Security report for
bcnsports.nl
Scanned 1 week ago
Executive Summary
We performed a comprehensive security analysis of bcnsports.nl across 5 categories. The website received an overall score of 63/100 (grade C), with 3 critical issues, 5 warnings, and 15 passed checks.
Overall assessment: bcnsports.nl has significant security gaps that should be addressed as soon as possible. The current configuration leaves the website vulnerable to common attacks. We strongly recommend reviewing the critical issues listed in this report and implementing the recommended fixes without delay.
Top priority fixes:
Strong areas
Content & CMS
Performance & SEO
Needs improvement
SSL & HTTPS
Needs work
Security Headers
DNS & Email Security
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Not fully — your website is missing important security protections that keep visitors safe.
Can my website be found by Google?
Yes — your website is accessible to search engines and loads at a reasonable speed.
Is my email protected against spoofing?
Not fully — attackers could send fake emails pretending to be from your domain. This is used in phishing attacks.
Is my website leaking sensitive data?
No leaks detected — configuration files and sensitive data appear to be properly protected.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
Fixed
This website is probably trustworthy
Security Database Checks
Domain has been registered for 8 months (since 08 Aug 2025).
Could not retrieve Quad9 classification for this domain.
DNSFilter has not flagged this domain — no known threats detected.
Domain is not listed in the APWG phishing and malware database.
Malware & Virus Scan
CleanWhat is this?
URLhaus is a database maintained by abuse.ch that tracks URLs and domains used to distribute malware — exploit kits, ransomware droppers, banking trojans, and other malicious software. It is one of the most comprehensive active malware distribution blocklists.
Why does it matter?
A listing in URLhaus means this domain has been observed actively distributing malware to visitors. This could mean your website has been hacked and is serving malicious files, or that your domain was registered specifically for malware distribution.
How to fix it
1. Scan your website files for malware: - Use a hosting panel malware scanner (cPanel/Imunify360) - Use Wordfence (WordPress) or a server-side scanner like ClamAV - Check recently modified files: find /var/www -newer /tmp/ref -type f 2. Check access logs for suspicious uploads or requests 3. Change all passwords (FTP, hosting, CMS admin, database) 4. Request removal from URLhaus: Visit urlhaus.abuse.ch and submit a takedown request once your site is clean
What is this?
Cloudflare's Security DNS (1.1.1.2) is a public DNS resolver that automatically blocks domains known to distribute malware, ransomware, and phishing content. When a DNS query returns NXDOMAIN (domain not found) from the security resolver but the domain resolves normally on regular DNS, the domain is being blocked.
Why does it matter?
Being blocked by Cloudflare's security resolver means the domain has been identified as harmful by Cloudflare's threat intelligence. This actively protects millions of internet users from visiting the site, and indicates the domain has been reported or detected as malicious.
How to fix it
If your site is incorrectly blocked: 1. Check if your site has been hacked and clean any malware 2. Submit a false positive report to Cloudflare via their security portal 3. Check other threat databases (VirusTotal, URLhaus) for listings If the block is justified: 1. Clean all malware from your server 2. Change all credentials 3. Request removal from Cloudflare's threat database
What is this?
Spamhaus ZEN is a combined IP blocklist maintained by The Spamhaus Project, one of the most authoritative anti-spam and anti-malware organizations. ZEN combines SBL (spam sources), XBL (compromised/infected machines), and CBL (botnet command & control).
Why does it matter?
An IP listed in the SBL or XBL zones indicates the server has been identified as sending spam, hosting malware, or being infected by a botnet. This can cause legitimate emails from the server to be rejected by mail providers worldwide.
How to fix it
1. Check which Spamhaus list the IP is on: Visit check.spamhaus.org and enter your IP 2. If listed in SBL (spam source): - Find and remove the software or account sending spam - Check for compromised email accounts - Submit a removal request at spamhaus.org 3. If listed in XBL (compromised machine): - Your server may have malware or be part of a botnet - Run a full malware scan - Check for unauthorized processes: ps aux - Consider rebuilding the server if compromise is confirmed
Advanced Security Checks
Detect open ports, exposed files, API vulnerabilities, TLS weaknesses, and subdomain takeover risks.
