Website Health Check

Scanned 19/03/2026

B77/100

askarthur.au

https://www.askarthur.au/

1.3s31 checks

Twitter LinkedIn

HTTPS & TLS

A+ (100%)

SSL Certificate5/5

Valid SSL certificate from Let's Encrypt - R12, expires in 57 days. Learn more ↗

TLS 1.2 Support10/10

TLS 1.2 is supported. Learn more ↗

TLS 1.3 Support5/5

TLS 1.3 is supported (latest version, best performance). Learn more ↗

TLS 1.0 Disabled5/5

TLS 1.0 is disabled (deprecated protocol correctly rejected). Learn more ↗

TLS 1.1 Disabled5/5

TLS 1.1 is disabled (deprecated protocol correctly rejected). Learn more ↗

Security Headers

C (64%)

Strict-Transport-Security15/15

HSTS enabled with max-age=63072000, includeSubDomains, preload. Learn more ↗

X-Content-Type-Options5/5

X-Content-Type-Options is set to nosniff. Learn more ↗

X-Frame-Options5/5

X-Frame-Options is set to DENY. Learn more ↗

Referrer-Policy5/5

Referrer-Policy is set to strict-origin-when-cross-origin. Learn more ↗

Cache-Control1/3

Cache-Control is "public, max-age=0, must-revalidate" but does not include no-store or private. Sensitive pages may be cached. Learn more ↗

Cross-Origin-Embedder-Policy0/3

Cross-Origin-Embedder-Policy header is missing. Site cannot enable cross-origin isolation. Learn more ↗

Cross-Origin-Opener-Policy0/3

Cross-Origin-Opener-Policy header is missing. Page may be accessed by cross-origin windows. Learn more ↗

Cross-Origin-Resource-Policy0/3

Cross-Origin-Resource-Policy header is missing. Resources may be loaded by any origin. Learn more ↗

CORS Policy1/3

Access-Control-Allow-Origin is set to wildcard (*). Any origin can make cross-origin requests. Learn more ↗

Cookie Security0/5

No Set-Cookie headers found. Learn more ↗

Content Security Policy

B (75%)

Content Security Policy10/10

CSP is configured with 13 directives. Learn more ↗

CSP unsafe-inline0/5

CSP allows 'unsafe-inline' which weakens XSS protection. Learn more ↗

CSP unsafe-eval5/5

CSP does not use unsafe-eval. Learn more ↗

Permissions Policy

C (50%)

Permissions Policy5/10

Permissions-Policy only restricts 4/7 sensitive features. Learn more ↗

Server Security

A (87%)

Server Header Disclosure5/5

Server header shows "Vercel" (CDN/platform, not a disclosure concern). Learn more ↗

Domain Blacklist5/5

Domain is not listed on any of the 3 DNS blacklists checked. Learn more ↗

security.txt0/3

No security.txt file found. Consider adding one for security researchers. Learn more ↗

Open Redirect5/5

No open redirect vulnerabilities detected via common parameters. Learn more ↗

Exposed Sensitive Paths5/5

No common admin or sensitive paths are publicly exposed. Learn more ↗

Content Security

A+ (100%)

Mixed Content5/5

No mixed content detected. All resources use HTTPS. Learn more ↗

Subresource Integrity5/5

No external scripts or stylesheets found — SRI not needed. Learn more ↗

Redirect Chain5/5

No redirects detected — URL resolves directly. Learn more ↗

Email Security

D (46%)

SPF Record3/3

SPF record found: v=spf1 include:secureserver.net -all Learn more ↗

DMARC Policy2/4

DMARC policy set to "quarantine" — spoofed emails may be flagged. Consider upgrading to "reject". Learn more ↗

DKIM Signing1/3

No DKIM records found for common selectors. DKIM may use a custom selector not checked here. Learn more ↗

DNSSEC0/3

DNSSEC is not enabled. DNS responses could be spoofed. Learn more ↗

Recommendations

1
medium{"text":"Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.","severity":"medium","snippet":"# nginx\nadd_header Permissions-Policy \"camera=(), microphone=(), geolocation=(), payment=()\" always;\n\n# Apache\nHeader always set Permissions-Policy \"camera=(), microphone=(), geolocation=(), payment=()\"\n\n# Vercel (vercel.json)\n{ \"headers\": [{ \"source\": \"/(.*)\", \"headers\": [{ \"key\": \"Permissions-Policy\", \"value\": \"camera=(), microphone=(), geolocation=(), payment=()\" }] }] }"}
2
medium{"text":"Remove 'unsafe-inline' from CSP and use nonces or hashes for inline scripts.","severity":"medium"}
3
medium{"text":"Add a DMARC record with p=reject at _dmarc.yourdomain.com to block spoofed emails.","severity":"medium"}
4
medium{"text":"Add Cache-Control: no-store or private to prevent sensitive pages from being cached.","severity":"medium","snippet":"# nginx\nadd_header Cache-Control \"no-store\" always;\n\n# Apache\nHeader always set Cache-Control \"no-store\"\n\n# Vercel (vercel.json)\n{ \"headers\": [{ \"source\": \"/(.*)\", \"headers\": [{ \"key\": \"Cache-Control\", \"value\": \"no-store\" }] }] }"}
5
medium{"text":"Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation.","severity":"low"}
6
medium{"text":"Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.","severity":"low"}
7
medium{"text":"Add a Cross-Origin-Resource-Policy: same-origin header to prevent your resources from being loaded by other origins.","severity":"low"}
8
medium{"text":"Enable DNSSEC to protect against DNS spoofing attacks.","severity":"low"}
9
medium{"text":"Restrict Access-Control-Allow-Origin to specific trusted origins instead of using wildcard (*).","severity":"low"}
10
medium{"text":"Configure DKIM signing for your email to authenticate outgoing messages.","severity":"low"}

This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.