Security report for
alturnanetworks.nl
Scanned 2 days ago
Executive Summary
We performed a comprehensive security analysis of alturnanetworks.nl across 12 categories. The website received an overall score of 37/100 (grade F), with 15 critical issues, 23 warnings, and 29 passed checks.
Overall assessment: alturnanetworks.nl has serious security deficiencies across multiple areas. The website is at high risk of exploitation. Immediate action is required to protect the website and its users. We urge you to address the critical issues as a top priority.
Top priority fixes:
Strong areas
TLS / Cipher
Content & CMS
API Security
Exposed Files
Subdomain Takeover
Needs work
DNS & Email Security
Robots & Sitemap
Branding & Social
Performance & SEO
Security Headers
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Not fully — your website is missing important security protections that keep visitors safe.
Can my website be found by Google?
There are issues — search engines may have trouble finding or ranking your website properly.
Is my email protected against spoofing?
Not fully — attackers could send fake emails pretending to be from your domain. This is used in phishing attacks.
Is my website leaking sensitive data?
No leaks detected — configuration files and sensitive data appear to be properly protected.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
This website is probably trustworthy
Domain Registration (WHOIS)
Security Database Checks
Domain has been registered for 19.6 years (since 11 Aug 2006).
Could not retrieve Quad9 classification for this domain.
DNSFilter has not flagged this domain — no known threats detected.
Domain is not listed in the APWG phishing and malware database.
Malware & Virus Scan
CleanWhat is this?
URLhaus is a database maintained by abuse.ch that tracks URLs and domains used to distribute malware — exploit kits, ransomware droppers, banking trojans, and other malicious software. It is one of the most comprehensive active malware distribution blocklists.
Why does it matter?
A listing in URLhaus means this domain has been observed actively distributing malware to visitors. This could mean your website has been hacked and is serving malicious files, or that your domain was registered specifically for malware distribution.
How to fix it
1. Scan your website files for malware: - Use a hosting panel malware scanner (cPanel/Imunify360) - Use Wordfence (WordPress) or a server-side scanner like ClamAV - Check recently modified files: find /var/www -newer /tmp/ref -type f 2. Check access logs for suspicious uploads or requests 3. Change all passwords (FTP, hosting, CMS admin, database) 4. Request removal from URLhaus: Visit urlhaus.abuse.ch and submit a takedown request once your site is clean
What is this?
Cloudflare's Security DNS (1.1.1.2) is a public DNS resolver that automatically blocks domains known to distribute malware, ransomware, and phishing content. When a DNS query returns NXDOMAIN (domain not found) from the security resolver but the domain resolves normally on regular DNS, the domain is being blocked.
Why does it matter?
Being blocked by Cloudflare's security resolver means the domain has been identified as harmful by Cloudflare's threat intelligence. This actively protects millions of internet users from visiting the site, and indicates the domain has been reported or detected as malicious.
How to fix it
If your site is incorrectly blocked: 1. Check if your site has been hacked and clean any malware 2. Submit a false positive report to Cloudflare via their security portal 3. Check other threat databases (VirusTotal, URLhaus) for listings If the block is justified: 1. Clean all malware from your server 2. Change all credentials 3. Request removal from Cloudflare's threat database
What is this?
Spamhaus ZEN is a combined IP blocklist maintained by The Spamhaus Project, one of the most authoritative anti-spam and anti-malware organizations. ZEN combines SBL (spam sources), XBL (compromised/infected machines), and CBL (botnet command & control).
Why does it matter?
An IP listed in the SBL or XBL zones indicates the server has been identified as sending spam, hosting malware, or being infected by a botnet. This can cause legitimate emails from the server to be rejected by mail providers worldwide.
How to fix it
1. Check which Spamhaus list the IP is on: Visit check.spamhaus.org and enter your IP 2. If listed in SBL (spam source): - Find and remove the software or account sending spam - Check for compromised email accounts - Submit a removal request at spamhaus.org 3. If listed in XBL (compromised machine): - Your server may have malware or be part of a botnet - Run a full malware scan - Check for unauthorized processes: ps aux - Consider rebuilding the server if compromise is confirmed
Open Ports
No dangerous ports exposedWhat is this?
Port 21 is used by FTP (File Transfer Protocol), which lets you upload and download files to your server. FTP was designed in the early internet era before encryption existed.
Why does it matter?
FTP sends your username, password, and all transferred files in complete plaintext over the network. Anyone intercepting the connection — on the same network or via a man-in-the-middle attack — can read your credentials and every file you transfer.
How to fix it
Disable FTP and switch to SFTP (SSH File Transfer Protocol), which uses the same SSH encryption as terminal access: For FileZilla: connect using protocol SFTP and your SSH credentials. To disable pure FTP (Ubuntu): sudo systemctl stop vsftpd sudo systemctl disable vsftpd If FTP is absolutely required, use FTPS (FTP over TLS) instead of plain FTP.
What is this?
Port 22 is used by SSH (Secure Shell), the standard encrypted protocol for remote server access. It lets administrators log in to the server and run commands remotely.
Why does it matter?
SSH itself is secure, but an open SSH port is a constant target for brute-force attacks — bots continuously try thousands of username/password combinations. If password authentication is enabled, a weak password can lead to full server compromise.
How to fix it
Disable password authentication and use SSH keys only: Edit /etc/ssh/sshd_config: PasswordAuthentication no PubkeyAuthentication yes Then restart SSH: sudo systemctl restart sshd Optional: move SSH to a non-standard port (e.g. 2222) to reduce bot noise: Port 2222 Optional: use fail2ban to automatically block IPs with too many failed attempts: sudo apt install fail2ban
What is this?
Port 23 is used by Telnet, a very old remote access protocol from the 1960s. Like FTP, it was designed before encryption existed.
