Category hub

Security

HTTPS, security headers, mixed content, and access controls.

16 issuesbelow — sorted by severity, with the critical and high-severity ones first because they're what you should fix this week. Each entry links to a single page with the symptom, the root cause, the actual code or config change to ship, and a free scan that checks if the issue applies to your site right now.

critical1 issue

Pages Served Over HTTP (Not HTTPS)

Pages delivered over plain HTTP expose user data, reduce trust, and receive a Google ranking penalty.

#https#security#ssl

→

high5 issues

Cookies Missing Secure or HttpOnly Flags

Some cookies lack Secure or HttpOnly flags, exposing them to interception or JavaScript access.

#cookies#session-security#xss#csrf

→

HTTPS Pages Reference HTTP Resources (Mixed Content)

HTTPS pages that load resources (like images, scripts, or stylesheets) over HTTP create mixed content. This undermines security, can break page functionality, a

#mixed-content#https#security

→

Missing Recommended Security Headers

Missing recommended HTTP security headers leaves your site vulnerable to a range of attacks, including clickjacking, MIME-sniffing, and cross-site scripting (XS

#headers#hardening#security-baseline#csp

→

Potentially Sensitive Paths Are Accessible

Sensitive URLs such as admin panels, configuration files, or backup directories are accessible to the public and return HTTP 200, indicating they are not proper

#sensitive-paths#access-control#security

→

Weak Content Security Policy (unsafe-inline/unsafe-eval)

Your Content Security Policy allows unsafe-inline or unsafe-eval, exposing your site to XSS attacks and negating CSP protection.

#csp#xss#headers#security

→

medium7 issues

Cross-Origin `<iframe>` Without `sandbox` Attribute

Cross-origin iframes without a sandbox attribute can expose your site to security risks and supply-chain attacks.

#security#iframe#sandbox#third-party

→

External Links with target="_blank" Missing rel="noopener"

External links with target="_blank" must include rel="noopener noreferrer" to prevent security risks like tabnapping.

#tabnapping#noopener#external-links#security

→

HSTS max-age Too Short

Strict-Transport-Security max-age is set below 1 year, reducing HTTPS security and HSTS preload eligibility.

#hsts#https#headers#hardening

→

Server Header Exposes Software Version

Server response headers reveal software version, increasing security risk through information disclosure.

#information-disclosure#server-header#fingerprinting

→

SSL Certificate Expires in 49 Days

Your website's SSL certificate is set to expire in 49 days. Timely renewal is essential to prevent browsers from displaying security warnings, which can deter u

#ssl#https#certificate

→

SSL Certificate Expires in 53 Days

Your website's SSL certificate will expire in 53 days. You must renew it to maintain secure HTTPS connections and avoid browser security warnings.

#ssl#https#certificate

→

SSL Certificate Expires in 59 Days

Your website's SSL certificate will expire in 59 days. Take action now to renew it and avoid security warnings, loss of user trust, and SEO penalties.

#ssl#https#certificate

→

low3 issues

Cross-Origin Scripts Missing Subresource Integrity (SRI)

One or more external scripts are loaded without a Subresource Integrity (SRI) hash, exposing users to supply-chain attacks.

#security#sri#supply-chain#cdn

→

Missing Permissions-Policy Header

The Permissions-Policy HTTP header is missing, allowing unrestricted access to sensitive browser APIs.

#permissions-policy#headers#hardening

→

X-Powered-By Header Exposes Technology Stack

The X-Powered-By HTTP header reveals backend technology, increasing risk of targeted attacks.

#information-disclosure#x-powered-by#fingerprinting

→

Other categories

Performance Technical SEO On-Page SEO Crawl & Links Best Practices