Website Security & TLS Audit

Report ID: CS-20260617-A8A86456
Report date: 2026-06-17
Target: clovitek.com
Standards referenced: OWASP Top 10, Mozilla Observatory header model, CVSS v3.1, CIS / NIST hardening guidance
Scope: Primary host, automated remote evaluation (no authenticated or internal access)
Methodology: Remote probes of TLS, HTTP security headers, public exposure, reputation and performance. Automated remote scanning can verify only externally observable signals; controls that require manual review are marked Not Tested rather than assumed to pass.
Prepared by: CloviScan, automated audit engine

This is an automated security audit, not a penetration test or compliance certification. Findings reflect signals observable from outside the target at scan time. Absence of a finding is not proof of security.

🔐 AI Security Verdict & Prioritized Next Steps: At risk

Score 66/100: the site is at risk. 1 critical/high finding should be addressed immediately.

Top 3 fixes by severity
1. Strict-Transport-Security header not set: send the header on every HTTPS response so browsers stop following plaintext http:// links to this host.
2. Content-Security-Policy header not set: publish a policy whose script-src is nonce- or hash-based (no 'unsafe-inline'), deployed first in report-only mode.
3. HTTP-alt port 8080 is internet-reachable: identify what answers on 8080 (CDN edge proxy or an origin application) and close or filter it unless it is a deliberately public service.

Rankings are derived from the scan findings; no LLM is in this path. Fix labels reflect the provenance of each remediation source.


SECTION 2 · EXECUTIVE SUMMARY
Score: 66 / 100 · At risk · Grade C
Findings by severity: 1 High · 3 Medium · 6 Low (10 findings)

Automated scanning surfaced 10 findings, including 1 of critical/high severity that should be addressed first.

Controls tested: 17 / 21
Critical + High: 1
Certificate days left: 87
Reputation: 🟢 Clean
How this score was computed

Weighted 0–100 across: TLS certificate (25) · certificate validity (10) · HTTP security headers (30, weighted over HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) · public exposure probes (20) · reputation (20) · performance (15). These weights sum to 120, so the raw weighted total is scaled to the 0–100 score shown. Controls marked Not Tested are never counted as passing.
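The header category above can be reproduced offline from a captured response. The following is an added example written for this page, not CloviScan's scanner code. It assumes the six headers carry 5 points each (the report states only the 30-point category total), and it is stricter than the report's presence-only probe: weak values (a short HSTS max-age, 'unsafe-inline' in script-src without a nonce or hash, the obsolete ALLOW-FROM, an unsafe Referrer-Policy) also fail. Both sample responses are constructed: one mirrors this report (only X-Content-Type-Options set), the other is a hardened set with a placeholder CSP nonce.

```python
# Six-header security-header check with assumed per-header weights.
# Added example for this page; not CloviScan's code.
import re

SIX_MONTHS = 15_552_000  # seconds; Mozilla Observatory's HSTS max-age threshold

# Assumed weighting: 6 headers x 5 points = the report's 30-point header category.
WEIGHTS = {
    "strict-transport-security": 5,
    "content-security-policy": 5,
    "x-frame-options": 5,
    "x-content-type-options": 5,
    "referrer-policy": 5,
    "permissions-policy": 5,
}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def check_hsts(value):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return False, "no max-age directive"
    age = int(m.group(1))
    if age < SIX_MONTHS:
        return False, f"max-age={age} is below six months"
    return True, "ok"


def check_csp(value):
    # Browsers ignore 'unsafe-inline' when a nonce or hash is present, so it is
    # only a weakness when neither accompanies it.
    low = value.lower()
    if "'unsafe-inline'" in low and "'nonce-" not in low and "'sha" not in low:
        return False, "'unsafe-inline' without nonce or hash"
    return True, "ok"


def check_xfo(value):
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return True, "ok"
    return False, f"unsupported value {value!r} (ALLOW-FROM is obsolete)"


def check_xcto(value):
    if value.strip().lower() == "nosniff":
        return True, "ok"
    return False, f"expected nosniff, got {value!r}"


def check_referrer(value):
    # A comma-separated value is a fallback chain; browsers apply the last
    # token they recognise, so that is the one to judge.
    policy = value.split(",")[-1].strip().lower()
    if policy in SAFE_REFERRER:
        return True, "ok"
    return False, f"{policy!r} can leak full URLs cross-origin"


def check_permissions(value):
    return (True, "ok") if value.strip() else (False, "empty policy")


CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_xfo,
    "x-content-type-options": check_xcto,
    "referrer-policy": check_referrer,
    "permissions-policy": check_permissions,
}


def evaluate_headers(headers):
    """Map each of the six header names to (passed, reason); names are matched
    case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    results = {}
    for name, check in CHECKS.items():
        value = lowered.get(name)
        results[name] = (False, "header not set") if value is None else check(value)
    return results


def header_score(headers):
    """Points earned out of the assumed 30-point header category."""
    return sum(WEIGHTS[n] for n, (ok, _) in evaluate_headers(headers).items() if ok)


# Constructed response mirroring this report: only X-Content-Type-Options is set.
SCANNED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}

# Constructed hardened response; the CSP nonce is a placeholder value.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
                                "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

if __name__ == "__main__":
    for label, resp in (("scanned", SCANNED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {header_score(resp)}/30")
        for name, (ok, why) in evaluate_headers(resp).items():
            print(f"  {'PASS' if ok else 'FAIL'} {name}: {why}")
```

header_score(SCANNED_RESPONSE) returns 5 and header_score(HARDENED_RESPONSE) returns 30; evaluate_headers gives the per-header reason. When capturing real headers, use a GET rather than a HEAD so the comparison reflects what browsers receive, since some servers answer HEAD with a different header set.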

Category Ratings
TLS: A · Headers: F · DNS/Email: B · Reputation: A · Overall: B

[Chart: Security posture by domain. Five-axis view of relative strength across TLS, Headers, Exposure, Reputation and Performance; larger area is better. Axes derive from the per-check results below.]
SECTION 3 · SECURITY CONTROLS MATRIX
10 Pass · 7 Fail · 4 Not Tested

Controls marked Not Tested were not exercised by this automated remote scan and are shown for transparency — they are never counted as passing or failing.

TLS/Cert

Control | Status | Severity | OWASP | Source
Valid TLS certificate | Pass | - | A02 Cryptographic Failures | via TLS probe; issuer Google Trust Services, expires 2026-09-12
Certificate long-term validity | Pass | - | A02 Cryptographic Failures | via cert expiry check; 87 days remaining
Cipher suite & TLS version grade | Pass | - | A02 Cryptographic Failures | via handshake; TLSv1.3 / TLS_AES_256_GCM_SHA384

Headers

Control | Status | Severity | OWASP | Source
Strict-Transport-Security | Fail | High | A05 Security Misconfiguration | via header probe
Content-Security-Policy | Fail | Medium | A05 Security Misconfiguration | via header probe
X-Content-Type-Options | Pass | - | A05 Security Misconfiguration | via header probe
X-Frame-Options | Fail | Medium | A05 Security Misconfiguration | via header probe
Referrer-Policy | Fail | Low | A01 Broken Access Control | via header probe
Permissions-Policy | Fail | Low | A05 Security Misconfiguration | via header probe
Cookie flags (HttpOnly / Secure / SameSite) | Not Tested | - | A05 Security Misconfiguration | requires deeper / manual review
CORS policy (ACAO with credentials) | Not Tested | - | A05 Security Misconfiguration | requires deeper / manual review

Exposure

Control | Status | Severity | OWASP | Source
Public file/path exposure | Fail | Medium | A05 Security Misconfiguration | via 8 exposure probes
Mixed-content (HTTP subresources on HTTPS) | Pass | - | A02 Cryptographic Failures | via homepage HTML parse; none found
Dependency CVE / outdated component scan | Pass | - | A06 Vulnerable & Outdated Components | via banner fingerprint; 0 components identified (no version banners were visible, so this is absence of evidence rather than a verified patch level)

Reputation

Control | Status | Severity | OWASP | Source
Malware / reputation | Pass | - | A08 Software & Data Integrity Failures | via safe-browsing lookup
DNS blocklist (DNSBL) reputation | Pass | - | A08 Software & Data Integrity Failures | via DNSBL; clean on 3 lists
Sucuri blacklist check | Not Tested | - | A08 Software & Data Integrity Failures | Sucuri data not available
Malware signature scan (Sucuri) | Not Tested | - | A08 Software & Data Integrity Failures | Sucuri data not available

DNS

Control | Status | Severity | OWASP | Source
DNS records present | Pass | Info | - | A:2 MX:1 SPF:yes
DMARC / DKIM email-auth grading | Pass | - | A07 Identification & Authentication Failures | SPF:yes DMARC:yes DKIM:hint

Network

Control | Status | Severity | OWASP | Source
Open-port surface (common ports) | Fail | Medium | A05 Security Misconfiguration | external-vantage TCP probe to 172.67.132.164; 3/14 open
SECTION 4 · COMPLIANCE & EXPOSURE OVERVIEW
Overall exposure risk: High

This mapping is for reference only and is not a certification of compliance with any framework.

SECTION 4b · DOMAIN INTELLIGENCE

Registration, DNS posture, email-authentication and network-surface intelligence gathered via standard remote lookups (WHOIS, DNS, TCP connect probe). External-safe — no intrusive scanning.

Registration (WHOIS)

DNS & email authentication

DNSBL reputation: IP 172.67.132.164 — clean on 3 blocklists.

Open-port surface (3/14 common web ports reachable)

Port | Service | Risk | Note
80 | HTTP | INFO | Plain HTTP open (expected if it redirects to HTTPS).
443 | HTTPS | INFO | HTTPS open (expected).
8080 | HTTP-alt | MEDIUM | Port 8080 open to the internet; often exposes an admin panel or internal app server and should not be publicly reachable. Caveat: 172.67.132.164 falls inside Cloudflare's published 172.64.0.0/13 range, and Cloudflare's reverse proxy accepts HTTP on 8080 for proxied hostnames by default, so a successful TCP connect here may reach only the CDN edge. Verify what responds before treating it as an origin exposure.

TLS handshake: TLSv1.3 · cipher TLS_AES_256_GCM_SHA384 · 256-bit AES session key.

SECTION 5 · SEVERITY-PRIORITIZED REMEDIATION PLAN

Fixing the top 3 issue(s) resolves the highest-severity exposure detected. Items are ordered Critical → Info.

1. Strict-Transport-Security header not set

Severity: High (CVSS 7.0–8.9) · A05 Security Misconfiguration · CWE-319
Status: Detected
Where / evidence: HEAD response for the target omitted the Strict-Transport-Security response header.
Impact: Without HSTS the browser follows any http:// link or typed hostname to this site over plaintext, and an on-path attacker can intercept that request before the redirect to HTTPS (SSL stripping). HSTS closes that window on repeat visits; the very first visit is protected only if the domain is on the browser preload list.
How to fix: Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response, after confirming that every subdomain serves valid HTTPS (includeSubDomains breaks any that do not). Keep the HTTP-to-HTTPS redirect in place. See the linked OWASP / MDN guidance for this control (a curated, source-cited remediation is attached automatically when available).
2. Content-Security-Policy header not set

Severity: Medium (CVSS 4.0–6.9) · A05 Security Misconfiguration · CWE-1021
Status: Detected
Where / evidence: HEAD response for the target omitted the Content-Security-Policy response header.
Impact: No CSP means injected scripts (XSS) run without a defence-in-depth backstop. Caveat: a HEAD probe sees only response headers, so a policy delivered in a <meta http-equiv="Content-Security-Policy"> tag would not be detected; the header form is still preferable because frame-ancestors, sandbox and report-uri cannot be set from the meta tag.
How to fix: Deploy the policy first as Content-Security-Policy-Report-Only to collect violations, then enforce it. Base script-src on nonces or hashes rather than 'unsafe-inline', and include object-src 'none', base-uri 'self' and frame-ancestors. See the linked OWASP / MDN guidance for this control.
3. HTTP-alt port 8080 is internet-reachable

Severity: Medium (CVSS 4.0–6.9) · A05 Security Misconfiguration · CWE-668
Status: Detected
Where / evidence: TCP connect to public IP 172.67.132.164:8080 succeeded from an external vantage; HTTP-alt is reachable from the internet.
Impact: Port 8080 open to the internet often exposes an admin panel or internal app server and should not be publicly reachable. Caveat: 172.67.132.164 falls inside Cloudflare's published 172.64.0.0/13 range, and Cloudflare's reverse proxy accepts HTTP on 8080 for proxied hostnames by default, so the TCP connect may have reached only the CDN edge rather than an origin listener.
How to fix: First identify what answers: request http://clovitek.com:8080/ and compare the response with port 80. If it is the edge proxy, add an edge firewall/WAF rule that rejects requests on ports other than 80 and 443. If an origin service listens on 8080, bind it to localhost or restrict it with a host firewall; in either case confirm that the origin IP accepts web traffic only from the CDN's address ranges. See the linked OWASP / MDN guidance for this control.
4. X-Frame-Options header not set

Severity: Medium (CVSS 4.0–6.9) · A05 Security Misconfiguration · CWE-1021
Status: Detected
Where / evidence: HEAD response for the target omitted the X-Frame-Options response header.
Impact: The page can be framed by a malicious site for clickjacking.
How to fix: Send X-Frame-Options: DENY (or SAMEORIGIN if the site frames its own pages). Because a CSP frame-ancestors directive takes precedence in browsers that support it, also set frame-ancestors 'none' (or 'self') in the Content-Security-Policy. See the linked OWASP / MDN guidance for this control.
5. dns_dmarc_duplicate (multiple DMARC records)

Severity: Low (CVSS 0.1–3.9) · A05 Security Misconfiguration · CWE-200
Status: Detected
Where / evidence: Multiple DMARC records found for _dmarc.clovitek.com; RFC 7489 requires exactly one, so policy enforcement is unpredictable.
Impact: RFC 7489 §6.6.3 instructs receivers to abort DMARC policy discovery when more than one record is returned, so the domain is effectively treated as having no DMARC policy at all.
How to fix: Publish exactly one TXT record at _dmarc.clovitek.com and delete the extra one at the DNS provider (a second record is often added by a mail or security vendor's setup wizard). See the linked OWASP / MDN guidance for this control.
6. dns_dmarc_weak (DMARC policy p=none)

Severity: Low (CVSS 0.1–3.9) · A05 Security Misconfiguration · CWE-200
Status: Detected
Where / evidence: DMARC policy is p=none; spoofed mail is monitored but not rejected. Upgrade to p=quarantine or p=reject to block spoofed mail.
Impact: Messages that fail DMARC alignment are still delivered; the only effect of the policy is that aggregate reports are generated, so the domain remains spoofable.
How to fix: Review the aggregate (rua) reports until every legitimate sending source passes SPF or DKIM alignment, then move to p=quarantine and finally p=reject, using pct= to stage the rollout if needed. See the linked OWASP / MDN guidance for this control.
7. dns_no_dnssec (zone not DNSSEC-signed)

Severity: Low (CVSS 0.1–3.9) · A05 Security Misconfiguration · CWE-200
Status: Detected
Where / evidence: No DNSSEC DS record found for clovitek.com; DNS responses for the zone may be tampered with.
Impact: Validating resolvers cannot detect forged answers for the zone, including the A, MX and TXT records that carry the SPF and DMARC policies above.
How to fix: Enable DNSSEC signing at the DNS host and publish the resulting DS record at the registrar; confirm with a DS query to the parent zone and a validating resolver returning the AD flag for the apex. Rotate keys only with the DS record updated in step, since a mismatch makes the whole domain unresolvable for validating resolvers. See the linked OWASP / MDN guidance for this control.
8. dns_spf_softfail (SPF ends in ~all)

Severity: Low (CVSS 0.1–3.9) · A05 Security Misconfiguration · CWE-200
Status: Detected
Where / evidence: SPF record uses ~all (softfail); mail from unauthorized senders is accepted but tagged. Use -all (hardfail) to reject spoofed mail outright.
Impact: Receivers that act on SPF alone usually deliver softfail messages (possibly marked), so SPF by itself does not stop spoofing. Under DMARC the distinction matters less: softfail is not an SPF pass, so such mail already fails DMARC alignment once an enforcing policy is in place.
How to fix: Confirm every legitimate sending source is listed (and that the record stays within the 10 DNS-lookup limit), then change ~all to -all. See the linked OWASP / MDN guidance for this control.
9. Permissions-Policy header not set

Severity: Low (CVSS 0.1–3.9) · A05 Security Misconfiguration · CWE-693
Status: Detected
Where / evidence: HEAD response for the target omitted the Permissions-Policy response header.
Impact: Powerful browser features (camera, microphone, geolocation, payment and others) are not explicitly restricted for the page or for embedded third-party frames.
How to fix: Send a Permissions-Policy that disables the features the site does not use, for example Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(). See the linked OWASP / MDN guidance for this control.
10. Referrer-Policy header not set

Severity: Low (CVSS 0.1–3.9) · A01 Broken Access Control · CWE-200
Status: Detected
Where / evidence: HEAD response for the target omitted the Referrer-Policy response header.
Impact: Full referrer URLs may leak to third parties. Caveat: current browsers default to strict-origin-when-cross-origin when no header is sent, so the practical leak is confined to older browsers and to any markup that sets a looser policy per element; an explicit header removes the dependence on browser defaults.
How to fix: Send Referrer-Policy: strict-origin-when-cross-origin, or no-referrer / same-origin where URL paths themselves are sensitive (tokens, account identifiers). See the linked OWASP / MDN guidance for this control.
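Findings 5 to 8 all come from parsing three record sets: the TXT records at _dmarc.clovitek.com, the apex TXT records holding SPF, and the DS records at the parent zone. The following added example (written for this page, not CloviScan's own code) re-creates those four checks over constructed records that match what the report describes. The mailbox, include target and DS digest are placeholders, not the domain's real records, and the finding ids beyond the four on this page (dns_dmarc_missing, dns_dmarc_invalid, dns_spf_missing, dns_spf_duplicate, dns_spf_no_all, dns_spf_permissive) are hypothetical extensions. Real records would be fetched with a resolver library such as dnspython, with the DS query answered by the parent zone or a validating resolver.

```python
# Offline re-creation of the DMARC / SPF / DNSSEC findings above.
# Added example for this page; not CloviScan's code. Record values are constructed.


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records):
    findings = set()
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"dns_dmarc_missing"}            # hypothetical id, not in the report
    if len(dmarc) > 1:
        # RFC 7489 s6.6.3: receivers abort policy discovery on more than one
        # record, so the domain is effectively treated as having no DMARC.
        findings.add("dns_dmarc_duplicate")
    for record in dmarc:                        # evaluate every record, as the report did
        policy = parse_tags(record).get("p", "").lower()
        if policy == "none":
            findings.add("dns_dmarc_weak")
        elif policy not in ("quarantine", "reject"):
            findings.add("dns_dmarc_invalid")   # hypothetical id
    return findings


def check_spf(txt_records):
    findings = set()
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return {"dns_spf_missing"}              # hypothetical id
    if len(spf) > 1:
        findings.add("dns_spf_duplicate")       # hypothetical id; RFC 7208 s3.2 makes this a permerror
    for record in spf:
        # The qualifier on the "all" mechanism decides the result for any
        # sender that matched nothing earlier in the record.
        all_terms = [t for t in record.split() if t.lower().lstrip("+-~?") == "all"]
        if not all_terms:
            findings.add("dns_spf_no_all")      # hypothetical id
            continue
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "~":
            findings.add("dns_spf_softfail")
        elif qualifier in "+?":
            findings.add("dns_spf_permissive")  # hypothetical id
    return findings


def check_dnssec(ds_records):
    """No DS at the parent means the zone is not in the chain of trust."""
    return set() if ds_records else {"dns_no_dnssec"}


def audit(zone):
    """zone: {'dmarc_txt': [...], 'apex_txt': [...], 'ds': [...]} -> sorted finding ids"""
    findings = (check_dmarc(zone["dmarc_txt"])
                | check_spf(zone["apex_txt"])
                | check_dnssec(zone["ds"]))
    return sorted(findings)


# Constructed to reproduce the report: two DMARC records with p=none,
# SPF ending in ~all, no DS record at the parent. Mailbox and include are placeholders.
SCANNED_ZONE = {
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:reports@example.test",
                  "v=DMARC1; p=none"],
    "apex_txt": ["v=spf1 include:_spf.example.test ~all"],
    "ds": [],
}

# Constructed remediated zone: one enforcing DMARC record, SPF with -all,
# and a placeholder DS record as published at the registrar.
FIXED_ZONE = {
    "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:reports@example.test; pct=100"],
    "apex_txt": ["v=spf1 include:_spf.example.test -all"],
    "ds": ["12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"],
}

if __name__ == "__main__":
    print("scanned:", audit(SCANNED_ZONE))
    print("fixed:  ", audit(FIXED_ZONE))
```

audit(SCANNED_ZONE) returns the four ids reported above and audit(FIXED_ZONE) returns an empty list. The DMARC check deliberately evaluates every record found, which is how the report arrived at both a duplicate and a p=none finding; a receiver following RFC 7489 would stop at the duplicate and apply no policy at all.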

Manual review recommended

Remote automated scanning cannot verify the following controls, listed as Not Tested in Section 3; they require authenticated or manual testing:
- Cookie flags (HttpOnly / Secure / SameSite)
- CORS policy (ACAO with credentials)
- Sucuri blacklist check
- Malware signature scan (Sucuri)


Report ID: CS-20260617-A8A86456 · Generated: 2026-06-17T17:00:58.436Z · Standards: OWASP Top 10, CVSS v3.1, Mozilla Observatory model · Prepared by: CloviScan