This scan was made by Website Security Scanner at webscanner.unofix.no
Security headers are HTTP response headers that tell the browser how to handle a websiteβs content in a secure way.
4 of 8 recommended security headers found (43% score)
| Header | Status | Value | Description |
|---|---|---|---|
X-Frame-Options |
β | SAMEORIGIN | Protects against clickjacking attacks. Hackers can load your page in an invisible iframe and trick users into clicking buttons they cannot see (e.g. "Transfer money"). Value: SAMEORIGIN. Assessment: Good. |
X-Content-Type-Options |
β | nosniff | Prevents MIME-sniffing. A malicious file pretending to be an image can be executed as JavaScript and steal user data. Value: nosniff. Assessment: Good. |
Strict-Transport-Security |
β | max-age=16070400; includeSubDomains | Enforces HTTPS usage (HSTS). Without HTTPS, attackers on the same WiFi network can intercept all communication and steal passwords in plain text. Value: max-age=16070400; includeSubDomains. Assessment: Good. |
Content-Security-Policy |
β | script-src 'self' 'unsafe-inline' 'unsafe-eval' www.gstatic.com www.google.com *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com connect.facebook.net cdnjs.cloudflare.com; frame-src 'self' www.gstatic.com www.google.com *.youtube.com *.facebook.com s-static.ak.facebook.com; object-src 'self' | Controls which resources can be loaded. Malicious scripts from third parties can run on your page and steal user data or spread malware. Value: script-src 'self' 'unsafe-inline' 'unsafe-eval' www.gstatic.com www.google.com *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com connect.facebook.net cdnjs.cloudflare.com; frame-src 'self' www.gstatic.com www.google.com *.youtube.com *.facebook.com s-static.ak.facebook.com; object-src 'self'. Assessment: Unsafe. Notes: script-src contains unsafe-eval (high risk). script-src contains unsafe-inline (weakens XSS protection). |
Referrer-Policy |
β | Not set | Controls what referrer information is sent. Sensitive URLs (e.g. /reset-password?token=abc123) can leak to third parties via analytics or ads. Status: Not set. |
Permissions-Policy |
β | Not set | Controls access to browser features (camera, microphone, GPS). Malicious code or third-party scripts can secretly activate camera/microphone and spy on the user. Status: Not set. |
Cross-Origin-Opener-Policy |
β | Not set | Isolates your window from cross-origin windows. A malicious popup window can read data from your page via window.opener and steal sensitive information. Status: Not set. |
Cross-Origin-Resource-Policy |
β | Not set | Controls who can load your resources. Other websites can steal bandwidth by hotlinking to your images, or read pixel data from cross-origin images. Status: Not set. |
No exposed files or directories found. Checked 49 file locations and 6 directories.
Valid SSL certificate from trusted Certificate Authority. Certificate expires in 294 days.
| Status | β Valid |
|---|---|
| Issued To | *.hu-go.hu |
| Issued By | e-Szigno SSL CA 2014 |
| Valid Until | 2026-11-29 11:21:13 |
| Days Until Expiry | 294 days |
2 of 2 cookie(s) have CRITICAL security issues (25% score) - Immediate action required!
| Cookie Name | Security Flags | Score | Risk | Issues |
|---|---|---|---|---|
CAKEPHP2quf...e330 |
β Secureπ‘οΈ HttpOnlyβ SameSite |
45% | π΄ HIGH |
|
CAKEPHPosrb...so90 |
β Secureπ‘οΈ HttpOnlyβ SameSite |
45% | π΄ HIGH |
|
1 server information header(s) disclosed. Consider hiding these to reduce attack surface.
| Header | Status | Value | Risk |
|---|---|---|---|
Server |
β Exposed | nginx | Server software disclosed (nginx) but no version number. Consider hiding this header completely. |
X-Powered-By |
β Hidden | Not present | Header not present (good - no information disclosure) |
X-AspNet-Version |
β Hidden | Not present | Header not present (good - no information disclosure) |
X-AspNetMvc-Version |
β Hidden | Not present | Header not present (good - no information disclosure) |
X-Generator |
β Hidden | Not present | Header not present (good - no information disclosure) |