Security report for
ozomafabrica.com
Scanned 4 hours ago
Executive Summary
PDF PROWe performed a comprehensive security analysis of ozomafabrica.com across 5 categories. The website received an overall score of 51/100 (grade D+), with 6 critical issues, 5 warnings, and 16 passed checks.
Overall assessment: ozomafabrica.com has significant security gaps that should be addressed as soon as possible. The current configuration leaves the website vulnerable to common attacks. We strongly recommend reviewing the critical issues listed in this report and implementing the recommended fixes without delay.
Top priority fixes:
Strong areas
Security Headers
Needs improvement
Content & CMS
Performance & SEO
Needs work
SSL & HTTPS
DNS & Email Security
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Not fully — your website is missing important security protections that keep visitors safe.
Can my website be found by Google?
Yes — your website is accessible to search engines and loads at a reasonable speed.
Is my email protected against spoofing?
Not fully — attackers could send fake emails pretending to be from your domain. This is used in phishing attacks.
Is my website leaking sensitive data?
No leaks detected — configuration files and sensitive data appear to be properly protected.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
New issues
Trust & WHOIS
See domain age, registrar, expiry date, server location, and reputation checks across security databases.
Malware & Reputation
Check if your site is flagged by malware databases, blacklists, and antivirus vendors worldwide.
Advanced Security Checks
Detect open ports, exposed files, API vulnerabilities, TLS weaknesses, and subdomain takeover risks.
Privacy & GDPR
Analyze cookie consent, privacy policy presence, third-party trackers, and GDPR compliance signals.
Quality & Accessibility
Check accessibility compliance, robots.txt, branding, broken links, and carbon footprint.
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
29/100SPF record configured
No SPF record found. Anyone can send emails pretending to be from your domain.
Fix: Add a TXT record to your DNS: v=spf1 include:yourmailprovider.com ~all
DMARC record configured
DMARC record found with policy "reject": "v=DMARC1; p=reject; rua=mailto:ozomadiseno@gmail.com".
CAA record configured
No CAA record found. Any Certificate Authority can issue SSL certs for your domain.
Fix: Add a CAA DNS record, e.g.: 0 issue "letsencrypt.org" to restrict SSL issuance.
DKIM record configured
No DKIM record found for common selectors. DKIM cryptographically signs outgoing emails, making them verifiable and preventing tampering in transit.
Fix: Configure DKIM in your email provider (Google Workspace, Microsoft 365, etc.) and publish the TXT record they provide at {selector}._domainkey.ozomafabrica.com
MTA-STS (email transport security)
No MTA-STS record found at _mta-sts.ozomafabrica.com. Without it, email delivery to your domain could silently fall back to unencrypted connections.
Fix: Implement MTA-STS: add a TXT record at _mta-sts.ozomafabrica.com with value "v=STSv1; id=YYYYMMDD01" and publish a policy file at https://mta-sts.ozomafabrica.com/.well-known/mta-sts.txt
IPv6 support
Domain has an AAAA record — IPv6 is supported.
BIMI record
No BIMI record found. BIMI lets your brand logo appear in email clients that support it — a trust and branding signal for recipients.
Fix: BIMI requires DMARC with p=quarantine or p=reject. Then add a TXT record at default._bimi.ozomafabrica.com: v=BIMI1; l=https://yourdomain.com/logo.svg
DNSSEC
DNSSEC could not be verified via this automated check (PHP DNS resolvers strip DNSSEC data). Check with your domain registrar or use dnsviz.net to verify.
SSL & HTTPS
20/100HTTPS / SSL enabled
The website does not appear to support HTTPS.
Fix: Install an SSL certificate and redirect all traffic to HTTPS.
SSL certificate valid
SSL connection failed or certificate is invalid.
Fix: Install a valid SSL certificate from a trusted Certificate Authority.
HTTP redirects to HTTPS
HTTP traffic is permanently (301) redirected to HTTPS.
HSTS header configured
No Strict-Transport-Security (HSTS) header found.
Fix: Add: Strict-Transport-Security: max-age=31536000; includeSubDomains
Content & CMS
77/100No mixed content detected
Found 1 resource(s) loaded over HTTP on this HTTPS page. Browsers will block or warn about these.
Fix: Update all resource URLs (src, action, stylesheet href) to use HTTPS.
CMS admin panel not publicly accessible
No publicly accessible CMS admin interface found at common paths.
CMS version not exposed
No CMS version information found in the page source.
Subresource Integrity (SRI)
No external scripts or stylesheets without Subresource Integrity hashes detected.
No open redirect
No open redirect detected via common redirect parameters.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
83/100Server version not disclosed
The Server header does not expose version information.
