Executive Summary
PDF PROWe performed a comprehensive security analysis of www.scc.com across 5 categories. The website received an overall score of 71/100 (grade B-), with 3 critical issues, 7 warnings, and 23 passed checks.
Overall assessment: www.scc.com has a reasonable security foundation but there is clear room for improvement. Several issues were identified that could expose the website or its users to unnecessary risk. We recommend addressing the critical issues first, followed by the warnings outlined below.
Top priority fixes:
Strong areas
SSL & HTTPS
Security Headers
Needs improvement
Content & CMS
Needs work
DNS & Email Security
Performance & SEO
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Yes — your website uses encryption and has security protections in place.
Can my website be found by Google?
Yes — your website is accessible to search engines and loads at a reasonable speed.
Is my email protected against spoofing?
Not fully — attackers could send fake emails pretending to be from your domain. This is used in phishing attacks.
Is my website leaking sensitive data?
No leaks detected — configuration files and sensitive data appear to be properly protected.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
Fixed
New issues
Trust & WHOIS
See domain age, registrar, expiry date, server location, and reputation checks across security databases.
Malware & Reputation
Check if your site is flagged by malware databases, blacklists, and antivirus vendors worldwide.
Advanced Security Checks
Detect open ports, exposed files, API vulnerabilities, TLS weaknesses, and subdomain takeover risks.
Privacy & GDPR
Analyze cookie consent, privacy policy presence, third-party trackers, and GDPR compliance signals.
Quality & Accessibility
Check accessibility compliance, robots.txt, branding, broken links, and carbon footprint.
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
46/100SPF record configured
No SPF record found. Anyone can send emails pretending to be from your domain.
Fix: Add a TXT record to your DNS: v=spf1 include:yourmailprovider.com ~all
DMARC record configured
DMARC record found with policy "quarantine": "v=DMARC1; p=quarantine; sp=none; pct=100; rua=mailto:dmarc@scc.com; adkim=r; aspf=s".
CAA record configured
No CAA record found. Any Certificate Authority can issue SSL certs for your domain.
Fix: Add a CAA DNS record, e.g.: 0 issue "letsencrypt.org" to restrict SSL issuance.
DKIM record configured
DKIM record found (selector "selector1") — outgoing emails are cryptographically signed.
MTA-STS (email transport security)
No MTA-STS record found at _mta-sts.scc.com. Without it, email delivery to your domain could silently fall back to unencrypted connections.
Fix: Implement MTA-STS: add a TXT record at _mta-sts.scc.com with value "v=STSv1; id=YYYYMMDD01" and publish a policy file at https://mta-sts.scc.com/.well-known/mta-sts.txt
IPv6 support
No AAAA record found. The domain is IPv4-only.
Fix: Add an AAAA record to support IPv6. Most modern hosting providers and CDNs assign IPv6 addresses automatically.
BIMI record
BIMI record found — your brand logo can appear in supporting email clients (Gmail, Apple Mail, Yahoo) next to emails from your domain.
DNSSEC
DNSSEC could not be verified via this automated check (PHP DNS resolvers strip DNSSEC data). Check with your domain registrar or use dnsviz.net to verify.
SSL & HTTPS
85/100HTTPS / SSL enabled
The website is accessible over HTTPS.
SSL certificate valid
Certificate is valid and expires on 2026-09-08 (120 days left).
HTTP redirects to HTTPS
HTTP requests are not being redirected to HTTPS.
Fix: Configure a permanent (301) redirect from HTTP to HTTPS.
HSTS header configured
Strict-Transport-Security header found with max-age=63072000. includeSubDomains is set.
No weak cipher suites
Server does not accept known weak cipher suites (RC4, 3DES, EXPORT, NULL).
TLS 1.0 and 1.1 disabled
Server only accepts TLS 1.2 or higher. Deprecated TLS versions are not supported.
Content & CMS
79/100No mixed content detected
No insecure HTTP resources (scripts, images, stylesheets) found in the page HTML.
CMS admin panel not publicly accessible
No publicly accessible CMS admin interface found at common paths.
CMS version not exposed
WordPress detected. Version "6.9.4" is exposed in the page source, which helps attackers target known vulnerabilities.
Fix: Remove the generator meta tag and strip ?ver= parameters from script/style URLs.
WordPress XML-RPC disabled
WordPress XML-RPC endpoint is not publicly accessible.
WordPress user enumeration blocked
WordPress REST API user endpoint is not publicly accessible.
