Security report for
alturnanetworks.com
Scanned 5 hours ago
Executive Summary
PDF PROWe performed a comprehensive security analysis of alturnanetworks.com across 5 categories. The website received an overall score of 56/100 (grade C-), with 8 critical issues, 11 warnings, and 15 passed checks.
Overall assessment: alturnanetworks.com has significant security gaps that should be addressed as soon as possible. The current configuration leaves the website vulnerable to common attacks. We strongly recommend reviewing the critical issues listed in this report and implementing the recommended fixes without delay.
Top priority fixes:
Strong areas
Performance & SEO
Needs improvement
DNS & Email Security
SSL & HTTPS
Needs work
Security Headers
Content & CMS
Website Health Check
Simple overview for everyoneIs my website safe for visitors?
Not fully — your website is missing important security protections that keep visitors safe.
Can my website be found by Google?
Yes — your website is accessible to search engines and loads at a reasonable speed.
Is my email protected against spoofing?
Yes — your domain has email authentication records (SPF/DMARC) that prevent others from sending fake emails on your behalf.
Is my website leaking sensitive data?
Potential leaks found — some sensitive files or information may be publicly accessible to anyone.
Does my website respect visitor privacy?
Yes — a privacy policy and cookie consent appear to be in place.
Trust & WHOIS
See domain age, registrar, expiry date, server location, and reputation checks across security databases.
Malware & Reputation
Check if your site is flagged by malware databases, blacklists, and antivirus vendors worldwide.
Advanced Security Checks
Detect open ports, exposed files, API vulnerabilities, TLS weaknesses, and subdomain takeover risks.
Privacy & GDPR
Analyze cookie consent, privacy policy presence, third-party trackers, and GDPR compliance signals.
Quality & Accessibility
Check accessibility compliance, robots.txt, branding, broken links, and carbon footprint.
Unlock the full security report
This Quick Scan covers 5 categories. Upgrade to Pro for OWASP Top 10 analysis, malware detection, exposed files, and 15 more scanners.
Full report
DNS & Email Security
75/100SPF record configured
SPF record found: "v=spf1 include:spf.protection.outlook.com mx ip4:37.97.253.46/32 ip4:90.145.24.138/32 ip6:2a01:7c8:aab2:12d::/48 a:alturnanetworks.com a:dev.alturnanetworks.com a:floris.alturnanetworks.com a:backupext.alturnanetworks.com include:email.nmbrsapp.com include:sendgrid.net ~all".
DMARC record configured
DMARC record found with policy "quarantine": "v=DMARC1; p=quarantine; rua=mailto:it@alturnanetworks.com;".
CAA record configured
No CAA record found. Any Certificate Authority can issue SSL certs for your domain.
Fix: Add a CAA DNS record, e.g.: 0 issue "letsencrypt.org" to restrict SSL issuance.
DKIM record configured
DKIM record found (selector "k2") — outgoing emails are cryptographically signed.
MTA-STS (email transport security)
No MTA-STS record found at _mta-sts.alturnanetworks.com. Without it, email delivery to your domain could silently fall back to unencrypted connections.
Fix: Implement MTA-STS: add a TXT record at _mta-sts.alturnanetworks.com with value "v=STSv1; id=YYYYMMDD01" and publish a policy file at https://mta-sts.alturnanetworks.com/.well-known/mta-sts.txt
IPv6 support
No AAAA record found. The domain is IPv4-only.
Fix: Add an AAAA record to support IPv6. Most modern hosting providers and CDNs assign IPv6 addresses automatically.
BIMI record
No BIMI record found. BIMI lets your brand logo appear in email clients that support it — a trust and branding signal for recipients.
Fix: BIMI requires DMARC with p=quarantine or p=reject. Then add a TXT record at default._bimi.alturnanetworks.com: v=BIMI1; l=https://yourdomain.com/logo.svg
DNSSEC
DNSSEC could not be confirmed via this check. Verify with your domain registrar.
Fix: Enable DNSSEC through your domain registrar to protect against DNS cache poisoning.
SSL & HTTPS
73/100HTTPS / SSL enabled
The website is accessible over HTTPS.
SSL certificate valid
Certificate is valid and expires on 2026-05-10 (36 days left).
HTTP redirects to HTTPS
HTTP traffic is permanently (301) redirected to HTTPS.
HSTS header configured
No Strict-Transport-Security (HSTS) header found.
Fix: Add: Strict-Transport-Security: max-age=31536000; includeSubDomains
No weak cipher suites
Server accepts weak cipher suite(s): RC4, 3DES, EXPORT, NULL. These ciphers have known cryptographic weaknesses.