Why does it matter?
Telnet transmits everything — including your login credentials and every command you run — in complete plaintext. Anyone intercepting the connection sees exactly what you type. There is no situation where Telnet is preferable over SSH on a modern server.
How to fix it
Disable and remove Telnet: sudo systemctl stop telnet sudo systemctl disable telnet sudo apt remove telnetd # Ubuntu/Debian If port 23 is still open after removing Telnet, check what process is using it: sudo ss -tlnp | grep :23 Use SSH for all remote access. SSH provides the same functionality with full encryption.
What is this?
Port 3306 is the default port for MySQL (and MariaDB), the database server that stores your website's content, user accounts, orders, and all other data.
Why does it matter?
Exposing the MySQL port to the internet allows attackers to directly attempt to log in to your database using brute force or stolen credentials. If they succeed, they have full access to all your data without needing to compromise the website itself.
How to fix it
Block the port with a firewall (UFW on Ubuntu): sudo ufw deny 3306/tcp Or restrict to only your app server IP: sudo ufw allow from YOUR_APP_IP to any port 3306 Also bind MySQL to localhost in /etc/mysql/mysql.conf.d/mysqld.cnf: bind-address = 127.0.0.1 Then restart MySQL: sudo systemctl restart mysql For remote DB management, use an SSH tunnel instead: ssh -L 3306:127.0.0.1:3306 user@yourserver
What is this?
Port 5432 is the default port for PostgreSQL, an advanced open-source relational database. Like MySQL, it stores all application data.
Why does it matter?
A publicly reachable PostgreSQL port exposes the database directly to brute-force attacks. PostgreSQL also has a history of being exploited when authentication is misconfigured (e.g. trust authentication).
How to fix it
Block with UFW: sudo ufw deny 5432/tcp Bind PostgreSQL to localhost in /etc/postgresql/*/main/postgresql.conf: listen_addresses = 'localhost' Restart PostgreSQL: sudo systemctl restart postgresql For remote access, use an SSH tunnel: ssh -L 5432:127.0.0.1:5432 user@yourserver
What is this?
Port 6379 is the default port for Redis, an in-memory data store commonly used for caching, session storage, and queues. Redis has no authentication by default.
Why does it matter?
An exposed Redis instance is one of the most dangerous vulnerabilities a server can have. Attackers can read all cached data (including user sessions), write arbitrary data, use Redis's replication feature to write SSH keys to the server and gain root access, or abuse it for DDoS amplification.
How to fix it
Block with UFW immediately: sudo ufw deny 6379/tcp Bind Redis to localhost in /etc/redis/redis.conf: bind 127.0.0.1 Enable a strong password: requirepass YourStrongPasswordHere Restart Redis: sudo systemctl restart redis If Redis must be reachable from another server, use an SSH tunnel or VPN — never expose it directly.
What is this?
Port 27017 is the default port for MongoDB, a NoSQL document database. MongoDB stores data as JSON-like documents and is popular for modern web applications.
Why does it matter?
Hundreds of thousands of MongoDB databases have been wiped by automated attacks — attackers delete all data and leave a ransom note demanding Bitcoin. This happened because many MongoDB installations were publicly accessible with no authentication enabled.
How to fix it
Block with UFW: sudo ufw deny 27017/tcp Bind to localhost in /etc/mongod.conf: net: bindIp: 127.0.0.1 Enable authentication: security: authorization: enabled Restart MongoDB: sudo systemctl restart mongod
What is this?
Port 9200 is the default HTTP API port for Elasticsearch, a search and analytics engine. It provides a full REST API for querying and managing data.
Why does it matter?
Elasticsearch has no authentication by default. An exposed port gives anyone full read/write access to all indexed data via simple HTTP requests. Exposed Elasticsearch has caused massive data breaches affecting billions of records (medical data, voter records, financial data).
How to fix it
Block with UFW: sudo ufw deny 9200/tcp sudo ufw deny 9300/tcp # cluster port Bind to localhost in elasticsearch.yml: network.host: 127.0.0.1 If using Elastic Cloud or a paid licence, enable X-Pack security: xpack.security.enabled: true Restart Elasticsearch: sudo systemctl restart elasticsearch
What is this?
Port 11211 is the default port for Memcached, an in-memory caching system used to speed up web applications by storing frequently accessed data.
Why does it matter?
Memcached has no authentication. An exposed instance lets anyone read or manipulate your cache. It is also heavily abused for DDoS amplification attacks — attackers send small spoofed requests to Memcached which generates much larger responses, overwhelming the victim.
How to fix it
Block with UFW: sudo ufw deny 11211/tcp Bind to localhost when starting Memcached (in /etc/memcached.conf): -l 127.0.0.1 Restart Memcached: sudo systemctl restart memcached
What is this?
Port 25 is used by SMTP (Simple Mail Transfer Protocol), the standard protocol for sending email between mail servers. It is expected to be open on dedicated mail servers.
Why does it matter?
If this server is not a mail server, an open SMTP port may indicate an unauthorised mail relay or spam-sending software. Open relays — SMTP servers that accept and forward email from anyone — are exploited by spammers to send bulk email through your server, leading to IP blacklisting.
How to fix it
If this server does not send email: sudo ufw deny 25/tcp If this server runs a mail server (Postfix, Exim, Sendmail): 1. Verify it is not configured as an open relay: telnet localhost 25 EHLO test MAIL FROM: test@external.com RCPT TO: test@another-external.com (should be rejected) 2. Keep your MTA updated and monitor /var/log/mail.log for unusual sending patterns.
What is this?
Port 2375 is the Docker daemon's unencrypted TCP API port. When enabled, it allows remote control of all Docker containers on the server without any authentication.
Why does it matter?
