Scan complete · 30 Apr 2026
Website Health Check

Target: aussie.com.au (https://www.aussie.com.au/)
Overall grade: B, 69 / 100 (above average)
3.0s scan time, 31 checks performed

Category summary
  HTTPS & TLS: A+ (100%), all passing
  Security Headers: D (48%), critical
  Content Security Policy: B (75%), needs work
  Permissions Policy: F (0%), critical
  Server Security: A (87%), all passing
  Content Security: A (87%), all passing
  Email Security: C (62%), needs work

HTTPS & TLS
A+ (100%)
SSL Certificate (5/5)
Valid certificate issued by Amazon (Amazon RSA 2048 M01), expiring in 302 days.

TLS 1.2 Support (10/10)
TLS 1.2 is supported.

TLS 1.3 Support (5/5)
TLS 1.3 is supported (latest version, best performance).

TLS 1.0 Disabled (5/5)
TLS 1.0 is disabled (deprecated protocol correctly rejected).

TLS 1.1 Disabled (5/5)
TLS 1.1 is disabled (deprecated protocol correctly rejected).
Security Headers
D (48%)

Strict-Transport-Security (15/15)
HSTS enabled with max-age=31536000, includeSubDomains. No preload directive is reported, so a browser is protected only after its first successful HTTPS visit; submitting the domain to the HSTS preload list closes that first-visit window.

X-Content-Type-Options (5/5)
X-Content-Type-Options is set to nosniff.

X-Frame-Options (0/5)
X-Frame-Options header is missing, so the page may be embedded in iframes (clickjacking risk). A frame-ancestors directive in the Content-Security-Policy provides the same protection and takes precedence over X-Frame-Options in browsers that support it; if the existing CSP does not carry one, add either header.

Referrer-Policy (2/5)
Referrer-Policy is set to "no-referrer, strict-origin-when-cross-origin". This is a comma-separated fallback list: browsers apply the last value they recognise, so the effective policy is strict-origin-when-cross-origin, which sends only the origin on cross-origin requests and the full URL only to the same origin. The reduced score reflects the list form rather than an actual leak of path or query data; collapsing the header to the single value removes the ambiguity.

Cache-Control (1/3)
Cache-Control is "public" and does not include no-store or private. That is appropriate for a static, unauthenticated homepage; no-store or private belongs on responses that carry session-specific or sensitive content, not on every path.

Cross-Origin-Embedder-Policy (0/3)
Cross-Origin-Embedder-Policy header is missing, so the site cannot enable cross-origin isolation. Isolation is only required for features such as SharedArrayBuffer, and require-corp blocks every cross-origin subresource that does not opt in via CORP or CORS, so test before enabling.

Cross-Origin-Opener-Policy (0/3)
Cross-Origin-Opener-Policy header is missing. Windows opened from other origins keep a reference to this page's browsing context.

Cross-Origin-Resource-Policy (0/3)
Cross-Origin-Resource-Policy header is missing. Resources served by the site may be loaded by any origin.

CORS Policy (1/3)
Access-Control-Allow-Origin is set to the wildcard (*), so any origin can read cross-origin responses. A wildcard can never be combined with credentials, so on public static content the exposure is negligible; it matters only if the same header is also emitted on endpoints that return private data.

Cookie Security (0/5)
No Set-Cookie headers found in the scanned response. With no cookies there is nothing to mark Secure, HttpOnly or SameSite, so this score is a scoring artefact rather than a weakness; cookies set by JavaScript or on login paths are not observed by this check.
Content Security Policy
B (75%)

Content Security Policy (5/10)
A CSP header exists but has no default-src or script-src directive. Without one of these the policy does not govern script execution at all, so the two passes below only mean the keywords are absent from the header, not that inline or eval'd script is blocked.

CSP unsafe-inline (5/5)
CSP does not use unsafe-inline.

CSP unsafe-eval (5/5)
CSP does not use unsafe-eval.
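The Security Headers and Content Security Policy checks above all reduce to inspecting one response header set. The following is an added example, not the scanner's code, that evaluates such a set offline: it resolves a comma-separated Referrer-Policy the way a browser does, parses the CSP into directives, treats a CSP frame-ancestors directive as equivalent framing protection to X-Frame-Options, and only reports on unsafe-inline/unsafe-eval once the policy actually governs scripts. SAMPLE_HEADERS is constructed to mirror this page's findings and is not a capture from aussie.com.au; the page never shows the site's real CSP value, so the "upgrade-insecure-requests" policy used here is hypothetical, and HARDENED_HEADERS is an assumed post-fix set.

```python
"""Evaluate a response header set as the Security Headers and CSP checks do.
Added example, not the scanner's code. SAMPLE_HEADERS mirrors the findings on
this page but is constructed; its CSP value is hypothetical."""
from __future__ import annotations

REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that never send the path or query string to another origin.
SAFE_CROSS_ORIGIN = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "strict-origin-when-cross-origin",
}


def effective_referrer_policy(value: str) -> str | None:
    """Resolve a comma-separated Referrer-Policy value.

    The Referrer Policy spec applies the last token the browser recognises,
    so "no-referrer, strict-origin-when-cross-origin" resolves to the latter.
    """
    chosen = None
    for token in value.split(","):
        token = token.strip().lower()
        if token in REFERRER_POLICIES:
            chosen = token
    return chosen


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def evaluate_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response header dict (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("HSTS missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    csp = parse_csp(h.get("content-security-policy", ""))
    # frame-ancestors supersedes X-Frame-Options where supported; either one
    # is enough to stop clickjacking.
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing protection (X-Frame-Options or frame-ancestors)")
    if not csp:
        findings.append("CSP missing")
    elif "script-src" not in csp and "default-src" not in csp:
        # Without one of these the policy does not govern scripts, so the
        # absence of 'unsafe-inline'/'unsafe-eval' proves nothing.
        findings.append("CSP does not govern scripts (no default-src or script-src)")
    for directive in ("script-src", "default-src"):
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in csp.get(directive, []):
                findings.append(f"CSP {directive} allows {keyword}")

    policy = effective_referrer_policy(h.get("referrer-policy", ""))
    if policy is None:
        findings.append("Referrer-Policy missing or unrecognised")
    elif policy not in SAFE_CROSS_ORIGIN:
        findings.append(f"Referrer-Policy {policy} sends path/query cross-origin")

    if h.get("access-control-allow-origin") == "*":
        # A wildcard can never be paired with credentials, so it is harmless
        # on public static content and a problem only on private endpoints.
        findings.append("CORS wildcard: confirm it is not emitted on private endpoints")
    return findings


# Constructed to mirror the page's findings; the CSP value is hypothetical.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
    "Cache-Control": "public, max-age=300",
    "Access-Control-Allow-Origin": "*",
    "Content-Security-Policy": "upgrade-insecure-requests",
}
# Assumed header set after applying recommendations 1, 3 and 4.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("current", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, evaluate_headers(hdrs) or ["no findings"])
```

Run against SAMPLE_HEADERS the evaluator reports the missing framing protection, the script-less CSP and the CORS wildcard, but not the Referrer-Policy, because the fallback list resolves to a safe policy; against HARDENED_HEADERS it reports nothing.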
Permissions Policy
F (0%)

Permissions Policy (0/10)
No Permissions-Policy or Feature-Policy header found. Browser features such as camera, microphone, and geolocation are unrestricted for this page and any frames it embeds.
Server Security
A (87%)

Server Header Disclosure (5/5)
No Server header present (no server software or version disclosed).

Domain Blacklist (5/5)
Domain is not listed on any of the 3 DNS blacklists checked.

Open Redirect (5/5)
No open redirect detected via common parameter names. This probes only a fixed list of parameters; redirect parameters with other names, or redirects on pages other than the homepage, are outside its scope.

Exposed Sensitive Paths (5/5)
No common admin or sensitive paths are publicly exposed. As with the redirect check, only a fixed wordlist of paths is requested.

security.txt (0/3)
No security.txt file found. Publishing one at /.well-known/security.txt (RFC 9116) gives security researchers a contact and disclosure policy.
Content Security
A (87%)

Mixed Content (5/5)
No mixed content detected; all resources in the served HTML use HTTPS.

Subresource Integrity (5/5)
No external scripts or stylesheets found in the served HTML, so SRI is not needed. Scripts injected at runtime, for example by a tag manager, are not visible to this check and would need their own review.

Redirect Chain (3/5)
1 redirect across 2 domains (moderate redirect chain). Given the scanned domain aussie.com.au and the final URL https://www.aussie.com.au/, this is consistent with a single apex-to-www hop; confirm that the apex response itself is served over HTTPS and also sends the HSTS header, otherwise the first hop is unprotected.
Email Security
C (62%)

SPF Record (3/3)
SPF record found: v=spf1 mx include:spf-00814f01.pphosted.com include:au._netblocks.mimecast.com include:spf.protectio... (truncated). The mx term and every include each cost a DNS lookup, as do the lookups inside the included records, against the limit of 10 that RFC 7208 imposes; a record exceeding it evaluates to permerror, so the total should be verified for a record with this many includes.

DMARC Policy (2/4)
DMARC policy is set to "quarantine", so spoofed mail that fails alignment may be flagged or sent to spam rather than rejected. Check that pct is absent or 100 (the policy otherwise applies to only a sample of failing mail), review the aggregate (rua) reports for legitimate senders that fail alignment, then move to "reject".

DKIM Signing (3/3)
DKIM records found for selectors selector1 and selector2.

DNSSEC (0/3)
DNSSEC is not enabled, so DNS responses for the domain (including the SPF, DKIM and DMARC records above) are not cryptographically signed and could be spoofed by an on-path resolver or cache-poisoning attacker.
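The SPF and DMARC checks above stop at "record found" and "policy is quarantine". The following added example, not the scanner's code, goes one step further offline: it counts the lookup-costing SPF terms against the RFC 7208 limit of 10, reads the qualifier on the all mechanism, and reports a DMARC record's distance from a full p=reject (policy, pct sampling, missing rua). The records below are constructed with example domains because the page shows only a truncated SPF record; the counts and verdicts apply to these samples, not to aussie.com.au.

```python
"""Parse SPF and DMARC TXT records as the Email Security checks above do.
Added example, not the scanner's code. SAMPLE_SPF and SAMPLE_DMARC are
constructed, not the live DNS data for aussie.com.au."""
from __future__ import annotations

import re

# SPF terms that each cost a DNS lookup; RFC 7208 section 4.6.4 allows at
# most 10 per evaluation, counting those inside included records as well.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_lookup_count(record: str) -> int:
    """Count lookup-costing terms in one SPF record.

    This is a lower bound: the included records are not fetched here, and
    their own include/a/mx terms count toward the same limit of 10.
    """
    count = 0
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        term = term.lstrip("+-~?")             # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def spf_all_qualifier(record: str) -> str | None:
    """Return the qualifier on 'all' ('-' fail, '~' softfail, '?' neutral,
    '+' pass) or None when the record has no 'all' mechanism."""
    for term in record.split():
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Report the ways a DMARC record falls short of a full p=reject."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings: list[str] = []
    policy = tags.get("p")
    if policy != "reject":
        action = "quarantined" if policy == "quarantine" else "delivered"
        findings.append(f"policy is p={policy}; spoofed mail is {action}, not rejected")
    pct = int(tags.get("pct", "100"))          # pct defaults to 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to review before tightening")
    return findings


# Constructed sample records (example domains, not the live DNS data).
SAMPLE_SPF = ("v=spf1 mx include:spf.gateway-one.example "
              "include:spf.gateway-two.example include:spf.mailhost.example -all")
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print("SPF lookups:", spf_lookup_count(SAMPLE_SPF), "all:", spf_all_qualifier(SAMPLE_SPF))
    print("DMARC:", dmarc_findings(SAMPLE_DMARC))
```

For the sample SPF the static count is 4 (mx plus three includes), with the includes' own lookups still to be added; the sample DMARC yields a single finding, that p=quarantine only quarantines rather than rejects.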
Recommendations

1. [high] Implement a Content-Security-Policy header with at least default-src and script-src directives. Roll it out as Content-Security-Policy-Report-Only first and review the violation reports before enforcing, because a 'self'-only policy blocks inline scripts and any third-party tags the page loads.
   Fix:
   # nginx
   add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
   # Apache
   Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Content-Security-Policy", "value": "default-src 'self'; script-src 'self'" }]
     }]
   }

2. [medium] Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
   Fix:
   # nginx
   add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
   # Apache
   Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), payment=()" }]
     }]
   }

3. [medium] Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking. A frame-ancestors directive in the CSP does the same job and takes precedence in browsers that support it; setting both keeps older browsers covered.
   Fix:
   # nginx
   add_header X-Frame-Options "DENY" always;
   # Apache
   Header always set X-Frame-Options "DENY"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "X-Frame-Options", "value": "DENY" }]
     }]
   }

4. [medium] Set Referrer-Policy to strict-origin-when-cross-origin or stricter. The current value "no-referrer, strict-origin-when-cross-origin" already resolves to strict-origin-when-cross-origin in browsers; replacing the list with the single value removes the ambiguity the scanner flagged.
   Fix:
   # nginx
   add_header Referrer-Policy "strict-origin-when-cross-origin" always;
   # Apache
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }]
     }]
   }

5. [medium] Change the existing DMARC record (published at _dmarc.<domain>) from p=quarantine to p=reject to block spoofed emails, once the aggregate reports show no legitimate senders failing alignment.

6. [medium] Add Cache-Control: no-store or private to responses that carry sensitive or personalised content so they are not cached. The fix below applies no-store to every path ("/(.*)"), which also disables caching of static assets; scope it to the sensitive routes instead.
   Fix:
   # nginx
   add_header Cache-Control "no-store" always;
   # Apache
   Header always set Cache-Control "no-store"
   # Vercel (vercel.json)
   {
     "headers": [{
       "source": "/(.*)",
       "headers": [{ "key": "Cache-Control", "value": "no-store" }]
     }]
   }

7. [low] Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation. Only needed if the site uses isolation-gated APIs; test first, since require-corp blocks cross-origin resources that do not opt in via CORP or CORS.

8. [low] Add a Cross-Origin-Opener-Policy: same-origin header to isolate your browsing context from cross-origin windows.

9. [low] Add a Cross-Origin-Resource-Policy: same-origin header to prevent your resources from being loaded by other origins.

10. [low] Enable DNSSEC to protect against DNS spoofing attacks.

11. [low] Reduce the number of redirects in your URL chain. Excessive redirects slow page loads and may indicate URL obfuscation.

12. [low] Restrict Access-Control-Allow-Origin to specific trusted origins instead of using the wildcard (*), particularly on any endpoint that returns private data.
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.