Website Health Check
Scanned 23/03/2026
HTTPS & TLS
A (83%)TLS 1.2 is supported. Learn more ↗
TLS 1.3 is not supported. Consider upgrading for better security and performance. Learn more ↗
TLS 1.0 is disabled (deprecated protocol correctly rejected). Learn more ↗
TLS 1.1 is disabled (deprecated protocol correctly rejected). Learn more ↗
Valid SSL certificate from DigiCert Inc - DigiCert EV RSA CA G2, expires in 123 days. Learn more ↗
Security Headers
B (68%)HSTS enabled with max-age=31536000, includeSubDomains, preload. Learn more ↗
X-Content-Type-Options is set to nosniff. Learn more ↗
X-Frame-Options is set to SAMEORIGIN. Learn more ↗
Referrer-Policy header is missing. Full URLs may be sent in referrer headers. Learn more ↗
Cache-Control is "max-age=60" but does not include no-store or private. Sensitive pages may be cached. Learn more ↗
Cross-Origin-Embedder-Policy header is missing. Site cannot enable cross-origin isolation. Learn more ↗
Cross-Origin-Opener-Policy header is missing. Page may be accessed by cross-origin windows. Learn more ↗
Cross-Origin-Resource-Policy header is missing. Resources may be loaded by any origin. Learn more ↗
No Access-Control-Allow-Origin header present. Cross-origin requests are restricted by default. Learn more ↗
All 1 cookie have Secure, HttpOnly, and SameSite flags. Learn more ↗
Content Security Policy
F (0%)No Content-Security-Policy header found. The site has no XSS mitigation via CSP. Learn more ↗
No CSP header to check for unsafe-inline. Learn more ↗
No CSP header to check for unsafe-eval. Learn more ↗
Permissions Policy
F (0%)No Permissions-Policy or Feature-Policy header found. Browser features like camera, microphone, and geolocation are unrestricted. Learn more ↗
Server Security
A (87%)Server header shows "cloudflare" (CDN/platform, not a disclosure concern). Learn more ↗
Domain is not listed on any of the 3 DNS blacklists checked. Learn more ↗
No security.txt file found. Consider adding one for security researchers. Learn more ↗
No common admin or sensitive paths are publicly exposed. Learn more ↗
No open redirect vulnerabilities detected via common parameters. Learn more ↗
Content Security
C (53%)No mixed content detected. All resources use HTTPS. Learn more ↗
2 of 2 external resources missing SRI: script: https://rum.hlx.page/.rum/@adobe/helix-rum-js@%5E2/dist/rum-standalone.js; script: https://assets.commbank.com.au/s7viewers/libs/responsive_image.js. Learn more ↗
1 redirect across 2 domains. Moderate redirect chain. Learn more ↗
Email Security
B (77%)SPF record found: v=spf1 include:spf1.cba.com.au include:spf2.cba.com.au ip4:144.49.240.0/21 include:spf.protection.ou... Learn more ↗
DMARC policy set to "reject" — spoofed emails will be rejected. Learn more ↗
DKIM record found for selector: selector1. Learn more ↗
DNSSEC is not enabled. DNS responses could be spoofed. Learn more ↗
Recommendations
- 1medium{"text":"Implement a Content-Security-Policy header with at least default-src and script-src directives.","severity":"high","snippet":"# nginx\nadd_header Content-Security-Policy \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'\" always;\n\n# Apache\nHeader always set Content-Security-Policy \"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'\"\n\n# Vercel (vercel.json)\n{ \"headers\": [{ \"source\": \"/(.*)\", \"headers\": [{ \"key\": \"Content-Security-Policy\", \"value\": \"default-src 'self'; script-src 'self'\" }] }] }"}
- 2medium{"text":"Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.","severity":"medium","snippet":"# nginx\nadd_header Permissions-Policy \"camera=(), microphone=(), geolocation=(), payment=()\" always;\n\n# Apache\nHeader always set Permissions-Policy \"camera=(), microphone=(), geolocation=(), payment=()\"\n\n# Vercel (vercel.json)\n{ \"headers\": [{ \"source\": \"/(.*)\", \"headers\": [{ \"key\": \"Permissions-Policy\", \"value\": \"camera=(), microphone=(), geolocation=(), payment=()\" }] }] }"}
- 3medium{"text":"Set Referrer-Policy to strict-origin-when-cross-origin or stricter.","severity":"medium","snippet":"# nginx\nadd_header Referrer-Policy \"strict-origin-when-cross-origin\" always;\n\n# Apache\nHeader always set Referrer-Policy \"strict-origin-when-cross-origin\"\n\n# Vercel (vercel.json)\n{ \"headers\": [{ \"source\": \"/(.*)\", \"headers\": [{ \"key\": \"Referrer-Policy\", \"value\": \"strict-origin-when-cross-origin\" }] }] }"}
- 4medium{"text":"Add integrity attributes to external scripts and stylesheets to prevent supply chain attacks.","severity":"medium"}
- 5medium{"text":"Add Cache-Control: no-store or private to prevent sensitive pages from being cached.","severity":"medium","snippet":"# nginx\nadd_header Cache-Control \"no-store\" always;\n\n# Apache\nHeader always set Cache-Control \"no-store\"\n\n# Vercel (vercel.json)\n{ \"headers\": [{ \"source\": \"/(.*)\", \"headers\": [{ \"key\": \"Cache-Control\", \"value\": \"no-store\" }] }] }"}
- 6medium{"text":"Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation.","severity":"low"}
- 7medium{"text":"Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.","severity":"low"}
- 8medium{"text":"Add a Cross-Origin-Resource-Policy: same-origin header to prevent your resources from being loaded by other origins.","severity":"low"}
- 9medium{"text":"Enable DNSSEC to protect against DNS spoofing attacks.","severity":"low"}
- 10medium{"text":"Enable TLS 1.3 for improved security and performance.","severity":"low"}
- 11medium{"text":"Reduce the number of redirects in your URL chain. Excessive redirects slow page loads and may indicate URL obfuscation.","severity":"low"}
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.