Scan complete · 1 May 2026
Website Health Check
Overall score: A (80 / 100)
cloud.microsoft
https://m365.cloud.microsoft/
0.5s scan time
31 checks performed
Overall rating: A (Excellent)
HTTPS & TLS: A+ (100%) - All passing
Security Headers: A (82%) - All passing
Content Security Policy: B (75%) - Needs work
Permissions Policy: F (0%) - Critical
Server Security: A (91%) - All passing
Content Security: A (80%) - All passing
Email Security: A+ (100%) - All passing
All passingHTTPS & TLS
A+100%
TLS 1.2 Support
TLS 1.2 is supported. Learn more
10/10
TLS 1.3 Support
TLS 1.3 is supported (latest version, best performance). Learn more
5/5
TLS 1.0 Disabled
TLS 1.0 is disabled (deprecated protocol correctly rejected). Learn more
5/5
TLS 1.1 Disabled
TLS 1.1 is disabled (deprecated protocol correctly rejected). Learn more
5/5
SSL Certificate
Valid SSL certificate from Microsoft Corporation - Microsoft TLS G2 RSA CA OCSP 02, expires in 122 days. Learn more
5/5
Security Headers: A (82%)
Strict-Transport-Security (15/15): HSTS enabled with max-age=31536000, includeSubDomains (the listed directives do not include preload).
X-Content-Type-Options (5/5): X-Content-Type-Options is set to nosniff.
X-Frame-Options (5/5): X-Frame-Options is set to SAMEORIGIN.
Referrer-Policy (5/5): Referrer-Policy is set to strict-origin-when-cross-origin.
Cache-Control (3/3): Cache-Control is set to "no-store,no-cache".
Cross-Origin-Embedder-Policy (0/3): Cross-Origin-Embedder-Policy header is missing; the site cannot enable cross-origin isolation, so SharedArrayBuffer and the other APIs gated on it stay unavailable.
Cross-Origin-Opener-Policy (0/3): Cross-Origin-Opener-Policy header is missing; a cross-origin page that opens this one keeps a window reference to it.
Cross-Origin-Resource-Policy (0/3): Cross-Origin-Resource-Policy header is missing; any origin may embed this site's resources (for example via <img> or <script>).
CORS Policy (3/3): No Access-Control-Allow-Origin header present, so the same-origin policy keeps other origins from reading responses. The requests themselves are still sent, so this is not a CSRF control.
Cookie Security (5/5): All 2 cookies have the Secure, HttpOnly, and SameSite attributes.
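To reproduce the Security Headers checks above against a captured response offline, here is an added example; it is not the scanner's code. The header values and the two Set-Cookie lines in SAMPLE_HEADERS and SAMPLE_COOKIES are constructed to mirror the report, not a real capture from m365.cloud.microsoft, and the one-year HSTS threshold is this example's own choice.

```python
"""Audit a response header set the way the Security Headers checks above do.

Added example, not the scanner's code. SAMPLE_HEADERS and SAMPLE_COOKIES are
constructed to mirror the report's values; they are not a real capture.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, bool, str]  # (check name, passed, detail)

ONE_YEAR = 31536000  # max-age threshold used here (assumption, matches the reported value)

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().isdigit():
            out["max_age"] = int(val.strip())
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def cookie_flags(set_cookie: str) -> Dict[str, object]:
    """Return the name and security attributes of one Set-Cookie value."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    attr_map = {a.partition("=")[0].strip().lower(): a for a in attrs}
    samesite = attr_map.get("samesite", "").partition("=")[2].strip().lower()
    return {
        "name": name_value.partition("=")[0].strip(),
        "secure": "secure" in attr_map,
        "httponly": "httponly" in attr_map,
        "samesite": samesite or None,
    }


def audit_headers(headers: Dict[str, str], set_cookies: List[str]) -> List[Finding]:
    """Evaluate the checks the report lists, returning (name, passed, detail) per check."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    hsts = parse_hsts(h.get("strict-transport-security", ""))
    max_age = hsts["max_age"]
    findings.append((
        "Strict-Transport-Security",
        max_age is not None and max_age >= ONE_YEAR,
        f"max-age={max_age} includeSubDomains={hsts['include_subdomains']} preload={hsts['preload']}",
    ))

    xcto = h.get("x-content-type-options", "")
    findings.append(("X-Content-Type-Options", xcto.strip().lower() == "nosniff", xcto or "<missing>"))

    xfo = h.get("x-frame-options", "")
    findings.append(("X-Frame-Options", xfo.strip().upper() in ("DENY", "SAMEORIGIN"), xfo or "<missing>"))

    rp = h.get("referrer-policy", "")
    findings.append(("Referrer-Policy", rp.strip().lower() in SAFE_REFERRER_POLICIES, rp or "<missing>"))

    # The three cross-origin isolation headers: the report only checks presence.
    for name in ("Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy", "Cross-Origin-Resource-Policy"):
        val = h.get(name.lower())
        findings.append((name, val is not None, val or "<missing>"))

    # Every cookie needs Secure, HttpOnly and an explicit SameSite value.
    for sc in set_cookies:
        f = cookie_flags(sc)
        ok = bool(f["secure"] and f["httponly"] and f["samesite"])
        findings.append((f"Cookie {f['name']}", ok,
                         f"Secure={f['secure']} HttpOnly={f['httponly']} SameSite={f['samesite']}"))
    return findings


def failing_checks(findings: List[Finding]) -> List[str]:
    """Names of the checks that did not pass."""
    return [name for name, ok, _ in findings if not ok]


# Constructed sample mirroring the report (not a real capture).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store,no-cache",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, ok, detail in audit_headers(SAMPLE_HEADERS, SAMPLE_COOKIES):
        print(("PASS" if ok else "FAIL"), name + ":", detail)
```

Run against the constructed sample it reports exactly the three failures above (COOP, COEP, CORP) and passes everything else; swapping in a real response's headers and Set-Cookie lines reproduces the scan without sending a request.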
Content Security Policy: B (75%)
Content Security Policy (10/10): CSP is configured with 16 directives.
CSP unsafe-inline (0/5): CSP allows 'unsafe-inline', which weakens XSS protection. This check looks only for the keyword: browsers that implement CSP Level 2 ignore 'unsafe-inline' in a directive that also carries a nonce or hash source, so if the policy is already nonce-based the keyword is a harmless fallback for old browsers; if it is not, any injected inline script runs.
CSP unsafe-eval (5/5): CSP does not use 'unsafe-eval'.
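The report does not print the site's 16 directives, so the following added example (not the scanner's code) uses a constructed policy, WEAK_POLICY, that reproduces the flagged condition; the hosts in it come from the SRI finding later in the report, the directives themselves are invented. It parses the policy, applies the CSP Level 2 rule above, and shows the two fixes recommendation 2 asks for: replacing 'unsafe-inline' with a per-response nonce, or pinning an inline script body by hash.

```python
"""Parse a Content-Security-Policy and judge its inline-script posture.

Added example, not the scanner's code. WEAK_POLICY is constructed: the
report does not show the real directives, only that 'unsafe-inline' is present.
"""
import base64
import hashlib
import secrets
from typing import Dict, List

HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src' into an ordered directive map."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """script-src (like the other fetch directives) falls back to default-src when absent."""
    return directives.get(name, directives.get("default-src", []))


def inline_script_policy(directives: Dict[str, List[str]]) -> str:
    """Classify how inline <script> blocks are treated.

    CSP Level 2 rule: once a nonce or hash source is present in the directive,
    'unsafe-inline' is ignored, so only then is the keyword harmless.
    """
    lowered = [s.lower() for s in effective_sources(directives, "script-src")]
    if any(s.startswith(HASH_PREFIXES) for s in lowered):
        return "nonce-or-hash"
    if "'unsafe-inline'" in lowered:
        return "any-inline"
    return "none"


def allows_eval(directives: Dict[str, List[str]]) -> bool:
    """True when script-src (or its default-src fallback) contains 'unsafe-eval'."""
    return "'unsafe-eval'" in [s.lower() for s in effective_sources(directives, "script-src")]


def hash_source(inline_script: str) -> str:
    """Hash source for one inline script body (the exact text between the tags)."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """A fresh, unguessable nonce; generate one per response and never reuse it."""
    return secrets.token_urlsafe(16)


def harden(policy: str, nonce: str) -> str:
    """Drop 'unsafe-inline' from script-src and allow inline scripts only via the nonce."""
    d = parse_csp(policy)
    kept = [s for s in effective_sources(d, "script-src") if s.lower() != "'unsafe-inline'"]
    d["script-src"] = kept + [f"'nonce-{nonce}'"]
    return "; ".join(name + (" " + " ".join(srcs) if srcs else "") for name, srcs in d.items())


# Constructed sample (hosts taken from the SRI finding in the report; directives invented).
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://www.microsoft.com https://mem.gfx.ms; "
    "style-src 'self' 'unsafe-inline'; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
)

if __name__ == "__main__":
    weak = parse_csp(WEAK_POLICY)
    print("weak  :", inline_script_policy(weak), "| unsafe-eval:", allows_eval(weak))
    print("fixed :", harden(WEAK_POLICY, new_nonce()))
    print("or pin one inline body by hash:", hash_source("window.__shell = {};"))
```

Each server-rendered response must carry its own nonce in both the header and the `<script nonce="...">` attributes; a static nonce is equivalent to 'unsafe-inline'. Hash sources suit inline scripts that never change, and 'unsafe-inline' for style-src is left alone here because the report only flags scripts.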
Permissions Policy: F (0%)
Permissions Policy (0/10): No Permissions-Policy or Feature-Policy header found. Browser features such as camera, microphone, and geolocation are unrestricted for this origin (their default allowlist is 'self', so the exposure is mainly through injected or compromised first-party script; cross-origin frames still need an explicit allow attribute).
Server Security: A (91%)
Server Header Disclosure (5/5): No Server header present (no server software or version disclosed).
Domain Blacklist (5/5): Domain is not listed on any of the 3 DNS blacklists checked.
Exposed Sensitive Paths (5/5): No common admin or sensitive paths are publicly exposed.
Open Redirect (5/5): No open redirect detected via common redirect parameters.
security.txt (1/3): security.txt exists but lacks the Contact: field, which RFC 9116 makes mandatory (the RFC also requires an Expires: field).
Content Security: A (80%)
Mixed Content (5/5): No mixed content detected. All resources use HTTPS.
Subresource Integrity (2/5): 3 of 14 external resources are missing SRI (the scanner truncates the URLs):
  script: https://www.microsoft.com/onerfstatics/marketingsites-wcus-prod/shell/_scrf/js/t
  script: https://mem.gfx.ms/meversion?partner=office&market=en-us&uhf=1
  stylesheet: https://www.microsoft.com/onerfstatics/marketingsites-wcus-prod/west-european/sh
  SRI pins a byte-exact copy, so it only fits files that do not change in place; a resource served with a query string like meversion?partner=... is likely generated per request and cannot be pinned, and has to be trusted through its host instead.
Redirect Chain (5/5): No redirects detected; the URL resolves directly.
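For the three unpinned files above (and recommendation 3 below), this added example, which is not the scanner's code, generates the integrity value for a resource body and verifies a fetched body against an integrity attribute using the browser's rule that only hashes of the strongest listed algorithm count. SAMPLE_BODY is a constructed stand-in for one of those scripts and the URL in the usage line is hypothetical; nothing is fetched.

```python
"""Generate and verify Subresource Integrity metadata.

Added example, not the scanner's code. SAMPLE_BODY is a constructed stand-in
for one of the unpinned files in the report; no file is fetched.
"""
import base64
import hashlib
from typing import List, Tuple

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the algorithms SRI recognises


def digest_b64(body: bytes, algo: str) -> str:
    """Base64 digest of body under one SRI algorithm."""
    return base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")


def integrity_for(body: bytes, algo: str = "sha384") -> str:
    """The value to put in integrity="..." for a byte-exact copy of body."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-{digest_b64(body, algo)}"


def parse_integrity(attr: str) -> List[Tuple[str, str]]:
    """Split a (possibly multi-hash) attribute; unknown algorithms are dropped, as browsers do."""
    parsed: List[Tuple[str, str]] = []
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        if sep and algo.lower() in STRENGTH and rest:
            parsed.append((algo.lower(), rest.split("?", 1)[0]))  # a "?options" suffix is ignored
    return parsed


def verify(body: bytes, attr: str) -> bool:
    """Browser rule: only hashes of the strongest listed algorithm count, and any one may match.

    Returns False when nothing parses: that is the case where a browser would
    load the file unchecked, so an audit must treat it as unprotected.
    """
    metadata = parse_integrity(attr)
    if not metadata:
        return False
    strongest = max(STRENGTH[a] for a, _ in metadata)
    return any(
        STRENGTH[algo] == strongest and digest_b64(body, algo) == expected
        for algo, expected in metadata
    )


def script_tag(url: str, body: bytes) -> str:
    """The tag to emit; crossorigin="anonymous" is required for SRI on a cross-origin URL."""
    return f'<script src="{url}" integrity="{integrity_for(body)}" crossorigin="anonymous"></script>'


# Constructed stand-in for a pinned third-party script body.
SAMPLE_BODY = b"window.__shell = { version: 1 };\n"

if __name__ == "__main__":
    attr = integrity_for(SAMPLE_BODY)
    print(script_tag("https://cdn.example.invalid/shell.js", SAMPLE_BODY))  # hypothetical URL
    print("original verifies:", verify(SAMPLE_BODY, attr))
    print("tampered verifies:", verify(SAMPLE_BODY + b"//x", attr))
```

Without crossorigin="anonymous" a cross-origin script is fetched in no-cors mode and the browser cannot compare the hash, so it refuses to run the resource; the host must also answer with Access-Control-Allow-Origin for the fetch to succeed.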
Email Security: A+ (100%)
SPF Record (3/3): SPF record found: v=spf1 -all (the domain declares that it sends no mail, so every SPF check for it hard-fails).
DMARC Policy (4/4): DMARC policy set to "reject"; mail that fails SPF/DKIM alignment is rejected by receivers that enforce DMARC.
DKIM Signing (3/3): DKIM records found for selectors: google, k1, selector1, default, selector2.
DNSSEC (3/3): DNSSEC is enabled; DNS responses are cryptographically signed.
Recommendations
- 1 (medium) Add a Permissions-Policy header restricting camera, microphone, geolocation, and payment.
  Fix:
    # nginx
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    # Apache
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    # Vercel (vercel.json)
    {
      "headers": [{
        "source": "/(.*)",
        "headers": [{
          "key": "Permissions-Policy",
          "value": "camera=(), microphone=(), geolocation=(), payment=()"
        }]
      }]
    }
- 2 (medium) Remove 'unsafe-inline' from the CSP script-src and use nonces or hashes for inline scripts.
- 3 (medium) Add integrity attributes (with crossorigin="anonymous") to the external scripts and stylesheets that lack them, so the browser refuses a modified copy of those files. This only works for files whose bytes do not change in place, so pin versioned URLs.
- 4 (low) Add a Cross-Origin-Embedder-Policy header (require-corp or credentialless) to enable cross-origin isolation. With require-corp every cross-origin subresource must opt in through CORP or CORS, so the external scripts and stylesheets listed under Content Security would break until their hosts send those headers; credentialless avoids that for loads made without credentials.
- 5 (low) Add Cross-Origin-Opener-Policy: same-origin to sever the window reference between this page and any cross-origin opener or popup.
- 6 (low) Add Cross-Origin-Resource-Policy to stop other origins from embedding this site's resources: same-origin is the strictest value; use same-site if sibling sites under the same registrable domain need these assets.
- 7 (low) The existing /.well-known/security.txt lacks the mandatory Contact: field; add a Contact: line (a mailto:, tel: or https: URI) and, since RFC 9116 also requires it, an Expires: line.
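To check a security.txt before publishing it, here is an added example (not the scanner's code, and not the file the site actually serves) that validates the RFC 9116 rules behind the security.txt finding and recommendation 7: Contact must be present and be a mailto:, tel: or https: URI, Expires must appear exactly once, be a timezone-aware ISO 8601 date-time, lie in the future and should be under a year away, and Preferred-Languages must not repeat. Both sample bodies are constructed; the scan date is used as "now" so the results stay fixed.

```python
"""Validate a security.txt body against the RFC 9116 rules the scanner checks.

Added example, not the scanner's code. MISSING_CONTACT and FIXED are
constructed samples, not the file served by the site.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SCAN_DATE = datetime(2026, 5, 1, tzinfo=timezone.utc)  # the report date, used as "now" below
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect field values by lower-cased name; blank lines and '#' comments are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line (e.g. a PGP signature armor line)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return the list of RFC 9116 violations; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    issues: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        issues.append("Contact: field is missing (MUST appear at least once)")
    for c in contacts:
        if not c.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            issues.append(f"Contact: value is not a mailto:/tel:/https: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append(f"Expires: field must appear exactly once (found {len(expires)})")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("missing timezone")
            if when <= now:
                issues.append(f"Expires: date has passed ({expires[0]})")
            elif when - now > timedelta(days=365):
                issues.append("Expires: is more than a year away (SHOULD be under a year)")
        except ValueError:
            issues.append(f"Expires: value is not an ISO 8601 date-time: {expires[0]}")

    if len(fields.get("preferred-languages", [])) > 1:
        issues.append("Preferred-Languages: must not appear more than once")
    for c in fields.get("canonical", []):
        if not c.lower().startswith("https://"):
            issues.append(f"Canonical: must be an https URI: {c}")
    return issues


# Constructed sample reproducing the finding: no Contact: line.
MISSING_CONTACT = """# security.txt (constructed sample)
Expires: 2026-12-31T23:59:00Z
Policy: https://security.example/policy
"""

# Constructed sample with the fields recommendation 7 asks for.
FIXED = """Contact: mailto:security@example.com
Contact: https://security.example/report
Expires: 2026-12-31T23:59:00Z
Preferred-Languages: en
Canonical: https://www.example.com/.well-known/security.txt
"""

if __name__ == "__main__":
    print("as reported:", validate_security_txt(MISSING_CONTACT, now=SCAN_DATE))
    print("fixed      :", validate_security_txt(FIXED, now=SCAN_DATE))
```

The Expires field is the one most often forgotten after Contact: an expired file tells researchers the information may be stale, and the RFC asks that the date be refreshed at least yearly.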
This scan checks publicly observable security configuration. It does not test for application-level vulnerabilities, perform penetration testing, or access any private data. Results are informational only.