Fix: Restrict your cipher list in your server config: Nginx: ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!3DES:!RC4; Apache: SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4 Then reload your server.
TLS 1.0 and 1.1 disabled
Server only accepts TLS 1.2 or higher. Deprecated TLS versions are not supported.
Content & CMS
45/100No mixed content detected
Found 2 resource(s) loaded over HTTP on this HTTPS page. Browsers will block or warn about these.
Fix: Update all resource URLs (src, action, stylesheet href) to use HTTPS.
CMS admin panel not publicly accessible
A CMS admin panel is directly accessible at /wp-login.php. Ensure it requires strong authentication.
Fix: Restrict admin access by IP address, or add two-factor authentication.
CMS version not exposed
WordPress detected. Version "6.3.8" is exposed in the page source, which helps attackers target known vulnerabilities.
Fix: Remove the generator meta tag and strip ?ver= parameters from script/style URLs.
WordPress XML-RPC disabled
WordPress XML-RPC endpoint is not publicly accessible.
WordPress user enumeration blocked
WordPress REST API user endpoint is not publicly accessible.
Subresource Integrity (SRI)
36 of 36 external script(s)/stylesheet(s) load without an integrity= hash. If the CDN is compromised, malicious code could be silently injected into your pages.
Fix: Add integrity= and crossorigin= attributes to external <script> and <link> tags. Generate hashes at https://www.srihash.org/
No open redirect
No open redirect detected via common redirect parameters.
Directory listing disabled
Directory listing is not enabled — files cannot be browsed directly.
Security Headers
4/100Server version not disclosed
Server header reveals version: "Apache/2.4.29 (Ubuntu)".
Fix: Configure your web server to suppress the version number from the Server header.
Content-Security-Policy
No Content-Security-Policy header found.
Fix: Add a Content-Security-Policy header to restrict which resources the browser may load, preventing XSS attacks.
X-Frame-Options
No X-Frame-Options header found. The site may be vulnerable to clickjacking.
Fix: Add X-Frame-Options: DENY or SAMEORIGIN, or use CSP frame-ancestors.
X-Content-Type-Options
X-Content-Type-Options header is missing.
Fix: Add X-Content-Type-Options: nosniff to prevent browsers from MIME-sniffing responses.
Referrer-Policy
No Referrer-Policy header found.
Fix: Add Referrer-Policy: strict-origin-when-cross-origin to control how much referrer info is sent.
Permissions-Policy
No Permissions-Policy header found.
Fix: Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation.
Cookie security flags
One or more cookies are missing security flags: _icl_current_language (missing: HttpOnly, Secure, SameSite).
Fix: Set HttpOnly (prevents JS access), Secure (HTTPS only), and SameSite=Lax or Strict on all cookies.
Cross-Origin-Opener-Policy
No Cross-Origin-Opener-Policy (COOP) header found.
Fix: Add Cross-Origin-Opener-Policy: same-origin to isolate your browsing context and protect against cross-origin attacks and Spectre-like vulnerabilities.
Cross-Origin-Embedder-Policy
No Cross-Origin-Embedder-Policy (COEP) header found.
Fix: Add Cross-Origin-Embedder-Policy: require-corp to enable advanced browser isolation features (required for SharedArrayBuffer and high-resolution timers).
Performance & SEO
100/100Fast server response time (TTFB)
Time To First Byte: 224 ms (measured from our scanner server) — excellent.
Response compression enabled
Compression is enabled (gzip) — reduces transfer size and speeds up page loads.
robots.txt present
A robots.txt file was found and is accessible.
XML sitemap present
An XML sitemap was found — helps search engines discover and index your pages.
security.txt present
No security.txt file found at /.well-known/security.txt or /security.txt.
Fix: Create a security.txt file (RFC 9116) at /.well-known/security.txt to provide security researchers with a responsible disclosure contact.
Critical issues (8)
What is this?
HTTP Strict Transport Security (HSTS) is a response header that tells browsers to only ever connect to your site over HTTPS — even if the user types http:// or clicks an http:// link. The browser enforces this locally for the duration of max-age.
Why does it matter?
Even with an HTTP redirect in place, the very first request could go over HTTP before being redirected. A network attacker could intercept that first request (SSL stripping attack). HSTS prevents this by making the browser upgrade to HTTPS before making any request.
How to fix it
Add this header to your HTTPS responses: Strict-Transport-Security: max-age=31536000; includeSubDomains Nginx: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Only add HSTS after you are certain your entire site works over HTTPS, including all subdomains if you use includeSubDomains.
