag in the DKIM-Signature header of an actual outbound message.
Recommendations

Platform note: the fixes below are given for nginx, Apache and Vercel. This host is served from Amazon S3, which cannot attach arbitrary response headers by itself; put CloudFront in front of the bucket and set the headers with a response headers policy (it has built-in settings for Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and Referrer-Policy, and custom headers for the rest). On nginx, add_header directives in a location block replace, rather than extend, those inherited from the server block, so declare the full set at every level that uses add_header.

1. [critical] Restrict access to admin and sensitive paths using IP allowlists or authentication. First confirm which of the flagged paths actually serve the artefact rather than the site's catch-all page (see the Exposed Sensitive Paths finding above); remove any genuine .git, .env or diagnostic endpoints from the deployed content rather than merely gating them.

2. [high] Add a Strict-Transport-Security header with max-age=31536000 and includeSubDomains.
   # nginx
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
   # Apache
   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" }]
     }]
   }
   Browsers only honour HSTS on HTTPS responses, and includeSubDomains locks every subdomain of this host to HTTPS for a year, so check that all of them serve valid certificates first.

3. [high] Implement a Content-Security-Policy header with at least default-src and script-src directives.
   # nginx
   add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
   # Apache
   Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Content-Security-Policy", "value": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" }]
     }]
   }
   Deploy it as Content-Security-Policy-Report-Only first and review the violation reports before enforcing; the 'unsafe-inline' in style-src is a concession for inline styles and should be dropped once they are moved to stylesheets.

4. [medium] Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
   # nginx
   add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
   # Apache
   Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), payment=()" }]
     }]
   }

5. [medium] Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking.
   # nginx
   add_header X-Frame-Options "DENY" always;
   # Apache
   Header always set X-Frame-Options "DENY"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "X-Frame-Options", "value": "DENY" }]
     }]
   }
   Once a CSP is in place, frame-ancestors 'none' expresses the same thing and takes precedence in browsers that support it; keep X-Frame-Options for older ones.

6. [medium] Set Referrer-Policy to strict-origin-when-cross-origin or stricter.
   # nginx
   add_header Referrer-Policy "strict-origin-when-cross-origin" always;
   # Apache
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }]
     }]
   }

7. [medium] Add Cache-Control: no-store or private to prevent sensitive pages from being cached.
   # nginx
   add_header Cache-Control "no-store" always;
   # Apache
   Header always set Cache-Control "no-store"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Cache-Control", "value": "no-store" }]
     }]
   }
   Scope this to responses that actually carry sensitive data (a location block or a narrower source pattern); a site-wide no-store on a static portal defeats CDN and browser caching for every asset.

8. [low] Add X-Content-Type-Options: nosniff to prevent MIME-sniffing attacks.
   # nginx
   add_header X-Content-Type-Options "nosniff" always;
   # Apache
   Header always set X-Content-Type-Options "nosniff"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "X-Content-Type-Options", "value": "nosniff" }]
     }]
   }

9. [low] Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation. Test first: require-corp blocks every cross-origin subresource that does not itself send CORP or CORS headers.

10. [low] Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.

11. [low] Add a Cross-Origin-Resource-Policy: same-origin header to prevent your resources from being loaded by other origins.

12. [low] Enable DNSSEC to protect against DNS spoofing attacks.

13. [low] Configure DKIM signing for your email to authenticate outgoing messages.

14. [low] security.txt is already present (see the Server Security finding above); add the Contact: field that RFC 9116 requires, with a mailto: or https: URL for security researchers, and an Expires: field.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.