Subresource Integrity (SRI)
4 of 4 external script(s)/stylesheet(s) load without an integrity= hash. If the CDN is compromised, malicious code could be silently injected into your pages.
Fix: Add integrity= and crossorigin= attributes to external <script> and <link> tags. Generate hashes at https://www.srihash.org/
No open redirect
No open redirect detected via common redirect parameters.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
80/100Server version not disclosed
The Server header does not expose version information.
Content-Security-Policy
No Content-Security-Policy header found.
Fix: Add a Content-Security-Policy header to restrict which resources the browser may load, preventing XSS attacks.
X-Frame-Options
X-Frame-Options: SAMEORIGIN — protects against clickjacking.
X-Content-Type-Options
X-Content-Type-Options: nosniff is set — prevents MIME-type sniffing.
Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Permissions-Policy header found — browser feature access is restricted.
Cookie security flags
All cookies are set with HttpOnly, Secure, and SameSite flags.
Cross-Origin-Opener-Policy
No Cross-Origin-Opener-Policy (COOP) header found. Note: COOP can break popup-based flows (payments, OAuth) and browser back/forward cache.
Fix: Consider adding Cross-Origin-Opener-Policy: same-origin if your site does not use cross-origin popups.
Cross-Origin-Embedder-Policy
No Cross-Origin-Embedder-Policy (COEP) header found. Note: COEP breaks external embeds (YouTube, maps, ads) that don't send CORP headers.
Fix: Consider adding Cross-Origin-Embedder-Policy: require-corp only if your site does not embed third-party content.
X-XSS-Protection (deprecated)
X-XSS-Protection: 1; mode=block — Note: this header is deprecated and ignored by modern browsers. Rely on CSP instead.
Performance & SEO
50/100Fast server response time (TTFB)
Time To First Byte: 44 ms (measured from our scanner server) — excellent.
Response compression enabled
Compression is enabled (br) — reduces transfer size and speeds up page loads.
robots.txt present
No robots.txt file found.
Fix: Create a robots.txt file to guide search engine crawlers and prevent indexing of sensitive paths.
XML sitemap present
No sitemap.xml found at common locations (/sitemap.xml, /sitemap_index.xml).
Fix: Create and submit an XML sitemap to Google Search Console to improve search indexing.
security.txt present
No security.txt file found at /.well-known/security.txt or /security.txt.
Fix: Create a security.txt file (RFC 9116) at /.well-known/security.txt to provide security researchers with a responsible disclosure contact.
Critical issues (3)
What is this?
Sender Policy Framework (SPF) is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain.
Why does it matter?
Without SPF, anyone can send emails that appear to come from your domain (email spoofing). This is used in phishing attacks to impersonate your business. SPF tells receiving mail servers which IPs are legitimate senders.
How to fix it
Add a TXT record to your domain\'s DNS: Host: @ (apex domain) Value: v=spf1 include:_spf.yourmailprovider.com ~all Examples: Google Workspace: v=spf1 include:_spf.google.com ~all Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all Mailchimp: v=spf1 include:servers.mcsv.net ~all Use ~all (softfail) to start, upgrade to -all (hard fail) once you're confident all sending sources are listed. Never use +all.
What is this?
An HTTP to HTTPS redirect automatically sends visitors who type http:// (or click an old link) to the secure https:// version of your site.
Why does it matter?
If HTTP is not redirected, some visitors may unknowingly browse your site without encryption. It also causes duplicate content issues for SEO since the same page exists on both http:// and https://.
How to fix it
Add a 301 redirect in your server config: Nginx: return 301 https://$host$request_uri; Apache: Redirect permanent / https://yourdomain.com/ Or in .htaccess: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
What is this?
Content Security Policy (CSP) is a browser security feature that lets you control which resources (scripts, styles, images, fonts) a page is allowed to load, and from which origins.
Why does it matter?
CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Without CSP, an attacker who injects malicious JavaScript into your page can load resources from anywhere, steal session cookies, or redirect users.
How to fix it
Add a Content-Security-Policy header. Start with a report-only policy to detect issues without breaking anything: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; Once tested, switch to enforcing: Content-Security-Policy: default-src 'self'; ... CSP policies can be complex for sites with third-party scripts. Use https://csp-evaluator.withgoogle.com/ to evaluate your policy.
Warnings (7)
What is this?
CAA (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why does it matter?
Without CAA records, any of the hundreds of trusted CAs worldwide can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent certificate for your domain, enabling MITM attacks. CAA limits this risk to your chosen CA(s).