Access to the Docker API without TLS is equivalent to root access to the entire server. An attacker can create a privileged container that mounts the host filesystem, read and modify any file on the server, install backdoors, exfiltrate all data, or pivot to other systems on the network. This is one of the most critical misconfigurations possible.
How to fix it
Close port 2375 immediately: sudo ufw deny 2375/tcp Do NOT expose the Docker daemon over TCP without mutual TLS. Use the Unix socket instead for local access: /var/run/docker.sock If remote Docker API access is needed, use SSH tunneling: ssh -L 2375:localhost:2375 user@server Or configure Docker with TLS client certificates (docker --tlsverify). Check if it was intentionally opened: sudo systemctl cat docker | grep -i tcp
What is this?
Port 8080 is a common alternative HTTP port, often used for development servers, admin panels, reverse proxies (Nginx/Apache behind an app server), or Java application servers like Tomcat.
Why does it matter?
An open port 8080 may expose an admin interface, development build, or staging server that was not intended to be publicly accessible. Development environments often have weaker security settings, disabled authentication, or verbose error messages that reveal internal architecture.
How to fix it
Identify what is running on port 8080: sudo ss -tlnp | grep :8080 If it is a development server or admin panel, restrict access to trusted IPs: sudo ufw allow from YOUR_IP to any port 8080 sudo ufw deny 8080/tcp If it is a legitimate proxy or app server, ensure it has authentication enabled and is not exposing internal diagnostic pages.
What is this?
Port 8443 is a common alternative HTTPS port. It is frequently used for admin panels, development environments, application servers, or services that cannot use the standard port 443.
Why does it matter?
Like port 8080, an open 8443 may expose admin interfaces or staging environments. Even with HTTPS, a self-signed certificate or misconfigured service on this port can be a security concern if it provides access to sensitive functionality without proper authentication.
How to fix it
Identify what is running on port 8443: sudo ss -tlnp | grep :8443 If it is an admin panel or dev interface, restrict to trusted IPs: sudo ufw allow from YOUR_IP to any port 8443 sudo ufw deny 8443/tcp Ensure any service on this port uses a valid SSL certificate and has proper authentication enabled.
Privacy & GDPR
What is this?
A cookie consent banner is a notice that informs visitors about cookie usage and asks for their consent before non-essential cookies (analytics, marketing, advertising) are set. Under GDPR (EU), PECR (UK), and similar laws, this consent must be freely given, specific, and informed.
Why does it matter?
The GDPR (General Data Protection Regulation) requires explicit consent before setting non-essential cookies. Violations can result in fines of up to €20 million or 4% of global annual turnover. Beyond legal requirements, it builds user trust and demonstrates transparency.
How to fix it
Use a consent management platform (CMP): Free options: - CookieYes (cookieyes.com) — free tier available - Osano (osano.com) — free for small sites - Cookie Consent by Osano (open source) Premium/advanced: - Cookiebot - OneTrust - Usercentrics For WordPress: install a GDPR consent plugin (e.g. Complianz, CookieYes plugin) Ensure your banner: - Does NOT pre-tick consent boxes - Makes 'Reject all' as easy as 'Accept all' - Lists exactly which cookies are used and why
What is this?
A privacy policy is a legal document that explains what personal data you collect from users, why you collect it, how it is used, who it is shared with, and how users can request deletion or access to their data.
Why does it matter?
A privacy policy is legally required in most jurisdictions: GDPR (EU/EEA), CCPA (California), LGPD (Brazil), PIPEDA (Canada), and more. Without one, you risk regulatory fines, loss of payment processor accounts (Stripe/PayPal require it), removal from ad platforms, and loss of user trust.
How to fix it
Create a privacy policy and link to it in your footer. Free generators: - TermsFeed (termsfeed.com) - Iubenda (iubenda.com) — free tier - GetTerms (getterms.io) Your policy must cover: 1. What data you collect (name, email, IP, cookies, etc.) 2. Why you collect it (legal basis under GDPR) 3. Who you share it with (hosting, analytics, payment processors) 4. How long you keep it 5. User rights (access, deletion, portability) 6. Contact information for a data protection officer or contact Update it whenever you add new services or change data practices.
What is this?
Tracking scripts are third-party JavaScript snippets embedded in your website that collect data about visitor behaviour — pages visited, time spent, clicks, demographics, purchases, and more. Common examples are Google Analytics, Meta Pixel (Facebook), and Hotjar.
Why does it matter?
Under GDPR, tracking scripts that process personal data (IP addresses, device fingerprints, cookies) require a legal basis — usually explicit consent. Loading tracking scripts before consent is obtained is a GDPR violation. Data Protection Authorities across Europe have issued fines specifically for this.
How to fix it
Only load tracking scripts after the user has given consent: 1. Use a tag manager (Google Tag Manager) that is controlled by your consent platform — the CMP fires the tag only after consent 2. Or use a consent-aware loading approach: if (userHasConsented()) { // load analytics script } 3. Consider privacy-friendly analytics that do not require consent: - Plausible Analytics (EU-hosted, no cookies) - Fathom Analytics - Matomo (self-hosted, can be cookie-free) 4. For Facebook Pixel specifically: only fire events after consent and enable 'Limited Data Use' mode for California users
Exposed Files
No sensitive files exposedWhat is this?
The .env file is a configuration file used by Laravel, Node.js, and many other frameworks to store environment-specific settings such as database credentials, API keys, secret tokens, and application configuration.
Why does it matter?
Exposing .env gives attackers your database password, secret keys, and API credentials in a single file. This allows immediate database access, session forgery, and abuse of third-party services billed to you. It is one of the most critical vulnerabilities a web server can have.
