Security report for
bocongan.gov.vn
Scanned 2 hours ago
Executive Summary
PDF PROWe performed a comprehensive security analysis of bocongan.gov.vn across 5 categories. The website received an overall score of 82/100 (grade B+), with 3 critical issues, 4 warnings, and 22 passed checks.
Overall assessment: bocongan.gov.vn has a reasonable security foundation but there is clear room for improvement. Several issues were identified that could expose the website or its users to unnecessary risk. We recommend addressing the critical issues first, followed by the warnings outlined below.
Top priority fixes:
Strong areas
SSL & HTTPS
Content & CMS
Performance & SEO
Needs improvement
Security Headers
Needs work
DNS & Email Security
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Yes — your website uses encryption and has security protections in place.
Can my website be found by Google?
Yes — your website is accessible to search engines and loads at a reasonable speed.
Is my email protected against spoofing?
Not fully — attackers could send fake emails pretending to be from your domain. This is used in phishing attacks.
Is my website leaking sensitive data?
No leaks detected — configuration files and sensitive data appear to be properly protected.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
Trust & WHOIS
See domain age, registrar, expiry date, server location, and reputation checks across security databases.
Malware & Reputation
Check if your site is flagged by malware databases, blacklists, and antivirus vendors worldwide.
Advanced Security Checks
Detect open ports, exposed files, API vulnerabilities, TLS weaknesses, and subdomain takeover risks.
Privacy & GDPR
Analyze cookie consent, privacy policy presence, third-party trackers, and GDPR compliance signals.
Quality & Accessibility
Check accessibility compliance, robots.txt, branding, broken links, and carbon footprint.
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
46/100SPF record configured
SPF record found: "v=spf1 ip4:103.122.83.60 ip4:42.96.59.139 ip4:42.96.59.73 ~all".
DMARC record configured
No DMARC record found at _dmarc.bocongan.gov.vn.
Fix: Add a TXT record to _dmarc.bocongan.gov.vn: v=DMARC1; p=quarantine; rua=mailto:dmarc@bocongan.gov.vn
CAA record configured
No CAA record found. Any Certificate Authority can issue SSL certs for your domain.
Fix: Add a CAA DNS record, e.g.: 0 issue "letsencrypt.org" to restrict SSL issuance.
DKIM record configured
DKIM record found (selector "default") — outgoing emails are cryptographically signed.
MTA-STS (email transport security)
No MTA-STS record found at _mta-sts.bocongan.gov.vn. Without it, email delivery to your domain could silently fall back to unencrypted connections.
Fix: Implement MTA-STS: add a TXT record at _mta-sts.bocongan.gov.vn with value "v=STSv1; id=YYYYMMDD01" and publish a policy file at https://mta-sts.bocongan.gov.vn/.well-known/mta-sts.txt
IPv6 support
No AAAA record found. The domain is IPv4-only.
Fix: Add an AAAA record to support IPv6. Most modern hosting providers and CDNs assign IPv6 addresses automatically.
BIMI record
No BIMI record found. BIMI lets your brand logo appear in email clients that support it — a trust and branding signal for recipients.
Fix: BIMI requires DMARC with p=quarantine or p=reject. Then add a TXT record at default._bimi.bocongan.gov.vn: v=BIMI1; l=https://yourdomain.com/logo.svg
DNSSEC
DNSSEC could not be verified via this automated check (PHP DNS resolvers strip DNSSEC data). Check with your domain registrar or use dnsviz.net to verify.
SSL & HTTPS
100/100HTTPS / SSL enabled
The website is accessible over HTTPS.
SSL certificate valid
Certificate is valid and expires on 2026-12-29 (240 days left).
HTTP redirects to HTTPS
HTTP traffic is permanently (301) redirected to HTTPS.
HSTS header configured
Strict-Transport-Security header found with max-age=31536000. includeSubDomains is set.
No weak cipher suites
Server does not accept known weak cipher suites (RC4, 3DES, EXPORT, NULL).
TLS 1.0 and 1.1 disabled
Server only accepts TLS 1.2 or higher. Deprecated TLS versions are not supported.
Content & CMS
100/100No mixed content detected
No insecure HTTP resources (scripts, images, stylesheets) found in the page HTML.
CMS admin panel not publicly accessible
No publicly accessible CMS admin interface found at common paths.
CMS version not exposed
No CMS version information found in the page source.
Subresource Integrity (SRI)
No external scripts or stylesheets without Subresource Integrity hashes detected.
No open redirect
No open redirect detected via common redirect parameters.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
75/100Server version not disclosed
The Server header does not expose version information.
Content-Security-Policy
CSP header enforced: (policy is set)
X-Frame-Options
X-Frame-Options: SAMEORIGIN — protects against clickjacking.
X-Content-Type-Options
X-Content-Type-Options header is missing.
Fix: Add X-Content-Type-Options: nosniff to prevent browsers from MIME-sniffing responses.
Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Permissions-Policy header found — browser feature access is restricted.
Cookie security flags
One or more cookies are missing security flags: visid_incap_3245975 (missing: Secure, SameSite); incap_ses_1129_3245975 (missing: HttpOnly, Secure, SameSite).
Fix: Set HttpOnly (prevents JS access), Secure (HTTPS only), and SameSite=Lax or Strict on all cookies.
Cross-Origin-Opener-Policy
No Cross-Origin-Opener-Policy (COOP) header found. Note: COOP can break popup-based flows (payments, OAuth) and browser back/forward cache.
Fix: Consider adding Cross-Origin-Opener-Policy: same-origin if your site does not use cross-origin popups.
Cross-Origin-Embedder-Policy
No Cross-Origin-Embedder-Policy (COEP) header found. Note: COEP breaks external embeds (YouTube, maps, ads) that don't send CORP headers.
