Scan complete · 14 Apr 2026
Website Health Check
facebook.com (https://www.facebook.com/)
Overall grade: B (72 / 100), above average
1.5s scan time, 31 checks performed
Category summary
- HTTPS & TLS: A (93%), all passing
- Security Headers: C (56%), needs work
- Content Security Policy: C (50%), needs work
- Permissions Policy: A+ (100%), all passing
- Server Security: B (78%), needs work
- Content Security: C (53%), needs work
- Email Security: B (77%), needs work

HTTPS & TLS: A (93%)
- SSL Certificate (3/5): SSL certificate expires in 7 days. Renew soon.
- TLS 1.2 Support (10/10): TLS 1.2 is supported.
- TLS 1.3 Support (5/5): TLS 1.3 is supported (latest version, best performance).
- TLS 1.0 Disabled (5/5): TLS 1.0 is disabled (deprecated protocol correctly rejected).
- TLS 1.1 Disabled (5/5): TLS 1.1 is disabled (deprecated protocol correctly rejected).
Security Headers: C (56%)
- Strict-Transport-Security (7/15): HSTS configured but max-age is 15552000 (recommended: 31536000+), missing includeSubDomains.
- X-Content-Type-Options (5/5): X-Content-Type-Options is set to nosniff.
- X-Frame-Options (5/5): X-Frame-Options is set to DENY.
- Referrer-Policy (0/5): Referrer-Policy header is missing. Full URLs may be sent in referrer headers.
- Cache-Control (3/3): Cache-Control is set to "private, no-cache, no-store, must-revalidate".
- Cross-Origin-Embedder-Policy (0/3): Cross-Origin-Embedder-Policy header is missing. Site cannot enable cross-origin isolation.
- Cross-Origin-Opener-Policy (0/3): Cross-Origin-Opener-Policy is set to "unsafe-none" (expected: same-origin).
- Cross-Origin-Resource-Policy (3/3): Cross-Origin-Resource-Policy is set to same-origin.
- CORS Policy (3/3): No Access-Control-Allow-Origin header present. Cross-origin requests are restricted by default.
- Cookie Security (2/5): Some cookies missing flags: "fr" missing SameSite; "sb" missing SameSite.
Content Security Policy: C (50%)
- Content Security Policy (10/10): CSP is configured with 14 directives.
- CSP unsafe-inline (0/5): CSP allows 'unsafe-inline', which weakens XSS protection.
- CSP unsafe-eval (0/5): CSP allows 'unsafe-eval', which permits arbitrary code execution via eval().
Permissions Policy: A+ (100%)
- Permissions Policy (10/10): Permissions-Policy restricts 7/7 sensitive features.
Server Security: B (78%)
- Server Header Disclosure (5/5): No Server header present (good — no server information disclosed).
- Domain Blacklist (5/5): Domain is not listed on any of the 3 DNS blacklists checked.
- security.txt (3/3): security.txt found with Contact and Expires fields (RFC 9116 compliant).
- Open Redirect (5/5): No open redirect vulnerabilities detected via common parameters.
- Exposed Sensitive Paths (0/5): Critical: /phpinfo.php, /actuator, /elmah.axd, /.env, /server-status are publicly accessible (information disclosure risk). Also found: /admin, /wp-login.php, /wp-admin.
Content Security: C (53%)
- Mixed Content (5/5): No mixed content detected. All resources use HTTPS.
- Subresource Integrity (0/5): 53 of 53 external resources missing SRI: script: data:application/x-javascript; charset=utf-8;base64,Oy8qRkJfUEtHX0RFTElNKi8KCnZh; script: data:application/x-javascript; charset=utf-8;base64,Oy8qRkJfUEtHX0RFTElNKi8KCl9f; script: data:application/x-javascript; charset=utf-8;base64,Oy8qRkJfUEtHX0RFTElNKi8KCl9i (+50 more).
- Redirect Chain (3/5): 1 redirect across 2 domains. Moderate redirect chain.
Email Security: B (77%)
- SPF Record (3/3): SPF record found: v=spf1 redirect=_spf.facebook.com
- DMARC Policy (4/4): DMARC policy set to "reject" — spoofed emails will be rejected.
- DKIM Signing (3/3): DKIM record found for selector: default.
- DNSSEC (0/3): DNSSEC is not enabled. DNS responses could be spoofed.
Recommendations
- 1 (critical): Restrict access to admin and sensitive paths using IP allowlists or authentication.
- 2 (critical): Install a valid SSL certificate and ensure it is not expired.
- 3 (high): Remove 'unsafe-eval' from CSP to prevent dynamic code execution via eval().
- 4 (high): Add a Strict-Transport-Security header with max-age=31536000 and includeSubDomains.
  Fix:
    # nginx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Apache
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" }] }] }
- 5 (high): Set Secure, HttpOnly, and SameSite flags on all cookies, especially session cookies.
- 6 (medium): Set Referrer-Policy to strict-origin-when-cross-origin or stricter.
  Fix:
    # nginx
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Apache
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }] }] }
- 7 (medium): Add integrity attributes to external scripts and stylesheets to prevent supply chain attacks.
- 8 (medium): Remove 'unsafe-inline' from CSP and use nonces or hashes for inline scripts.
- 9 (low): Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation.
- 10 (low): Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.
- 11 (low): Enable DNSSEC to protect against DNS spoofing attacks.
- 12 (low): Reduce the number of redirects in your URL chain. Excessive redirects slow page loads and may indicate URL obfuscation.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.