This is a real scan of our own website — auditstack.net. Your report will look exactly like this, written in plain English.
This is a real scan — not a mockup
Everything below came from scanning auditstack.net. Your report will show results for your domain, in the same easy-to-read format.
Confused by anything? We help for free
Every scan includes free 1-to-1 support. Just reply to your results email and we'll walk you through it.
Your site has some weaknesses
We found 7 issues to fix and 3 things that look good.
Your site doesn't have rules about what content is allowed to load. This makes it easier for attackers to inject malicious scripts that could steal visitor data.
How to fix: Add a Content-Security-Policy header. Start with a report-only policy to avoid breaking things, then tighten it once you know what your site needs.
Your site doesn't tell browsers to always use a secure connection. Without this, someone on the same Wi-Fi could intercept what your visitors see.
How to fix: Add the header: Strict-Transport-Security: max-age=31536000; includeSubDomains. This tells browsers to always use HTTPS for the next year.
A cookie on your site can be sent over an unencrypted connection. It's like sending a postcard instead of a sealed letter — anyone in between can read it.
How to fix: Add the Secure flag to this cookie. This ensures it's only sent over HTTPS connections.
A cookie on your site doesn't have protections against cross-site attacks. Other websites could trick your visitors' browsers into making requests on their behalf.
How to fix: Add SameSite=Lax (or Strict) to this cookie. Lax is a good default that blocks most cross-site attacks without breaking normal navigation.
Your site doesn't prevent browsers from guessing file types. An attacker could trick the browser into treating a harmless-looking file as a dangerous script.
How to fix: Add the header: X-Content-Type-Options: nosniff. It's a one-line change in your server config and has no downsides.
Your domain doesn't have a DMARC record. Without it, someone could send fake emails pretending to be from your business.
How to fix: Add a DMARC DNS record. Start with p=none to monitor, then tighten to p=quarantine once you're confident.
Your email authentication is set to 'soft fail' mode — suspicious emails get flagged but still delivered. Tightening this would better protect against spoofing.
How to fix: Change ~all to -all in your SPF record. This tells email providers to reject emails from unauthorised senders.
Your site reveals what software and version your server runs. Attackers can look up known weaknesses for that exact version.
How to fix: Hide the Server header or remove the version number in your server config.
Your security certificate is valid and up to date. Visitors can connect safely.
We identified the technologies your site uses. Not a problem — just useful to know.
Get your own report in minutes. No account needed — just enter your domain and we'll show you exactly what needs fixing.