Content-Security-Policy
CSP is set but weakened by 'unsafe-inline' and 'unsafe-eval' in script-src. These directives allow inline scripts and effectively disable XSS injection protection.
Fix: Remove 'unsafe-inline' and 'unsafe-eval' from your CSP. Replace inline scripts with external files or use nonces/hashes. Test your policy at https://csp-evaluator.withgoogle.com/
X-Frame-Options
X-Frame-Options: SAMEORIGIN — protects against clickjacking.
X-Content-Type-Options
X-Content-Type-Options: nosniff is set — prevents MIME-type sniffing.
Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Permissions-Policy header found — browser feature access is restricted.
Cross-Origin-Opener-Policy
No Cross-Origin-Opener-Policy (COOP) header found. Note: COOP can break popup-based flows (payments, OAuth) and browser back/forward cache.
Fix: Consider adding Cross-Origin-Opener-Policy: same-origin if your site does not use cross-origin popups.
Cross-Origin-Embedder-Policy
No Cross-Origin-Embedder-Policy (COEP) header found. Note: COEP breaks external embeds (YouTube, maps, ads) that don't send CORP headers.
Fix: Consider adding Cross-Origin-Embedder-Policy: require-corp only if your site does not embed third-party content.
Performance & SEO
75/100Fast server response time (TTFB)
Could not measure server response time.
Response compression enabled
Compression is enabled (br) — reduces transfer size and speeds up page loads.
robots.txt present
A robots.txt file was found and is accessible.
XML sitemap present
An XML sitemap was found — helps search engines discover and index your pages.
security.txt present
No security.txt file found at /.well-known/security.txt or /security.txt.
Fix: Create a security.txt file (RFC 9116) at /.well-known/security.txt to provide security researchers with a responsible disclosure contact.
Critical issues (6)
What is this?
Sender Policy Framework (SPF) is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain.
Why does it matter?
Without SPF, anyone can send emails that appear to come from your domain (email spoofing). This is used in phishing attacks to impersonate your business. SPF tells receiving mail servers which IPs are legitimate senders.
How to fix it
Add a TXT record to your domain\'s DNS: Host: @ (apex domain) Value: v=spf1 include:_spf.yourmailprovider.com ~all Examples: Google Workspace: v=spf1 include:_spf.google.com ~all Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all Mailchimp: v=spf1 include:servers.mcsv.net ~all Use ~all (softfail) to start, upgrade to -all (hard fail) once you're confident all sending sources are listed. Never use +all.
What is this?
HTTPS (HyperText Transfer Protocol Secure) encrypts all communication between the visitor's browser and your server using TLS (Transport Layer Security). Without it, data is sent in plain text.
Why does it matter?
Without HTTPS, anyone on the same network (coffee shop Wi-Fi, corporate proxy) can read or modify the data being transferred — including passwords, form submissions and personal information. Google also ranks HTTPS sites higher and Chrome marks HTTP sites as "Not Secure".
How to fix it
Install a TLS certificate on your web server. Free certificates are available via Let's Encrypt (certbot.eff.org). Most hosting panels (cPanel, Plesk, Forge) have one-click SSL installation. After installing, configure your server to redirect all HTTP traffic to HTTPS.
What is this?
An SSL/TLS certificate has an expiry date. Once expired, browsers show a full-page warning to visitors and refuse to connect without clicking through a security warning.
Why does it matter?
An expired certificate breaks trust immediately — visitors see a red warning screen and most will leave. Search engines may also de-index or lower the ranking of sites with certificate errors.
How to fix it
Renew your certificate before it expires. If you use Let's Encrypt, set up auto-renewal with certbot (sudo certbot renew --dry-run to test). Most hosting providers send expiry warnings by email. Set a calendar reminder at 30 and 7 days before expiry.
What is this?
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS — even if the user types http:// or clicks an http:// link. The browser enforces this locally for the duration of max-age.
Why does it matter?
Even with an HTTP redirect in place, the very first request could go over HTTP before being redirected. A network attacker could intercept that first request (SSL stripping attack). HSTS prevents this by making the browser upgrade to HTTPS before making any request.
How to fix it
Add this header to your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Only add HSTS after you are certain your entire site works over HTTPS, including all subdomains if you use includeSubDomains.
What is this?
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. The page itself is served securely, but some of its resources are not.
Why does it matter?
Mixed active content (scripts, stylesheets) is blocked by modern browsers entirely, breaking the page. Mixed passive content (images) triggers a "Not Secure" warning. Even one HTTP resource means the page is not fully secure — the HTTP resource can be intercepted and modified.
