Website Security Audit
Sample scan report — real automated scan of a public test site. Scan your site free →
Website Security & TLS Audit
Report IDCS-20260616-4C25FA03
Report date2026-06-16
Targettestphp.vulnweb.com
Standards referencedOWASP Top 10, Mozilla Observatory header model, CVSS v3.1, CIS / NIST hardening guidance
ScopePrimary host, automated remote evaluation (no authenticated or internal access)
MethodologyRemote probes of TLS, HTTP security headers, public exposure, reputation and performance. Automated remote scanning can verify only externally observable signals; controls that require manual review are marked Not Tested rather than assumed to pass.
Prepared byCloviScan — automated audit engine

This is an automated security audit, not a penetration test or compliance certification. Findings reflect signals observable from outside the target at scan time. Absence of a finding is not proof of security.

🔐AI Security Verdict & Prioritized Next StepsAt risk

Score 40/100 — the site is at risk. 2 critical/high findings should be addressed immediately.

Top 3 fixes by severity
1.
TLS certificate expired or invalid
Investigate and remediate: TLS certificate expired or invalid.
2.
Strict-Transport-Security header not set
Investigate and remediate: Strict-Transport-Security header not set.
3.
Content-Security-Policy header not set
Investigate and remediate: Content-Security-Policy header not set.

Rankings derived from real scan findings · no LLM in this path · fix labels reflect provenance of each remediation source

SECTION 2 · EXECUTIVE SUMMARY
40/ 100At riskGrade F
1 Critical1 High2 Medium3 Low7findingsFindings by severity

Automated scanning surfaced 7 findings, including 2 of critical/high severity that should be addressed first.

11 / 19
Controls tested
2
Critical + High
0
Cert days left
How this score was computed

Weighted 0–100 across: TLS certificate (25) · certificate validity (10) · HTTP security headers (30, weighted over HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) · public exposure probes (20) · reputation (20) · performance (15). Controls marked Not Tested are never counted as passing.

CHART · SECURITY POSTURE BY DOMAIN
THERP
Five-axis view of relative strength across TLS, Headers, Exposure, Reputation and Performance. Larger area is better. Axes derive from the real per-check results below.
SECTION 3 · SECURITY CONTROLS MATRIX
3 Pass8 Fail8 Not Tested

Controls marked Not Tested were not exercised by this automated remote scan and are shown for transparency — they are never counted as passing or failing.

TLS/Cert

ControlStatusSeverityOWASPSource
Valid TLS certificateFailCriticalA02 Cryptographic Failuresvia TLS probe
Certificate long-term validityFailHighA02 Cryptographic Failuresvia cert expiry check
Cipher suite & TLS version gradeNot TestedA02 Cryptographic FailuresTLS handshake detail unavailable

Headers

ControlStatusSeverityOWASPSource
Strict-Transport-SecurityFailHighA05 Security Misconfigurationvia header probe
Content-Security-PolicyFailMediumA05 Security Misconfigurationvia header probe
X-Content-Type-OptionsFailLowA05 Security Misconfigurationvia header probe
X-Frame-OptionsFailMediumA05 Security Misconfigurationvia header probe
Referrer-PolicyFailLowA01 Broken Access Controlvia header probe
Permissions-PolicyFailLowA05 Security Misconfigurationvia header probe
Cookie flags (HttpOnly / Secure / SameSite)Not TestedA05 Security Misconfigurationrequires deeper / manual review
CORS policy (ACAO with credentials)Not TestedA05 Security Misconfigurationrequires deeper / manual review

Exposure

ControlStatusSeverityOWASPSource
Public file/path exposurePassA05 Security Misconfigurationvia 9 exposure probes
Mixed-content (HTTP subresources on HTTPS)Not TestedA02 Cryptographic Failuressite not served over HTTPS / no HTML
Dependency CVE / outdated component scanNot TestedA06 Vulnerable & Outdated Componentsno version banners observed

Reputation

ControlStatusSeverityOWASPSource
Malware / reputationPassA08 Software & Data Integrity Failuresvia safe-browsing lookup
DNS blocklist (DNSBL) reputationNot TestedA08 Software & Data Integrity Failuresunavailable

