Security report for
tresorit.com
Scanned 2 hours ago
Executive Summary
We performed a comprehensive security analysis of tresorit.com across 5 categories. The website received an overall score of 88/100 (grade A-), with 1 critical issue, 6 warnings, and 26 passed checks.
Overall assessment: tresorit.com demonstrates a strong security posture. The website follows most security best practices and is well-configured. Minor improvements are possible but no urgent issues were found. Continue monitoring regularly to maintain this level of security.
Top priority fixes:
Strong areas
DNS & Email Security
SSL & HTTPS
Content & CMS
Performance & SEO
Needs improvement
Security Headers
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Yes — your website uses encryption and has security protections in place.
Can my website be found by Google?
Yes — your website is accessible to search engines and loads at a reasonable speed.
Is my email protected against spoofing?
Yes — your domain has email authentication records (SPF/DMARC) that prevent others from sending fake emails on your behalf.
Is my website leaking sensitive data?
No leaks detected — configuration files and sensitive data appear to be properly protected.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
Trust & WHOIS
See domain age, registrar, expiry date, server location, and reputation checks across security databases.
Malware & Reputation
Check if your site is flagged by malware databases, blacklists, and antivirus vendors worldwide.
Advanced Security Checks
Detect open ports, exposed files, API vulnerabilities, TLS weaknesses, and subdomain takeover risks.
Privacy & GDPR
Analyze cookie consent, privacy policy presence, third-party trackers, and GDPR compliance signals.
Quality & Accessibility
Check accessibility compliance, robots.txt, branding, broken links, and carbon footprint.
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
100/100SPF record configured
SPF record found: "v=spf1 ip4:208.117.59.96 include:spf.protection.outlook.com include:mktomail.com include:mail.zendesk.com include:aspmx.pardot.com include:_spf.salesforce.com -all".
DMARC record configured
DMARC record found with policy "reject": "v=DMARC1; p=reject; pct=100; rua=mailto:re+f8swkyaekbg@dmarc.postmarkapp.com,mailto:dmarc@tresorit.com; ruf=mailto:dmarc@tresorit.com; aspf=r; adkim=r; fo=1".
CAA record configured
CAA record found — only authorized Certificate Authorities can issue SSL certificates for this domain.
DKIM record configured
DKIM record found (selector "selector1") — outgoing emails are cryptographically signed.
MTA-STS (email transport security)
No MTA-STS record found at _mta-sts.tresorit.com. Without it, email delivery to your domain could silently fall back to unencrypted connections.
Fix: Implement MTA-STS: add a TXT record at _mta-sts.tresorit.com with value "v=STSv1; id=YYYYMMDD01" and publish a policy file at https://mta-sts.tresorit.com/.well-known/mta-sts.txt
IPv6 support
No AAAA record found. The domain is IPv4-only.
Fix: Add an AAAA record to support IPv6. Most modern hosting providers and CDNs assign IPv6 addresses automatically.
BIMI record
No BIMI record found. BIMI lets your brand logo appear in email clients that support it — a trust and branding signal for recipients.
Fix: BIMI requires DMARC with p=quarantine or p=reject. Then add a TXT record at default._bimi.tresorit.com: v=BIMI1; l=https://yourdomain.com/logo.svg
DNSSEC
DNSSEC could not be confirmed via this check. Verify with your domain registrar.
Fix: Enable DNSSEC through your domain registrar to protect against DNS cache poisoning.
SSL & HTTPS
88/100HTTPS / SSL enabled
The website is accessible over HTTPS.
SSL certificate valid
Certificate is valid and expires on 2026-10-07 (187 days left).
HTTP redirects to HTTPS
HTTP traffic is permanently (301) redirected to HTTPS.
HSTS header configured
Strict-Transport-Security header found with max-age=31536000. includeSubDomains is set.
No weak cipher suites
Server accepts weak cipher suite(s): RC4, 3DES, EXPORT, NULL. These ciphers have known cryptographic weaknesses.
Fix: Restrict your cipher list in your server config: Nginx: ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!3DES:!RC4; Apache: SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4 Then reload your server.
TLS 1.0 and 1.1 disabled
Server only accepts TLS 1.2 or higher. Deprecated TLS versions are not supported.
Content & CMS
100/100No mixed content detected
No insecure HTTP resources (scripts, images, stylesheets) found in the page HTML.