How to fix it
Find all HTTP resource URLs in your HTML source and update them to HTTPS. Look for: - <script src="http://..."> - <link href="http://..."> - <img src="http://..."> - background-image: url('http://...') WordPress: use the Better Search Replace plugin to update URLs in the database from http:// to https://. If you can\'t change the resource URL, consider hosting the resource yourself over HTTPS.
What is this?
Time To First Byte (TTFB) is the time between the browser sending a request and receiving the first byte of the response from the server. It reflects server processing time, not download speed.
Why does it matter?
A slow TTFB means the server takes too long to process each request — caused by slow database queries, no caching, or underpowered hosting. Google uses TTFB as a signal in Core Web Vitals. Pages with high TTFB feel slow even on fast connections.
How to fix it
Common fixes depending on the cause: 1. Enable server-side caching - WordPress: WP Super Cache, W3 Total Cache - Laravel: Response caching, OPcache - Nginx: FastCGI cache 2. Add a CDN (Content Delivery Network) - Cloudflare (free tier available) - Serves cached responses from edge servers close to the visitor 3. Optimise slow database queries - Enable query logging and identify N+1 problems - Add database indexes 4. Upgrade hosting - Shared hosting often has high TTFB under load - Consider a VPS or managed hosting like Laravel Forge + DigitalOcean Note: our measurement is taken from our server. Geographic distance adds latency — use a CDN to reduce this globally.
Warnings (5)
What is this?
CAA (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why does it matter?
Without CAA records, any of the hundreds of trusted CAs worldwide can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent certificate for your domain, enabling MITM attacks. CAA limits this risk to your chosen CA(s).
How to fix it
Add CAA records to your DNS. Example for Let\'s Encrypt only: 0 issue "letsencrypt.org" For multiple CAs (e.g. Let\'s Encrypt + DigiCert): 0 issue "letsencrypt.org" 0 issue "digicert.com" To also allow wildcard certificates: 0 issuewild "letsencrypt.org" For email notifications on unauthorized issuance attempts: 0 iodef "mailto:security@yourdomain.com" Check current CAA records at: sslmate.com/caa
What is this?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The signature is created with a private key on your mail server and verified by recipients using a public key published in DNS.
Why does it matter?
DKIM proves that an email actually came from your mail server and was not modified in transit. Without DKIM, anyone can send emails that appear to be from your domain (spoofing), and DMARC alignment checks will fail even if SPF passes.
How to fix it
DKIM is configured in your email provider, not directly in DNS. Here is the process: 1. Generate a DKIM key pair in your email provider: - Google Workspace: Admin console → Apps → Gmail → Authenticate email - Microsoft 365: Admin center → Settings → Domains → DKIM - Mailchimp/SendGrid/Mailjet: Each has a DKIM setup page in their dashboard 2. Copy the TXT record they provide and add it to your DNS: Name: selector._domainkey.yourdomain.com Value: v=DKIM1; k=rsa; p=MIGf... 3. Activate DKIM signing in your provider after publishing the DNS record. The selector name (e.g. 'google', 'selector1') comes from your email provider.
What is this?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces other mail servers to use encrypted TLS connections when delivering email to your domain. Without it, a network attacker could silently strip TLS from email in transit.
Why does it matter?
Email is delivered between servers using SMTP. By default, SMTP tries TLS but falls back to plaintext if TLS is not available — a downgrade attack. MTA-STS prevents this fallback, ensuring all email delivered to your domain is encrypted in transit.
How to fix it
Implementing MTA-STS requires two things: 1. A DNS TXT record at _mta-sts.yourdomain.com: v=STSv1; id=20240101001 2. A policy file hosted at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt Policy file content: version: STSv1 mode: enforce mx: mail.yourdomain.com max_age: 86400 Start with mode: testing to see reports before enforcing. Use mta-sts.io for a guided setup.
What is this?
Content Security Policy (CSP) is a browser security feature that lets you control which resources (scripts, styles, images, fonts) a page is allowed to load, and from which origins.
Why does it matter?
CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Without CSP, an attacker who injects malicious JavaScript into your page can load resources from anywhere, steal session cookies, or redirect users.
How to fix it
Add a Content-Security-Policy header. Start with a report-only policy to detect issues without breaking anything: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; Once tested, switch to enforcing: Content-Security-Policy: default-src 'self'; ... CSP policies can be complex for sites with third-party scripts. Use https://csp-evaluator.withgoogle.com/ to evaluate your policy.
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/lvAp8wanqUOjHCYs">
<img src="https://webcheckapp.com/scan/lvAp8wanqUOjHCYs/badge" alt="Security score: 51/100">
</a>