What is this?
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. The page itself is served securely, but some of its resources are not.
Why does it matter?
Mixed active content (scripts, stylesheets) is blocked by modern browsers entirely, breaking the page. Mixed passive content (images) triggers a "Not Secure" warning. Even one HTTP resource means the page is not fully secure — the HTTP resource can be intercepted and modified.
How to fix it
Find all HTTP resource URLs in your HTML source and update them to HTTPS. Look for: - <script src="http://..."> - <link href="http://..."> - <img src="http://..."> - background-image: url('http://...') WordPress: use the Better Search Replace plugin to update URLs in the database from http:// to https://. If you can\'t change the resource URL, consider hosting the resource yourself over HTTPS.
What is this?
Content Security Policy (CSP) is a browser security feature that lets you control which resources (scripts, styles, images, fonts) a page is allowed to load, and from which origins.
Why does it matter?
CSP is one of the most effective defences against Cross-Site Scripting (XSS) attacks. Without CSP, an attacker who injects malicious JavaScript into your page can load resources from anywhere, steal session cookies, or redirect users.
How to fix it
Add a Content-Security-Policy header. Start with a report-only policy to detect issues without breaking anything: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; Once tested, switch to enforcing: Content-Security-Policy: default-src 'self'; ... CSP policies can be complex for sites with third-party scripts. Use https://csp-evaluator.withgoogle.com/ to evaluate your policy.
What is this?
X-Frame-Options controls whether your website can be embedded in an <iframe>, <frame>, or <object> on another website.
Why does it matter?
Without this header, attackers can embed your site invisibly in an iframe on a malicious page and trick users into clicking buttons or links without knowing it (clickjacking). This can be used to perform actions on behalf of a logged-in user.
How to fix it
Add one of these response headers: X-Frame-Options: DENY — prevents all framing X-Frame-Options: SAMEORIGIN — allows framing only from the same domain Nginx: add_header X-Frame-Options "SAMEORIGIN" always; Apache: Header always set X-Frame-Options "SAMEORIGIN" Modern alternative: use CSP with frame-ancestors directive: Content-Security-Policy: frame-ancestors 'self';
What is this?
X-Content-Type-Options with the value "nosniff" tells browsers not to guess (sniff) the content type of a response, but to strictly use the Content-Type header the server sends.
Why does it matter?
Without this header, a browser might interpret an uploaded text file as JavaScript if it contains script-like content — a technique attackers can exploit to run malicious code even when file uploads are allowed.
How to fix it
Add this header to all responses: X-Content-Type-Options: nosniff Nginx: add_header X-Content-Type-Options "nosniff" always; Apache: Header always set X-Content-Type-Options "nosniff" Laravel: add to middleware or in .htaccess.
What is this?
The Referrer-Policy header controls how much information about the originating page is included in the Referer header when a user navigates away from your site or when resources are loaded.
Why does it matter?
Without a Referrer-Policy, the full URL of the current page (which may include session tokens, user IDs, or sensitive paths) is sent to external sites in the Referer header. This can leak private information to third-party analytics, CDN providers, or ad networks.
How to fix it
Recommended value: Referrer-Policy: strict-origin-when-cross-origin (sends origin only for cross-origin requests, full URL for same-origin) Nginx: add_header Referrer-Policy "strict-origin-when-cross-origin" always; Apache: Header always set Referrer-Policy "strict-origin-when-cross-origin" Alternatives: no-referrer (most private), same-origin (no cross-origin referrer).
What is this?
HTTP cookies can carry security flags: HttpOnly (prevents JavaScript from reading the cookie, blocking XSS-based session theft), Secure (transmits the cookie only over HTTPS, never plain HTTP), and SameSite (controls cross-site submission, blocking CSRF attacks).
Why does it matter?
Without HttpOnly, malicious scripts injected via XSS can steal session cookies. Without Secure, cookies can leak over HTTP redirects or mixed-content requests. Without SameSite, cookies are sent with cross-site requests, enabling CSRF attacks that make users perform actions without their knowledge.
How to fix it
Add all three flags when setting cookies: Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax PHP: session_set_cookie_params([ 'httponly' => true, 'secure' => true, 'samesite' => 'Lax', ]); Laravel: in config/session.php set: 'http_only' => true, 'secure' => true, 'same_site' => 'lax', Use SameSite=Lax for most sites. Use SameSite=Strict if cross-site links to your site don't need to carry the session.
Warnings (11)
What is this?
CAA (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Why does it matter?