How to fix it
Add CAA records to your DNS. Example for Let\'s Encrypt only: 0 issue "letsencrypt.org" For multiple CAs (e.g. Let\'s Encrypt + DigiCert): 0 issue "letsencrypt.org" 0 issue "digicert.com" To also allow wildcard certificates: 0 issuewild "letsencrypt.org" For email notifications on unauthorized issuance attempts: 0 iodef "mailto:security@yourdomain.com" Check current CAA records at: sslmate.com/caa
What is this?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces other mail servers to use encrypted TLS connections when delivering email to your domain. Without it, a network attacker could silently strip TLS from email in transit.
Why does it matter?
Email is delivered between servers using SMTP. By default, SMTP tries TLS but falls back to plaintext if TLS is not available — a downgrade attack. MTA-STS prevents this fallback, ensuring all email delivered to your domain is encrypted in transit.
How to fix it
Implementing MTA-STS requires two things: 1. A DNS TXT record at _mta-sts.yourdomain.com: v=STSv1; id=20240101001 2. A policy file hosted at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt Policy file content: version: STSv1 mode: enforce mx: mail.yourdomain.com max_age: 86400 Start with mode: testing to see reports before enforcing. Use mta-sts.io for a guided setup.
What is this?
The WordPress version number is visible in the HTML source — either in the generator meta tag (<meta name="generator" content="WordPress 6.2">) or in script/style URLs as ?ver=6.2.
Why does it matter?
Knowing the exact WordPress version allows attackers to look up known CVEs (Common Vulnerabilities and Exposures) for that version and target known exploits. Version disclosure is an information leak that makes targeted attacks easier.
How to fix it
Remove the generator meta tag by adding to functions.php: remove_action('wp_head', 'wp_generator'); Remove ?ver= query strings from URLs: function remove_version_strings($src) { if (strpos($src, '?ver=') !== false) { $src = remove_query_arg('ver', $src); } return $src; } add_filter('style_loader_src', 'remove_version_strings'); add_filter('script_loader_src', 'remove_version_strings'); Alternatively use a security plugin like Wordfence or iThemes Security which does this automatically.
What is this?
Subresource Integrity (SRI) is a browser security feature that lets you specify a cryptographic hash for external scripts and stylesheets. The browser refuses to execute the resource if its content does not match the hash.
Why does it matter?
If a CDN you rely on is compromised (a real and recurring attack vector), an attacker can replace your JavaScript library with malicious code that steals user data, injects cryptomining scripts, or performs other attacks. SRI prevents this by making the browser verify the file has not been altered.
How to fix it
Add integrity= and crossorigin= attributes to your external resources: <script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js" integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo=" crossorigin="anonymous" ></script> Generate hashes for any URL at: https://www.srihash.org/ For build tools, use webpack-subresource-integrity or vite-plugin-sri to add hashes automatically during builds.
What is this?
robots.txt is a plain text file at the root of your website that tells search engine crawlers which pages they are and aren't allowed to index.
Why does it matter?
Without a robots.txt, crawlers may index admin panels, staging areas, duplicate content, or other pages that should not appear in search results. A well-configured robots.txt also prevents crawl budget waste on unimportant pages.
How to fix it
Create a file at https://yourdomain.com/robots.txt with at minimum: User-agent: * Disallow: Sitemap: https://yourdomain.com/sitemap.xml To block specific paths: User-agent: * Disallow: /admin/ Disallow: /private/ Allow: / WordPress: generated automatically. Check Settings > Reading. Laravel: create public/robots.txt manually.
What is this?
An XML sitemap is a file that lists all the important URLs on your website, helping search engines discover and index your pages more efficiently.
Why does it matter?
Search engines may miss pages that are not linked from anywhere (orphan pages) or pages deep in your site structure. A sitemap ensures they are found and indexed. It also allows you to signal content priority and update frequency.
How to fix it
Create an XML sitemap at https://yourdomain.com/sitemap.xml WordPress: install Yoast SEO or use the built-in sitemap at /wp-sitemap.xml Laravel: use spatie/laravel-sitemap package Static sites: generate with a sitemap generator tool After creating your sitemap, submit it to: - Google Search Console: search.google.com/search-console - Bing Webmaster Tools: bing.com/webmasters Also reference it in your robots.txt: Sitemap: https://yourdomain.com/sitemap.xml
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/AuNvMzPK16ompnD0">
<img src="https://webcheckapp.com/scan/AuNvMzPK16ompnD0/badge" alt="Security score: 71/100">
</a>