Scan complete · 3 May 2026
Website Health Check
Overall grade: C (52 / 100) - Needs work
formediagroup.co.uk
https://www.formediagroup.co.uk/
5.2s scan time, 31 checks performed
- HTTPS & TLS: A+ (100%) - All passing
- Security Headers: D (44%) - Critical
- Content Security Policy: F (0%) - Critical
- Permissions Policy: F (0%) - Critical
- Server Security: B (70%) - Needs work
- Content Security: B (67%) - Needs work
- Email Security: C (62%) - Needs work
Needs workHTTPS & TLS
A+100%
SSL Certificate
Valid SSL certificate from Let's Encrypt - E7, expires in 86 days. Learn more
5/5
TLS 1.2 Support
TLS 1.2 is supported. Learn more
10/10
TLS 1.3 Support
TLS 1.3 is supported (latest version, best performance). Learn more
5/5
TLS 1.0 Disabled
TLS 1.0 is disabled (deprecated protocol correctly rejected). Learn more
5/5
TLS 1.1 Disabled
TLS 1.1 is disabled (deprecated protocol correctly rejected). Learn more
5/5
Security Headers: D (44%)
- Strict-Transport-Security (7/15): HSTS configured but max-age is 2592000 (recommended: 31536000+), missing includeSubDomains.
- X-Content-Type-Options (5/5): X-Content-Type-Options is set to nosniff.
- X-Frame-Options (0/5): X-Frame-Options header is missing. Page may be embedded in iframes (clickjacking risk).
- Referrer-Policy (2/5): Referrer-Policy is set to "no-referrer-when-downgrade", which may leak URL information.
- Cache-Control (3/3): Cache-Control is set to "no-cache, no-store, must-revalidate".
- Cross-Origin-Embedder-Policy (0/3): Cross-Origin-Embedder-Policy header is missing. Site cannot enable cross-origin isolation.
- Cross-Origin-Opener-Policy (0/3): Cross-Origin-Opener-Policy header is missing. Page may be accessed by cross-origin windows.
- Cross-Origin-Resource-Policy (0/3): Cross-Origin-Resource-Policy header is missing. Resources may be loaded by any origin.
- CORS Policy (3/3): No Access-Control-Allow-Origin header present. Cross-origin requests are restricted by default.
- Cookie Security (2/5): Some cookies missing flags: "previousFmgUrl" missing Secure, HttpOnly, SameSite; "db7ecff34996fb7ae8516af24249ec47_commerce_cart" missing SameSite; "CRAFT_CSRF_TOKEN" missing SameSite.
Content Security Policy: F (0%)
- Content Security Policy (0/10): No Content-Security-Policy header found. The site has no XSS mitigation via CSP.
- CSP unsafe-inline (0/5): No CSP header to check for unsafe-inline.
- CSP unsafe-eval (0/5): No CSP header to check for unsafe-eval.
Permissions Policy: F (0%)
- Permissions Policy (0/10): No Permissions-Policy or Feature-Policy header found. Browser features like camera, microphone, and geolocation are unrestricted.
Server Security: B (70%)
- Server Header Disclosure (5/5): Server header shows "cloudflare" (CDN/platform, not a disclosure concern).
- Domain Blacklist (5/5): Domain is not listed on any of the 3 DNS blacklists checked.
- Exposed Sensitive Paths (0/5): Critical: /actuator, /server-status, /elmah.axd are publicly accessible (information disclosure risk).
- security.txt (1/3): security.txt exists but is missing the required Contact: field (RFC 9116).
- Open Redirect (5/5): No open redirect vulnerabilities detected via common parameters.
Content Security: B (67%)
- Mixed Content (5/5): No mixed content detected. All resources use HTTPS.
- Subresource Integrity (0/5): 6 of 6 external resources missing SRI: script: https://consent.cookiebot.com/uc.js; script: https://js.stripe.com/v3/; script: https://cdn.jwplayer.com/libraries/Hdh0MCeF.js (+3 more).
- Redirect Chain (5/5): No redirects detected — URL resolves directly.
Email Security: C (62%)
- DNSSEC (0/3): DNSSEC is not enabled. DNS responses could be spoofed.
- SPF Record (3/3): SPF record found: v=spf1 include:secureserver.net -all
- DMARC Policy (2/4): DMARC policy set to "quarantine" — spoofed emails may be flagged. Consider upgrading to "reject".
- DKIM Signing (3/3): DKIM record found for selector: selector1.
Recommendations
- 1 [critical] Restrict access to admin and sensitive paths using IP allowlists or authentication.
- 2 [high] Implement a Content-Security-Policy header with at least default-src and script-src directives.
  Fix:
    # nginx
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
    # Apache
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Content-Security-Policy", "value": "default-src 'self'; script-src 'self'" }] }] }
- 3 [high] Add a Strict-Transport-Security header with max-age=31536000 and includeSubDomains.
  Fix:
    # nginx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Apache
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains" }] }] }
- 4 [high] Set Secure, HttpOnly, and SameSite flags on all cookies, especially session cookies.
- 5 [medium] Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
  Fix:
    # nginx
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    # Apache
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), payment=()" }] }] }
- 6 [medium] Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking.
  Fix:
    # nginx
    add_header X-Frame-Options "DENY" always;
    # Apache
    Header always set X-Frame-Options "DENY"
    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "X-Frame-Options", "value": "DENY" }] }] }
- 7 [medium] Add integrity attributes to external scripts and stylesheets to prevent supply chain attacks.
- 8 [medium] Set Referrer-Policy to strict-origin-when-cross-origin or stricter.
  Fix:
    # nginx
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Apache
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Vercel (vercel.json)
    { "headers": [{ "source": "/(.*)", "headers": [{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }] }] }
- 9 [medium] Add a DMARC record with p=reject at _dmarc.yourdomain.com to block spoofed emails.
- 10 [low] Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation.
- 11 [low] Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.
- 12 [low] Add a Cross-Origin-Resource-Policy: same-origin header to prevent your resources from being loaded by other origins.
- 13 [low] Enable DNSSEC to protect against DNS spoofing attacks.
- 14 [low] Add a /.well-known/security.txt file (RFC 9116) with contact information for security researchers.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.