Website Health Check
Scanned 28/02/2026
HTTPS & TLS
Grade: A+ (100%)
Valid SSL certificate from Amazon - Amazon RSA 2048 M01, expires in 343 days.
TLS 1.2 is supported.
TLS 1.3 is supported (latest version, best performance).
TLS 1.0 is disabled (deprecated protocol correctly rejected).
TLS 1.1 is disabled (deprecated protocol correctly rejected).
Security Headers
Grade: C (50%)
HSTS header is missing. Browsers may allow HTTP connections.
X-Content-Type-Options is set to nosniff.
X-Frame-Options is set to SAMEORIGIN.
Referrer-Policy is set to strict-origin-when-cross-origin.
Content Security Policy
Grade: F (0%)
No Content-Security-Policy header found. The site has no XSS mitigation via CSP.
No CSP header to check for unsafe-inline.
No CSP header to check for unsafe-eval.
Permissions Policy
Grade: C (50%)
Permissions-Policy only restricts 3/7 sensitive features.
Server Security
Grade: C (50%)
Server header discloses "Apache/2.4.54 (Debian)" including version number. Attackers can target known vulnerabilities for this version.
No common admin or sensitive paths are publicly exposed.
Content Security
Grade: A+ (100%)
No mixed content detected. All resources use HTTPS.
Recommendations
- 1 (medium): Add a Strict-Transport-Security header with max-age=31536000 and includeSubDomains.
- 2 (medium): Implement a Content-Security-Policy header with at least default-src and script-src directives.
- 3 (medium): Remove or hide the Server header to prevent version disclosure.
- 4 (medium): Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.