Privacy & GDPR
Analyze cookie consent, privacy policy presence, third-party trackers, and GDPR compliance signals.
Quality & Accessibility
Check accessibility compliance, robots.txt, branding, broken links, and carbon footprint.
Detected Technologies
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
45/100SPF record configured
SPF record found: "v=spf1 include:_spf.cloud86.nl a mx ip4:45.82.191.185 ~all".
DMARC record configured
DMARC found but policy is "none" — emails are monitored but not rejected. Value: "v=DMARC1; p=none; rua=mailto:postmaster@bcnsports.nl; ruf=mailto:postmaster@bcnsports.nl; fo=1; adkim=r; aspf=r".
Fix: Upgrade your DMARC policy from p=none to p=quarantine or p=reject to actively block spoofed emails.
CAA record configured
No CAA record found. Any Certificate Authority can issue SSL certs for your domain.
Fix: Add a CAA DNS record, e.g.: 0 issue "letsencrypt.org" to restrict SSL issuance.
DNSSEC
DNSSEC could not be confirmed via this check. Verify with your domain registrar.
Fix: Enable DNSSEC through your domain registrar to protect against DNS cache poisoning.
SSL & HTTPS
60/100HTTPS / SSL enabled
The website is accessible over HTTPS.
SSL certificate valid
Certificate expires soon: 2026-04-11 (15 days left).
Fix: Renew your SSL certificate before it expires.
HTTP redirects to HTTPS
HTTP traffic is permanently (301) redirected to HTTPS.
HSTS header configured
No Strict-Transport-Security (HSTS) header found.
Fix: Add: Strict-Transport-Security: max-age=31536000; includeSubDomains
Content & CMS
100/100No mixed content detected
No insecure HTTP resources (scripts, images, stylesheets) found in the page HTML.
CMS admin panel not publicly accessible
No publicly accessible CMS admin interface found at common paths.
CMS version not exposed
No CMS version information found in the page source.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
44/100Server version not disclosed
The Server header does not expose version information.
Content-Security-Policy
No Content-Security-Policy header found.
Fix: Add a Content-Security-Policy header to restrict which resources the browser may load, preventing XSS attacks.
X-Frame-Options
X-Frame-Options: SAMEORIGIN — protects against clickjacking.
X-Content-Type-Options
X-Content-Type-Options: nosniff is set — prevents MIME-type sniffing.
Referrer-Policy
No Referrer-Policy header found.
Fix: Add Referrer-Policy: strict-origin-when-cross-origin to control how much referrer info is sent.
Permissions-Policy
No Permissions-Policy header found.
Fix: Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation.
X-XSS-Protection (deprecated)
X-XSS-Protection: 1; mode=block — Note: this header is deprecated and ignored by modern browsers. Rely on CSP instead.
Performance & SEO
100/100Fast server response time (TTFB)
Time To First Byte: 25 ms (measured from our scanner server) — excellent.
Response compression enabled
Compression is enabled (gzip) — reduces transfer size and speeds up page loads.
robots.txt present
A robots.txt file was found and is accessible.
XML sitemap present
An XML sitemap was found — helps search engines discover and index your pages.
Critical issues (3)
What is this?
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS — even if the user types http:// or clicks an http:// link. The browser enforces this locally for the duration of max-age.
Why does it matter?
Even with an HTTP redirect in place, the very first request could go over HTTP before being redirected. A network attacker could intercept that first request (SSL stripping attack). HSTS prevents this by making the browser upgrade to HTTPS before making any request.
How to fix it
Add this header to your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Only add HSTS after you are certain your entire site works over HTTPS, including all subdomains if you use includeSubDomains.
What is this?
Content Security Policy (CSP) is a browser security feature that lets you control which resources (scripts, styles, images, fonts) a page is allowed to load, and from which origins.
Why does it matter?
CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Without CSP, an attacker who injects malicious JavaScript into your page can load resources from anywhere, steal session cookies, or redirect users.
How to fix it
Add a Content-Security-Policy header. Start with a report-only policy to detect issues without breaking anything: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; Once tested, switch to enforcing: Content-Security-Policy: default-src 'self'; ... CSP policies can be complex for sites with third-party scripts. Use https://csp-evaluator.withgoogle.com/ to evaluate your policy.