How to fix it
Nginx — add to your server block: location ~ /\.env { deny all; return 404; } Apache — add to .htaccess: <Files ".env"> Order allow,deny Deny from all </Files> Also rotate all credentials immediately: database password, API keys, APP_KEY, etc. Assume they are already compromised.
What is this?
The .git directory is the repository created by Git to track version history, branches, commits, and file contents. When exposed via a web server, attackers can reconstruct the entire source code by downloading the repository files.
Why does it matter?
A publicly accessible .git directory gives attackers your complete source code including every past commit — even if you deleted sensitive files, they remain in the commit history. Attackers can find hardcoded credentials, API keys, business logic, and vulnerability patterns in the code.
How to fix it
Nginx — block access to .git: location ~ /\.git { deny all; return 404; } Apache — add to .htaccess: RedirectMatch 404 /\.git Alternatively, deploy from a build artifact rather than cloning directly to the web root. The .git directory should never exist in a production web root.
What is this?
phpinfo() is a built-in PHP function that outputs a detailed page showing the PHP version, configuration directives, loaded extensions, environment variables, server paths, and build information.
Why does it matter?
The phpinfo output gives attackers a detailed map of your server: exact PHP version (for CVE targeting), enabled extensions, file paths, and environment variables (which may include credentials). This is an information disclosure vulnerability that makes all other attacks easier to tailor.
How to fix it
Delete phpinfo.php (and any similar files like info.php, test.php, i.php) from your web root immediately: rm /var/www/html/phpinfo.php Search for any others: find /var/www -name 'phpinfo.php' -o -name 'info.php' Never create diagnostic files on production servers. Use staging environments for diagnostics.
What is this?
SQL backup files (backup.sql, dump.sql, database.sql, etc.) are plain-text exports of database content produced by tools like mysqldump. When accessible via HTTP, the entire database can be downloaded.
Why does it matter?
A publicly downloadable database backup gives attackers all user data, emails, password hashes (or worse, plaintext passwords), order records, and any other data your application stores. This is a direct GDPR/privacy law violation and gives attackers everything needed to impersonate or contact your users.
How to fix it
Move backups outside the web root: mv /var/www/html/backup.sql /var/backups/ Search for other SQL files: find /var/www -name '*.sql' Store backups in a non-public location or use encrypted cloud storage (S3 with private ACL). Never store backup files in any publicly accessible directory.
What is this?
wp-config.php.bak is a backup copy of the WordPress configuration file. WordPress itself protects wp-config.php but backup files with .bak, .old, or .orig extensions are served as plain text by most web servers.
Why does it matter?
This file contains the MySQL database credentials (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST), authentication secret keys, and the database table prefix. With these credentials an attacker can access your entire WordPress database directly.
How to fix it
Delete the backup file immediately: rm /var/www/html/wp-config.php.bak Search for other wp-config variants: find /var/www -name 'wp-config*' To protect against accidental future exposure, add to .htaccess: <Files "wp-config.php"> Order deny,allow Deny from all </Files>
What is this?
.htpasswd is the file used by Apache to store usernames and hashed passwords for HTTP Basic Authentication. It normally sits above the web root or is protected by Apache configuration.
Why does it matter?
Even though passwords are hashed, exposing this file gives attackers a list of valid usernames and hashes to crack offline. Using tools like Hashcat, weak passwords (under 10 characters) can be cracked in minutes on modern hardware.
How to fix it
Apache normally protects .htpasswd files automatically via a built-in rule. If yours is accessible, your server config may have overridden this protection. Check your VirtualHost config and .htaccess for anything that might be serving the file. Add an explicit deny: <Files ".htpasswd"> Order allow,deny Deny from all </Files> Best practice: store .htpasswd above the web root entirely, not inside it.
What is this?
web.config is the IIS (Internet Information Services) configuration file, equivalent to Apache's .htaccess. It controls URL routing, authentication, custom errors, and application settings.
Why does it matter?
Exposed web.config files frequently contain database connection strings (including passwords), application secrets, custom error paths that reveal server internals, and authentication configurations. This is sensitive infrastructure information.
How to fix it
IIS should not serve web.config by default, but misconfigurations can expose it. Add a URL rewrite rule to block direct access: <rule name="Block web.config"> <match url="web\.config" /> <action type="CustomResponse" statusCode="404" /> </rule> Verify the IIS request filtering module is active and blocks config files.
What is this?
.git/config is the Git configuration file for your repository. It contains the remote repository URL, branch tracking settings, and sometimes embedded credentials.
Why does it matter?
Exposing .git/config lets attackers discover your private Git repository URL (GitHub, GitLab, Bitbucket). If credentials are embedded in the remote URL (e.g. https://username:token@github.com/...), they are directly exposed. The repository URL itself enables cloning your entire codebase.
How to fix it
Block all .git access at the web server level: Nginx: location ~ /\.git { deny all; return 404; } Apache (.htaccess): RedirectMatch 404 /\.git Or: never deploy .git directories to production servers. Use a CI/CD pipeline that only copies compiled/built files to the server, not the full git repository.
What is this?
composer.lock records the exact version of every PHP dependency installed in your project. It's created by Composer when you run `composer install`.
Why does it matter?
Exposing composer.lock gives attackers a precise inventory of every library in your application, including its exact version number. They can cross-reference this against CVE databases (cve.mitre.org, packagist advisories) to find unpatched vulnerabilities in your specific versions and craft targeted exploits.
How to fix it
Store composer.json and composer.lock above the web root: For Laravel: these files should be in the project root, with only the public/ subdirectory as the web root. Most Forge/Vapor deployments do this correctly by default. If your web root is the project root, block access: Nginx: location ~ /composer\.(json|lock) { deny all; } Apache: <FilesMatch "composer\.(json|lock)"> Deny from all </FilesMatch> Then run: composer audit To check for known vulnerabilities in your current dependencies.
