Website Health Check
Scanned 14/04/2026
HTTPS & TLS: A (93%)
SSL certificate expires in 7 days. Renew soon.
TLS 1.2 is supported.
TLS 1.3 is supported (latest version, best performance).
TLS 1.0 is disabled (deprecated protocol correctly rejected).
TLS 1.1 is disabled (deprecated protocol correctly rejected).
Security Headers: C (56%)
HSTS configured but max-age is 15552000 (recommended: 31536000+), missing includeSubDomains.
X-Content-Type-Options is set to nosniff.
X-Frame-Options is set to DENY.
Referrer-Policy header is missing. Full URLs may be sent in referrer headers.
Cache-Control is set to "private, no-cache, no-store, must-revalidate".
Cross-Origin-Embedder-Policy header is missing. Site cannot enable cross-origin isolation.
Cross-Origin-Opener-Policy is set to "unsafe-none" (expected: same-origin).
Cross-Origin-Resource-Policy is set to same-origin.
No Access-Control-Allow-Origin header present. Cross-origin requests are restricted by default.
Some cookies missing flags: "fr" missing SameSite; "sb" missing SameSite.
Content Security Policy: C (50%)
CSP is configured with 14 directives.
CSP allows 'unsafe-inline' which weakens XSS protection.
CSP allows 'unsafe-eval' which permits arbitrary code execution via eval().
Permissions Policy: A+ (100%)
Permissions-Policy restricts 7/7 sensitive features.
Server Security: B (78%)
No Server header present (good — no server information disclosed).
Domain is not listed on any of the 3 DNS blacklists checked.
security.txt found with Contact and Expires fields (RFC 9116 compliant).
No open redirect vulnerabilities detected via common parameters.
Critical: /phpinfo.php, /actuator, /elmah.axd, /.env, /server-status are publicly accessible (information disclosure risk). Also found: /admin, /wp-login.php, /wp-admin.
Content Security: C (53%)
No mixed content detected. All resources use HTTPS.
53 of 53 external resources missing SRI: script: data:application/x-javascript; charset=utf-8;base64,Oy8qRkJfUEtHX0RFTElNKi8KCnZh; script: data:application/x-javascript; charset=utf-8;base64,Oy8qRkJfUEtHX0RFTElNKi8KCl9f; script: data:application/x-javascript; charset=utf-8;base64,Oy8qRkJfUEtHX0RFTElNKi8KCl9i (+50 more).
1 redirect across 2 domains. Moderate redirect chain.
Email Security: B (77%)
SPF record found: v=spf1 redirect=_spf.facebook.com
DMARC policy set to "reject" — spoofed emails will be rejected.
DKIM record found for selector: default.
DNSSEC is not enabled. DNS responses could be spoofed.
Recommendations
- 1 (critical): Restrict access to admin and sensitive paths using IP allowlists or authentication.
- 2 (critical): Install a valid SSL certificate and ensure it is not expired.
- 3 (high): Remove 'unsafe-eval' from CSP to prevent dynamic code execution via eval().
- 4 (high): Add a Strict-Transport-Security header with max-age=31536000 and includeSubDomains.
  Snippet:
    # nginx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Apache
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" }] }] }
- 5 (high): Set Secure, HttpOnly, and SameSite flags on all cookies, especially session cookies.
- 6 (medium): Set Referrer-Policy to strict-origin-when-cross-origin or stricter.
  Snippet:
    # nginx
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Apache
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }] }] }
- 7 (medium): Add integrity attributes to external scripts and stylesheets to prevent supply chain attacks.
- 8 (medium): Remove 'unsafe-inline' from CSP and use nonces or hashes for inline scripts.
- 9 (low): Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation.
- 10 (low): Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.
- 11 (low): Enable DNSSEC to protect against DNS spoofing attacks.
- 12 (low): Reduce the number of redirects in your URL chain. Excessive redirects slow page loads and may indicate URL obfuscation.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.