CMS admin panel not publicly accessible
No publicly accessible CMS admin interface found at common paths.
CMS version not exposed
No CMS version information found in the page source.
Subresource Integrity (SRI)
All 6 external script(s)/stylesheet(s) include an integrity hash.
No open redirect
No open redirect detected via common redirect parameters.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
68/100Server version not disclosed
The Server header does not expose version information.
Content-Security-Policy
CSP header enforced: (policy is set)
X-Frame-Options
X-Frame-Options: SAMEORIGIN — protects against clickjacking.
X-Content-Type-Options
X-Content-Type-Options: nosniff is set — prevents MIME-type sniffing.
Referrer-Policy
Referrer-Policy: same-origin
Permissions-Policy
No Permissions-Policy header found.
Fix: Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation.
Cross-Origin-Opener-Policy
No Cross-Origin-Opener-Policy (COOP) header found.
Fix: Add Cross-Origin-Opener-Policy: same-origin to isolate your browsing context and protect against cross-origin attacks and Spectre-like vulnerabilities.
Cross-Origin-Embedder-Policy
No Cross-Origin-Embedder-Policy (COEP) header found.
Fix: Add Cross-Origin-Embedder-Policy: require-corp to enable advanced browser isolation features (required for SharedArrayBuffer and high-resolution timers).
X-XSS-Protection (deprecated)
X-XSS-Protection: 1; mode=block — Note: this header is deprecated and ignored by modern browsers. Rely on CSP instead.
CORS policy
Cross-origin access is restricted to: https://tresorit.com/
Performance & SEO
100/100Fast server response time (TTFB)
Time To First Byte: 31 ms (measured from our scanner server) — excellent.
Response compression enabled
Compression is enabled (br) — reduces transfer size and speeds up page loads.
robots.txt present
A robots.txt file was found and is accessible.
XML sitemap present
An XML sitemap was found — helps search engines discover and index your pages.
security.txt present
No security.txt file found at /.well-known/security.txt or /security.txt.
Fix: Create a security.txt file (RFC 9116) at /.well-known/security.txt to provide security researchers with a responsible disclosure contact.
Critical issues (1)
Warnings (6)
What is this?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces other mail servers to use encrypted TLS connections when delivering email to your domain. Without it, a network attacker could silently strip TLS from email in transit.
Why does it matter?
Email is delivered between servers using SMTP. By default, SMTP tries TLS but falls back to plaintext if TLS is not available — a downgrade attack. MTA-STS prevents this fallback, ensuring all email delivered to your domain is encrypted in transit.
How to fix it
Implementing MTA-STS requires two things: 1. A DNS TXT record at _mta-sts.yourdomain.com: v=STSv1; id=20240101001 2. A policy file hosted at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt Policy file content: version: STSv1 mode: enforce mx: mail.yourdomain.com max_age: 86400 Start with mode: testing to see reports before enforcing. Use mta-sts.io for a guided setup.
What is this?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and have not been tampered with.
Why does it matter?
Without DNSSEC, DNS responses can be forged (DNS cache poisoning / BGP hijacking), redirecting your visitors to a fake server without them knowing. DNSSEC ensures the DNS record they receive is the one you published.
How to fix it
DNSSEC must be enabled at both your DNS registrar and your DNS hosting provider: 1. Enable DNSSEC at your domain registrar (Namecheap, GoDaddy, TransIP, etc.) 2. Enable DNSSEC signing at your DNS host (Cloudflare enables this automatically) 3. The registrar publishes DS records pointing to your zone\'s key If you use Cloudflare: enable DNSSEC with one click in the DNS tab. Note: DNSSEC is difficult to set up incorrectly — misconfiguration can take your domain offline. Follow your registrar\'s guide carefully.
What is this?
Permissions-Policy (formerly Feature-Policy) lets you control which browser features and APIs your site is allowed to use, and whether third-party content embedded in iframes can access them.
Why does it matter?
Without this header, embedded third-party scripts or iframes could theoretically request access to the camera, microphone, geolocation, payment APIs, and more. Restricting these features reduces your attack surface.
How to fix it
Example header that disables features not needed for most sites: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; Apache: Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" Only disable features you genuinely don't use. Adding this header is a low-effort, high-value improvement.
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/QnQ0LMhN0EBnJECT">
<img src="https://webcheckapp.com/scan/QnQ0LMhN0EBnJECT/badge" alt="Security score: 88/100">
</a>