What is this?
Apache's mod_status provides a /server-status page that shows real-time server statistics: active requests, client IP addresses, URLs being requested, server version, and performance metrics.
Why does it matter?
Exposing server-status leaks live visitor data (IPs, pages they're visiting), your exact Apache version, loaded modules, and server performance data. Attackers can use this to identify high-value endpoints, confirm server software, and monitor traffic patterns.
How to fix it
Restrict server-status to localhost only: <Location /server-status> Require local </Location> Or disable mod_status entirely if you don't need it: sudo a2dismod status sudo systemctl restart apache2 If you need remote monitoring access, restrict it to specific trusted IPs: Require ip 192.168.1.0/24
TLS / Cipher Strength
100/100TLS 1.3 supported
TLS 1.3 is supported — the most secure and performant TLS version.
TLS 1.2 supported
TLS 1.2 is supported — required as a minimum for modern compatibility.
TLS 1.1 disabled
TLS 1.1 is disabled — this deprecated version is correctly rejected.
TLS 1.0 disabled
TLS 1.0 is disabled — this obsolete version is correctly rejected.
Perfect Forward Secrecy (PFS)
Server supports ECDHE cipher suites — session keys are ephemeral and past sessions cannot be decrypted if the private key is ever compromised.
API Security
100/100API/docs endpoints
No publicly accessible API documentation or admin endpoints were found.
GraphQL introspection
No GraphQL endpoint detected.
WordPress user enumeration
WordPress user enumeration via REST API is not possible (or WordPress is not used).
Subdomain Takeover
Subdomain takeover
No subdomain takeover vulnerabilities detected.
Accessibility
35/100HTML lang attribute
No lang attribute found on the <html> element.
Fix: Add a lang attribute: <html lang="en"> or <html lang="nl">.
Viewport meta tag
No viewport meta tag found.
Fix: Add <meta name="viewport" content="width=device-width, initial-scale=1"> to your <head>.
Page title
No <title> tag found or title is empty.
Fix: Add a descriptive <title> tag to the <head> section.
Meta description
No meta description found.
Fix: Add <meta name="description" content="..."> to improve SEO and accessibility.
Image alt attributes
No images detected in the initial HTML.
Single H1 heading
No H1 heading found on the page.
Fix: Add a single <h1> tag that describes the main topic of the page.
Form labels
No form inputs requiring labels detected on this page.
Robots.txt & Sitemap
0/100robots.txt present
No robots.txt file found at /robots.txt.
Fix: Create a robots.txt file to guide search engine crawlers. Minimum: User-agent: * Disallow:
Sitemap referenced in robots.txt
robots.txt does not reference a sitemap.
Fix: Add a Sitemap: https://yourdomain.com/sitemap.xml line to robots.txt.
Sitemap accessible
No accessible XML sitemap found at /sitemap.xml or /sitemap_index.xml.
Fix: Create an XML sitemap and submit it to Google Search Console and Bing Webmaster Tools.
security.txt present
No security.txt found at /.well-known/security.txt.
Fix: Create a security.txt file (RFC 9116) with Contact: and Expires: fields to enable responsible vulnerability disclosure.
Branding & Social
0/100Favicon
No favicon detected.
Fix: Add a favicon.ico or <link rel="icon" href="/favicon.ico">. Use a 32×32px PNG or ICO file.
Apple Touch Icon
No Apple Touch Icon found.
Fix: Add <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"> for iOS home screen support.
Web App Manifest
No Web App Manifest found.
Fix: Add a manifest.json (or site.webmanifest) with name, icons, and theme_color for PWA support.
Open Graph title
No og:title meta tag found.
Fix: Add <meta property="og:title" content="..."> for proper social media previews on Facebook, LinkedIn, and WhatsApp.
Open Graph description
No og:description meta tag found.
Fix: Add <meta property="og:description" content="..."> for social media link previews.
Open Graph image
No og:image meta tag found.
Fix: Add <meta property="og:image" content="..."> with a 1200×630px image for social sharing previews.
Twitter/X Card
No twitter:card meta tag found.
Fix: Add <meta name="twitter:card" content="summary_large_image"> for rich link previews on X/Twitter.
Theme color
No theme-color meta tag found.
Fix: Add <meta name="theme-color" content="#yourcolor"> to brand the browser address bar on mobile.
Detected Technologies
No technologies detected from the page source and response headers.
Carbon & Sustainability
Green hosting
This website is hosted on green infrastructure (Unknown provider). The provider uses renewable energy or verified carbon offsets.
Response compression
No response compression (Gzip/Brotli) detected.
Fix: Enable Brotli or Gzip compression to reduce data transfer and energy consumption.
Broken Links
1 brokenPage fetch
Could not fetch the page to check for broken links.
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
0/100SPF record configured
No SPF record found. Anyone can send emails pretending to be from your domain.
Fix: Add a TXT record to your DNS: v=spf1 include:yourmailprovider.com ~all
DMARC record configured
No DMARC record found at _dmarc.alturnanetworks.nl.
Fix: Add a TXT record to _dmarc.alturnanetworks.nl: v=DMARC1; p=quarantine; rua=mailto:dmarc@alturnanetworks.nl
CAA record configured
No CAA record found. Any Certificate Authority can issue SSL certs for your domain.
Fix: Add a CAA DNS record, e.g.: 0 issue "letsencrypt.org" to restrict SSL issuance.
DKIM record configured
No DKIM record found for common selectors. DKIM cryptographically signs outgoing emails, making them verifiable and preventing tampering in transit.
Fix: Configure DKIM in your email provider (Google Workspace, Microsoft 365, etc.) and publish the TXT record they provide at {selector}._domainkey.alturnanetworks.nl
MTA-STS (email transport security)
No MTA-STS record found at _mta-sts.alturnanetworks.nl. Without it, email delivery to your domain could silently fall back to unencrypted connections.