DNS

ControlStatusSeverityOWASPSource
DNS records presentPassInfoA:1 MX:0 SPF:no
DMARC / DKIM email-auth gradingNot TestedA07 Identification & Authentication Failuresemail-auth DNS lookup unavailable

Network

ControlStatusSeverityOWASPSource
Open-port surface (common ports)Not TestedA05 Security Misconfigurationport probe unavailable
SECTION 4 · COMPLIANCE & EXPOSURE OVERVIEW
Overall exposure riskHigh
Framework (reference only)Relevant findings
PCI-DSS (TLS in transit)TLS issue detected
GDPR (data-in-transit)HSTS missing — downgrade risk
OWASP ASVS V9 (Communications)2 high-priority finding(s)
CIS hardening benchmarksHeader & exposure controls evaluated above

This mapping is for reference only and is not a certification of compliance with any framework.

SECTION 5 · SEVERITY-PRIORITIZED REMEDIATION PLAN

Fixing the top 3 issue(s) resolves the highest-severity exposure detected. Items are ordered Critical → Info.

1

TLS certificate expired or invalid

Critical9.0–10.0 · A02 Cryptographic Failures · CWE-298
Detected
Where / evidence: TLS probe to :443 — TLS connection timeout
Impact: Browsers warn or refuse the connection; traffic confidentiality cannot be assured.
How to fix: See the linked OWASP / MDN guidance for this control. (A curated, source-cited remediation is attached automatically when available.)
2

Strict-Transport-Security header not set

High7.0–8.9 · A05 Security Misconfiguration · CWE-319
Detected
Where / evidence: HEAD response for the target omitted the Strict-Transport-Security response header.
Impact: Without HSTS, an attacker can downgrade the first request to plaintext (SSL-stripping MITM).
How to fix: See the linked OWASP / MDN guidance for this control. (A curated, source-cited remediation is attached automatically when available.)
3

Content-Security-Policy header not set

Medium4.0–6.9 · A05 Security Misconfiguration · CWE-1021
Detected
Where / evidence: HEAD response for the target omitted the Content-Security-Policy response header.
Impact: No CSP means injected scripts (XSS) run without a defence-in-depth backstop.
How to fix: See the linked OWASP / MDN guidance for this control. (A curated, source-cited remediation is attached automatically when available.)
4

X-Frame-Options header not set

Medium4.0–6.9 · A05 Security Misconfiguration · CWE-1021
Detected
Where / evidence: HEAD response for the target omitted the X-Frame-Options response header.
Impact: The page can be framed by a malicious site for clickjacking.
How to fix: See the linked OWASP / MDN guidance for this control. (A curated, source-cited remediation is attached automatically when available.)
5

Permissions-Policy header not set

Low0.1–3.9 · A05 Security Misconfiguration · CWE-693
Detected
Where / evidence: HEAD response for the target omitted the Permissions-Policy response header.
Impact: Powerful browser features are not explicitly restricted.
How to fix: See the linked OWASP / MDN guidance for this control. (A curated, source-cited remediation is attached automatically when available.)
6

Referrer-Policy header not set

Low0.1–3.9 · A01 Broken Access Control · CWE-200
Detected
Where / evidence: HEAD response for the target omitted the Referrer-Policy response header.
Impact: Full referrer URLs may leak to third parties.
How to fix: See the linked OWASP / MDN guidance for this control. (A curated, source-cited remediation is attached automatically when available.)
7

X-Content-Type-Options header not set

Low0.1–3.9 · A05 Security Misconfiguration · CWE-693
Detected
Where / evidence: HEAD response for the target omitted the X-Content-Type-Options response header.
Impact: MIME-sniffing can turn an uploaded file into executable script.
How to fix: See the linked OWASP / MDN guidance for this control. (A curated, source-cited remediation is attached automatically when available.)

Manual review recommended

Remote automated scanning cannot verify the following — they require authenticated or manual testing:

Export this report

Download official reportPrint with CloviPrintRe-scan testphp.vulnweb.com
Report ID CS-20260616-4C25FA03Generated 2026-06-16T07:34:47.098ZStandards: OWASP Top 10, CVSS v3.1, Mozilla Observatory modelPrepared by CloviScan