Fix: Consider adding Cross-Origin-Embedder-Policy: require-corp only if your site does not embed third-party content.
Performance & SEO
90/100Fast server response time (TTFB)
Time To First Byte: 1283 ms (measured from our scanner server) — acceptable but aim for under 800 ms.
Fix: Improve TTFB via server-side caching, a CDN, or optimizing database queries.
Response compression enabled
Compression is enabled (gzip) — reduces transfer size and speeds up page loads.
robots.txt present
A robots.txt file was found and is accessible.
XML sitemap present
An XML sitemap was found — helps search engines discover and index your pages.
security.txt present
No security.txt file found at /.well-known/security.txt or /security.txt.
Fix: Create a security.txt file (RFC 9116) at /.well-known/security.txt to provide security researchers with a responsible disclosure contact.
Critical issues (3)
What is this?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to give domain owners control over what happens to emails that fail authentication checks.
Why does it matter?
SPF alone is not enough — DMARC adds a policy layer that tells receiving servers what to do with suspicious emails (monitor, quarantine, or reject). It also provides reporting so you can see who is sending email as your domain.
How to fix it
Add a TXT record to your DNS: Host: _dmarc (e.g. _dmarc.yourdomain.com) Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com Start with p=none to receive reports without affecting mail delivery: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com After analysing reports for a few weeks, upgrade to: p=quarantine → suspicious mail goes to spam p=reject → suspicious mail is blocked entirely Free DMARC report analysis: dmarcian.com, postmarkapp.com/dmarc.
What is this?
X-Content-Type-Options with the value "nosniff" tells browsers not to guess (sniff) the content type of a response, but to strictly use the Content-Type header the server sends.
Why does it matter?
Without this header, a browser might interpret an uploaded text file as JavaScript if it contains script-like content — a technique attackers can exploit to run malicious code even when file uploads are allowed.
How to fix it
Add this header to all responses: X-Content-Type-Options: nosniff Nginx: add_header X-Content-Type-Options "nosniff" always; Apache: Header always set X-Content-Type-Options "nosniff" Laravel: add to middleware or in .htaccess.
What is this?
HTTP cookies can carry security flags: HttpOnly (prevents JavaScript from reading the cookie, blocking XSS-based session theft), Secure (transmits the cookie only over HTTPS, never plain HTTP), and SameSite (controls cross-site submission, blocking CSRF attacks).
Why does it matter?
Without HttpOnly, malicious scripts injected via XSS can steal session cookies. Without Secure, cookies can leak over HTTP redirects or mixed-content requests. Without SameSite, cookies are sent with cross-site requests, enabling CSRF attacks that make users perform actions without their knowledge.
How to fix it
Add all three flags when setting cookies: Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax PHP: session_set_cookie_params([ 'httponly' => true, 'secure' => true, 'samesite' => 'Lax', ]); Laravel: in config/session.php set: 'http_only' => true, 'secure' => true, 'same_site' => 'lax', Use SameSite=Lax for most sites. Use SameSite=Strict if cross-site links to your site don't need to carry the session.
Warnings (4)
What is this?
CAA (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why does it matter?
Without CAA records, any of the hundreds of trusted CAs worldwide can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent certificate for your domain, enabling MITM attacks. CAA limits this risk to your chosen CA(s).
How to fix it
Add CAA records to your DNS. Example for Let\'s Encrypt only: 0 issue "letsencrypt.org" For multiple CAs (e.g. Let\'s Encrypt + DigiCert): 0 issue "letsencrypt.org" 0 issue "digicert.com" To also allow wildcard certificates: 0 issuewild "letsencrypt.org" For email notifications on unauthorized issuance attempts: 0 iodef "mailto:security@yourdomain.com" Check current CAA records at: sslmate.com/caa
What is this?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces other mail servers to use encrypted TLS connections when delivering email to your domain. Without it, a network attacker could silently strip TLS from email in transit.
Why does it matter?
Email is delivered between servers using SMTP. By default, SMTP tries TLS but falls back to plaintext if TLS is not available — a downgrade attack. MTA-STS prevents this fallback, ensuring all email delivered to your domain is encrypted in transit.
How to fix it
Implementing MTA-STS requires two things: 1. A DNS TXT record at _mta-sts.yourdomain.com: v=STSv1; id=20240101001 2. A policy file hosted at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt Policy file content: version: STSv1 mode: enforce mx: mail.yourdomain.com max_age: 86400 Start with mode: testing to see reports before enforcing. Use mta-sts.io for a guided setup.
What is this?
Time To First Byte (TTFB) is the time between the browser sending a request and receiving the first byte of the response from the server. It reflects server processing time, not download speed.
Why does it matter?
A slow TTFB means the server takes too long to process each request — caused by slow database queries, no caching, or underpowered hosting. Google uses TTFB as a signal in Core Web Vitals. Pages with high TTFB feel slow even on fast connections.
How to fix it
Common fixes depending on the cause: 1. Enable server-side caching - WordPress: WP Super Cache, W3 Total Cache - Laravel: Response caching, OPcache - Nginx: FastCGI cache 2. Add a CDN (Content Delivery Network) - Cloudflare (free tier available) - Serves cached responses from edge servers close to the visitor 3. Optimise slow database queries - Enable query logging and identify N+1 problems - Add database indexes 4. Upgrade hosting - Shared hosting often has high TTFB under load - Consider a VPS or managed hosting like Laravel Forge + DigitalOcean Note: our measurement is taken from our server. Geographic distance adds latency — use a CDN to reduce this globally.
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/80qKuGEMnWTvbEXe">
<img src="https://webcheckapp.com/scan/80qKuGEMnWTvbEXe/badge" alt="Security score: 82/100">
</a>