Fix: Implement MTA-STS: add a TXT record at _mta-sts.alturnanetworks.nl with value "v=STSv1; id=YYYYMMDD01" and publish a policy file at https://mta-sts.alturnanetworks.nl/.well-known/mta-sts.txt
IPv6 support
No AAAA record found. The domain is IPv4-only.
Fix: Add an AAAA record to support IPv6. Most modern hosting providers and CDNs assign IPv6 addresses automatically.
BIMI record
No BIMI record found. BIMI lets your brand logo appear in email clients that support it — a trust and branding signal for recipients.
Fix: BIMI requires DMARC with p=quarantine or p=reject. Then add a TXT record at default._bimi.alturnanetworks.nl: v=BIMI1; l=https://yourdomain.com/logo.svg
DNSSEC
DNSSEC could not be confirmed via this check. Verify with your domain registrar.
Fix: Enable DNSSEC through your domain registrar to protect against DNS cache poisoning.
SSL & HTTPS
20/100HTTPS / SSL enabled
The website does not appear to support HTTPS.
Fix: Install an SSL certificate and redirect all traffic to HTTPS.
SSL certificate valid
SSL connection failed or certificate is invalid.
Fix: Install a valid SSL certificate from a trusted Certificate Authority.
HTTP redirects to HTTPS
HTTP traffic is permanently (301) redirected to HTTPS.
HSTS header configured
No Strict-Transport-Security (HSTS) header found.
Fix: Add: Strict-Transport-Security: max-age=31536000; includeSubDomains
Content & CMS
100/100No mixed content detected
No insecure HTTP resources (scripts, images, stylesheets) found in the page HTML.
CMS admin panel not publicly accessible
No publicly accessible CMS admin interface found at common paths.
CMS version not exposed
No CMS version information found in the page source.
Subresource Integrity (SRI)
No external scripts or stylesheets without Subresource Integrity hashes detected.
No open redirect
No open redirect detected via common redirect parameters.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
9/100Server version not disclosed
The Server header does not expose version information.
Content-Security-Policy
No Content-Security-Policy header found.
Fix: Add a Content-Security-Policy header to restrict which resources the browser may load, preventing XSS attacks.
X-Frame-Options
No X-Frame-Options header found. The site may be vulnerable to clickjacking.
Fix: Add X-Frame-Options: DENY or SAMEORIGIN, or use CSP frame-ancestors.
X-Content-Type-Options
X-Content-Type-Options header is missing.
Fix: Add X-Content-Type-Options: nosniff to prevent browsers from MIME-sniffing responses.
Referrer-Policy
No Referrer-Policy header found.
Fix: Add Referrer-Policy: strict-origin-when-cross-origin to control how much referrer info is sent.
Permissions-Policy
No Permissions-Policy header found.
Fix: Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation.
Cross-Origin-Opener-Policy
No Cross-Origin-Opener-Policy (COOP) header found.
Fix: Add Cross-Origin-Opener-Policy: same-origin to isolate your browsing context and protect against cross-origin attacks and Spectre-like vulnerabilities.
Cross-Origin-Embedder-Policy
No Cross-Origin-Embedder-Policy (COEP) header found.
Fix: Add Cross-Origin-Embedder-Policy: require-corp to enable advanced browser isolation features (required for SharedArrayBuffer and high-resolution timers).
Performance & SEO
0/100Fast server response time (TTFB)
Could not measure server response time.
Response compression enabled
No gzip or Brotli compression detected.
Fix: Enable gzip or Brotli compression on your web server. This typically reduces HTML/CSS/JS size by 60-80%.
robots.txt present
No robots.txt file found.
Fix: Create a robots.txt file to guide search engine crawlers and prevent indexing of sensitive paths.
XML sitemap present
No sitemap.xml found at common locations (/sitemap.xml, /sitemap_index.xml).
Fix: Create and submit an XML sitemap to Google Search Console to improve search indexing.
security.txt present
No security.txt file found at /.well-known/security.txt or /security.txt.
Fix: Create a security.txt file (RFC 9116) at /.well-known/security.txt to provide security researchers with a responsible disclosure contact.
Critical issues (15)
What is this?
Sender Policy Framework (SPF) is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain.
Why does it matter?
Without SPF, anyone can send emails that appear to come from your domain (email spoofing). This is used in phishing attacks to impersonate your business. SPF tells receiving mail servers which IPs are legitimate senders.
How to fix it
Add a TXT record to your domain\'s DNS: Host: @ (apex domain) Value: v=spf1 include:_spf.yourmailprovider.com ~all Examples: Google Workspace: v=spf1 include:_spf.google.com ~all Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all Mailchimp: v=spf1 include:servers.mcsv.net ~all Use ~all (softfail) to start, upgrade to -all (hard fail) once you're confident all sending sources are listed. Never use +all.
What is this?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to give domain owners control over what happens to emails that fail authentication checks.
Why does it matter?
SPF alone is not enough — DMARC adds a policy layer that tells receiving servers what to do with suspicious emails (monitor, quarantine, or reject). It also provides reporting so you can see who is sending email as your domain.
How to fix it
Add a TXT record to your DNS: Host: _dmarc (e.g. _dmarc.yourdomain.com) Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com Start with p=none to receive reports without affecting mail delivery: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com After analysing reports for a few weeks, upgrade to: p=quarantine → suspicious mail goes to spam p=reject → suspicious mail is blocked entirely Free DMARC report analysis: dmarcian.com, postmarkapp.com/dmarc.
What is this?
HTTPS (HyperText Transfer Protocol Secure) encrypts all communication between the visitor's browser and your server using TLS (Transport Layer Security). Without it, data is sent in plain text.