What is this?
The Referrer-Policy header controls how much information about the originating page is included in the Referer header when a user navigates away from your site or when resources are loaded.
Why does it matter?
Without a Referrer-Policy, the full URL of the current page (which may include session tokens, user IDs, or sensitive paths) is sent to external sites in the Referer header. This can leak private information to third-party analytics, CDN providers, or ad networks.
How to fix it
Recommended value: Referrer-Policy: strict-origin-when-cross-origin (sends origin only for cross-origin requests, full URL for same-origin) Nginx: add_header Referrer-Policy "strict-origin-when-cross-origin" always; Apache: Header always set Referrer-Policy "strict-origin-when-cross-origin" Alternatives: no-referrer (most private), same-origin (no cross-origin referrer).
Warnings (5)
What is this?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to give domain owners control over what happens to emails that fail authentication checks.
Why does it matter?
SPF alone is not enough — DMARC adds a policy layer that tells receiving servers what to do with suspicious emails (monitor, quarantine, or reject). It also provides reporting so you can see who is sending email as your domain.
How to fix it
Add a TXT record to your DNS: Host: _dmarc (e.g. _dmarc.yourdomain.com) Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com Start with p=none to receive reports without affecting mail delivery: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com After analysing reports for a few weeks, upgrade to: p=quarantine → suspicious mail goes to spam p=reject → suspicious mail is blocked entirely Free DMARC report analysis: dmarcian.com, postmarkapp.com/dmarc.
What is this?
CAA (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why does it matter?
Without CAA records, any of the hundreds of trusted CAs worldwide can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent certificate for your domain, enabling MITM attacks. CAA limits this risk to your chosen CA(s).
How to fix it
Add CAA records to your DNS. Example for Let\'s Encrypt only: 0 issue "letsencrypt.org" For multiple CAs (e.g. Let\'s Encrypt + DigiCert): 0 issue "letsencrypt.org" 0 issue "digicert.com" To also allow wildcard certificates: 0 issuewild "letsencrypt.org" For email notifications on unauthorized issuance attempts: 0 iodef "mailto:security@yourdomain.com" Check current CAA records at: sslmate.com/caa
What is this?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and have not been tampered with.
Why does it matter?
Without DNSSEC, DNS responses can be forged (DNS cache poisoning / BGP hijacking), redirecting your visitors to a fake server without them knowing. DNSSEC ensures the DNS record they receive is the one you published.
How to fix it
DNSSEC must be enabled at both your DNS registrar and your DNS hosting provider: 1. Enable DNSSEC at your domain registrar (Namecheap, GoDaddy, TransIP, etc.) 2. Enable DNSSEC signing at your DNS host (Cloudflare enables this automatically) 3. The registrar publishes DS records pointing to your zone\'s key If you use Cloudflare: enable DNSSEC with one click in the DNS tab. Note: DNSSEC is difficult to set up incorrectly — misconfiguration can take your domain offline. Follow your registrar\'s guide carefully.
What is this?
An SSL/TLS certificate has an expiry date. Once expired, browsers show a full-page warning to visitors and refuse to connect without clicking through a security warning.
Why does it matter?
An expired certificate breaks trust immediately — visitors see a red warning screen and most will leave. Search engines may also de-index or lower the ranking of sites with certificate errors.
How to fix it
Renew your certificate before it expires. If you use Let's Encrypt, set up auto-renewal with certbot (sudo certbot renew --dry-run to test). Most hosting providers send expiry warnings by email. Set a calendar reminder at 30 and 7 days before expiry.
What is this?
Permissions-Policy (formerly Feature-Policy) lets you control which browser features and APIs your site is allowed to use, and whether third-party content embedded in iframes can access them.
Why does it matter?
Without this header, embedded third-party scripts or iframes could theoretically request access to the camera, microphone, geolocation, payment APIs, and more. Restricting these features reduces your attack surface.
How to fix it
Example header that disables features not needed for most sites: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; Apache: Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" Only disable features you genuinely don't use. Adding this header is a low-effort, high-value improvement.
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/d4wd7JG4">
<img src="https://webcheckapp.com/scan/d4wd7JG4/badge" alt="Security score: 63/100">
</a>