Why does it matter?
Without HTTPS, anyone on the same network (coffee shop Wi-Fi, corporate proxy) can read or modify the data being transferred — including passwords, form submissions and personal information. Google also ranks HTTPS sites higher and Chrome marks HTTP sites as "Not Secure".
How to fix it
Install a TLS certificate on your web server. Free certificates are available via Let's Encrypt (certbot.eff.org). Most hosting panels (cPanel, Plesk, Forge) have one-click SSL installation. After installing, configure your server to redirect all HTTP traffic to HTTPS.
What is this?
An SSL/TLS certificate has an expiry date. Once expired, browsers show a full-page warning to visitors and refuse to connect without clicking through a security warning.
Why does it matter?
An expired certificate breaks trust immediately — visitors see a red warning screen and most will leave. Search engines may also de-index or lower the ranking of sites with certificate errors.
How to fix it
Renew your certificate before it expires. If you use Let's Encrypt, set up auto-renewal with certbot (sudo certbot renew --dry-run to test). Most hosting providers send expiry warnings by email. Set a calendar reminder at 30 and 7 days before expiry.
What is this?
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS — even if the user types http:// or clicks an http:// link. The browser enforces this locally for the duration of max-age.
Why does it matter?
Even with an HTTP redirect in place, the very first request could go over HTTP before being redirected. A network attacker could intercept that first request (SSL stripping attack). HSTS prevents this by making the browser upgrade to HTTPS before making any request.
How to fix it
Add this header to your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Only add HSTS after you are certain your entire site works over HTTPS, including all subdomains if you use includeSubDomains.
What is this?
Content Security Policy (CSP) is a browser security feature that lets you control which resources (scripts, styles, images, fonts) a page is allowed to load, and from which origins.
Why does it matter?
CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Without CSP, an attacker who injects malicious JavaScript into your page can load resources from anywhere, steal session cookies, or redirect users.
How to fix it
Add a Content-Security-Policy header. Start with a report-only policy to detect issues without breaking anything: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; Once tested, switch to enforcing: Content-Security-Policy: default-src 'self'; ... CSP policies can be complex for sites with third-party scripts. Use https://csp-evaluator.withgoogle.com/ to evaluate your policy.
What is this?
X-Frame-Options controls whether your website can be embedded in an <iframe>, <frame>, or <object> on another website.
Why does it matter?
Without this header, attackers can embed your site invisibly in an iframe on a malicious page and trick users into clicking buttons or links without knowing it (clickjacking). This can be used to perform actions on behalf of a logged-in user.
How to fix it
Add one of these response headers: X-Frame-Options: DENY — prevents all framing X-Frame-Options: SAMEORIGIN — allows framing only from the same domain Nginx: add_header X-Frame-Options "SAMEORIGIN" always; Apache: Header always set X-Frame-Options "SAMEORIGIN" Modern alternative: use CSP with frame-ancestors directive: Content-Security-Policy: frame-ancestors 'self';
What is this?
X-Content-Type-Options with the value "nosniff" tells browsers not to guess (sniff) the content type of a response, but to strictly use the Content-Type header the server sends.
Why does it matter?
Without this header, a browser might interpret an uploaded text file as JavaScript if it contains script-like content — a technique attackers can exploit to run malicious code even when file uploads are allowed.
How to fix it
Add this header to all responses: X-Content-Type-Options: nosniff Nginx: add_header X-Content-Type-Options "nosniff" always; Apache: Header always set X-Content-Type-Options "nosniff" Laravel: add to middleware or in .htaccess.
What is this?
The Referrer-Policy header controls how much information about the originating page is included in the Referer header when a user navigates away from your site or when resources are loaded.
Why does it matter?
Without a Referrer-Policy, the full URL of the current page (which may include session tokens, user IDs, or sensitive paths) is sent to external sites in the Referer header. This can leak private information to third-party analytics, CDN providers, or ad networks.
How to fix it
Recommended value: Referrer-Policy: strict-origin-when-cross-origin (sends origin only for cross-origin requests, full URL for same-origin) Nginx: add_header Referrer-Policy "strict-origin-when-cross-origin" always; Apache: Header always set Referrer-Policy "strict-origin-when-cross-origin" Alternatives: no-referrer (most private), same-origin (no cross-origin referrer).
What is this?
Time To First Byte (TTFB) is the time between the browser sending a request and receiving the first byte of the response from the server. It reflects server processing time, not download speed.
Why does it matter?
A slow TTFB means the server takes too long to process each request — caused by slow database queries, no caching, or underpowered hosting. Google uses TTFB as a signal in Core Web Vitals. Pages with high TTFB feel slow even on fast connections.
How to fix it
Common fixes depending on the cause: 1. Enable server-side caching - WordPress: WP Super Cache, W3 Total Cache - Laravel: Response caching, OPcache - Nginx: FastCGI cache 2. Add a CDN (Content Delivery Network) - Cloudflare (free tier available) - Serves cached responses from edge servers close to the visitor 3. Optimise slow database queries - Enable query logging and identify N+1 problems - Add database indexes 4. Upgrade hosting - Shared hosting often has high TTFB under load - Consider a VPS or managed hosting like Laravel Forge + DigitalOcean Note: our measurement is taken from our server. Geographic distance adds latency — use a CDN to reduce this globally.
What is this?
Response compression (gzip or Brotli) reduces the size of HTML, CSS, JavaScript and other text-based responses before sending them over the network.
Why does it matter?
Compression typically reduces text file sizes by 60–80%. A 200 KB JavaScript file becomes ~50 KB. This directly reduces page load time, especially on slower connections, and reduces bandwidth costs.
How to fix it
Nginx: gzip on; gzip_types text/plain text/css application/javascript application/json; gzip_min_length 1000; For Brotli (better compression, requires ngx_brotli module): brotli on; brotli_types text/plain text/css application/javascript; Apache (.htaccess): AddOutputFilterByType DEFLATE text/html text/css application/javascript Cloudflare: enables compression automatically — no server config needed.
Warnings (23)
What is this?
CAA (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why does it matter?
Without CAA records, any of the hundreds of trusted CAs worldwide can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent certificate for your domain, enabling MITM attacks. CAA limits this risk to your chosen CA(s).
How to fix it
Add CAA records to your DNS. Example for Let\'s Encrypt only: 0 issue "letsencrypt.org" For multiple CAs (e.g. Let\'s Encrypt + DigiCert): 0 issue "letsencrypt.org" 0 issue "digicert.com" To also allow wildcard certificates: 0 issuewild "letsencrypt.org" For email notifications on unauthorized issuance attempts: 0 iodef "mailto:security@yourdomain.com" Check current CAA records at: sslmate.com/caa
What is this?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The signature is created with a private key on your mail server and verified by recipients using a public key published in DNS.
Why does it matter?
DKIM proves that an email actually came from your mail server and was not modified in transit. Without DKIM, anyone can send emails that appear to be from your domain (spoofing), and DMARC alignment checks will fail even if SPF passes.
How to fix it
DKIM is configured in your email provider, not directly in DNS. Here is the process: 1. Generate a DKIM key pair in your email provider: - Google Workspace: Admin console → Apps → Gmail → Authenticate email - Microsoft 365: Admin center → Settings → Domains → DKIM - Mailchimp/SendGrid/Mailjet: Each has a DKIM setup page in their dashboard 2. Copy the TXT record they provide and add it to your DNS: Name: selector._domainkey.yourdomain.com Value: v=DKIM1; k=rsa; p=MIGf... 3. Activate DKIM signing in your provider after publishing the DNS record. The selector name (e.g. 'google', 'selector1') comes from your email provider.
What is this?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces other mail servers to use encrypted TLS connections when delivering email to your domain. Without it, a network attacker could silently strip TLS from email in transit.
Why does it matter?
Email is delivered between servers using SMTP. By default, SMTP tries TLS but falls back to plaintext if TLS is not available — a downgrade attack. MTA-STS prevents this fallback, ensuring all email delivered to your domain is encrypted in transit.
How to fix it
Implementing MTA-STS requires two things: 1. A DNS TXT record at _mta-sts.yourdomain.com: v=STSv1; id=20240101001 2. A policy file hosted at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt Policy file content: version: STSv1 mode: enforce mx: mail.yourdomain.com max_age: 86400 Start with mode: testing to see reports before enforcing. Use mta-sts.io for a guided setup.
What is this?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and have not been tampered with.
Why does it matter?
Without DNSSEC, DNS responses can be forged (DNS cache poisoning / BGP hijacking), redirecting your visitors to a fake server without them knowing. DNSSEC ensures the DNS record they receive is the one you published.
How to fix it
DNSSEC must be enabled at both your DNS registrar and your DNS hosting provider: 1. Enable DNSSEC at your domain registrar (Namecheap, GoDaddy, TransIP, etc.) 2. Enable DNSSEC signing at your DNS host (Cloudflare enables this automatically) 3. The registrar publishes DS records pointing to your zone\'s key If you use Cloudflare: enable DNSSEC with one click in the DNS tab. Note: DNSSEC is difficult to set up incorrectly — misconfiguration can take your domain offline. Follow your registrar\'s guide carefully.
What is this?
Permissions-Policy (formerly Feature-Policy) lets you control which browser features and APIs your site is allowed to use, and whether third-party content embedded in iframes can access them.
Why does it matter?
Without this header, embedded third-party scripts or iframes could theoretically request access to the camera, microphone, geolocation, payment APIs, and more. Restricting these features reduces your attack surface.
How to fix it
Example header that disables features not needed for most sites: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; Apache: Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" Only disable features you genuinely don't use. Adding this header is a low-effort, high-value improvement.
What is this?
robots.txt is a plain text file at the root of your website that tells search engine crawlers which pages they are and aren't allowed to index.
Why does it matter?
Without a robots.txt, crawlers may index admin panels, staging areas, duplicate content, or other pages that should not appear in search results. A well-configured robots.txt also prevents crawl budget waste on unimportant pages.
How to fix it
Create a file at https://yourdomain.com/robots.txt with at minimum: User-agent: * Disallow: Sitemap: https://yourdomain.com/sitemap.xml To block specific paths: User-agent: * Disallow: /admin/ Disallow: /private/ Allow: / WordPress: generated automatically. Check Settings > Reading. Laravel: create public/robots.txt manually.
What is this?
An XML sitemap is a file that lists all the important URLs on your website, helping search engines discover and index your pages more efficiently.
Why does it matter?
Search engines may miss pages that are not linked from anywhere (orphan pages) or pages deep in your site structure. A sitemap ensures they are found and indexed. It also allows you to signal content priority and update frequency.
How to fix it
Create an XML sitemap at https://yourdomain.com/sitemap.xml WordPress: install Yoast SEO or use the built-in sitemap at /wp-sitemap.xml Laravel: use spatie/laravel-sitemap package Static sites: generate with a sitemap generator tool After creating your sitemap, submit it to: - Google Search Console: search.google.com/search-console - Bing Webmaster Tools: bing.com/webmasters Also reference it in your robots.txt: Sitemap: https://yourdomain.com/sitemap.xml
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/f87xnmNTXpNqX4ok">
<img src="https://webcheckapp.com/scan/f87xnmNTXpNqX4ok/badge" alt="Security score: 37/100">
</a>