Without CAA records, any of the hundreds of trusted CAs worldwide can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent certificate for your domain, enabling MITM attacks. CAA limits this risk to your chosen CA(s).
How to fix it
Add CAA records to your DNS. Example for Let\'s Encrypt only: 0 issue "letsencrypt.org" For multiple CAs (e.g. Let\'s Encrypt + DigiCert): 0 issue "letsencrypt.org" 0 issue "digicert.com" To also allow wildcard certificates: 0 issuewild "letsencrypt.org" For email notifications on unauthorized issuance attempts: 0 iodef "mailto:security@yourdomain.com" Check current CAA records at: sslmate.com/caa
What is this?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that forces other mail servers to use encrypted TLS connections when delivering email to your domain. Without it, a network attacker could silently strip TLS from email in transit.
Why does it matter?
Email is delivered between servers using SMTP. By default, SMTP tries TLS but falls back to plaintext if TLS is not available — a downgrade attack. MTA-STS prevents this fallback, ensuring all email delivered to your domain is encrypted in transit.
How to fix it
Implementing MTA-STS requires two things: 1. A DNS TXT record at _mta-sts.yourdomain.com: v=STSv1; id=20240101001 2. A policy file hosted at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt Policy file content: version: STSv1 mode: enforce mx: mail.yourdomain.com max_age: 86400 Start with mode: testing to see reports before enforcing. Use mta-sts.io for a guided setup.
What is this?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and have not been tampered with.
Why does it matter?
Without DNSSEC, DNS responses can be forged (DNS cache poisoning / BGP hijacking), redirecting your visitors to a fake server without them knowing. DNSSEC ensures the DNS record they receive is the one you published.
How to fix it
DNSSEC must be enabled at both your DNS registrar and your DNS hosting provider: 1. Enable DNSSEC at your domain registrar (Namecheap, GoDaddy, TransIP, etc.) 2. Enable DNSSEC signing at your DNS host (Cloudflare enables this automatically) 3. The registrar publishes DS records pointing to your zone\'s key If you use Cloudflare: enable DNSSEC with one click in the DNS tab. Note: DNSSEC is difficult to set up incorrectly — misconfiguration can take your domain offline. Follow your registrar\'s guide carefully.
What is this?
Common CMS admin panel paths like /wp-admin or /administrator are publicly accessible without any IP restriction.
Why does it matter?
A publicly accessible admin panel is a target for brute-force attacks and credential stuffing. Attackers continuously scan the web for these paths and run automated login attempts. If credentials are weak or reused, this is how sites get compromised.
How to fix it
Option 1: IP restriction (most secure) Nginx: location /wp-admin { allow your.ip.address; deny all; } Option 2: Two-factor authentication WordPress: install WP 2FA or Google Authenticator plugin Option 3: Move the admin URL (WordPress only) Install WPS Hide Login plugin to change /wp-admin to a custom path Option 4: HTTP Basic Auth as extra layer Add a password prompt before the admin panel is shown
What is this?
The WordPress version number is visible in the HTML source — either in the generator meta tag (<meta name="generator" content="WordPress 6.2">) or in script/style URLs as ?ver=6.2.
Why does it matter?
Knowing the exact WordPress version allows attackers to look up known CVEs (Common Vulnerabilities and Exposures) for that version and target known exploits. Version disclosure is an information leak that makes targeted attacks easier.
How to fix it
Remove the generator meta tag by adding to functions.php: remove_action('wp_head', 'wp_generator'); Remove ?ver= query strings from URLs: function remove_version_strings($src) { if (strpos($src, '?ver=') !== false) { $src = remove_query_arg('ver', $src); } return $src; } add_filter('style_loader_src', 'remove_version_strings'); add_filter('script_loader_src', 'remove_version_strings'); Alternatively use a security plugin like Wordfence or iThemes Security which does this automatically.
What is this?
Subresource Integrity (SRI) is a browser security feature that lets you specify a cryptographic hash for external scripts and stylesheets. The browser refuses to execute the resource if its content does not match the hash.
Why does it matter?
If a CDN you rely on is compromised (a real and recurring attack vector), an attacker can replace your JavaScript library with malicious code that steals user data, injects cryptomining scripts, or performs other attacks. SRI prevents this by making the browser verify the file has not been altered.
How to fix it
Add integrity= and crossorigin= attributes to your external resources: <script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js" integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo=" crossorigin="anonymous" ></script> Generate hashes for any URL at: https://www.srihash.org/ For build tools, use webpack-subresource-integrity or vite-plugin-sri to add hashes automatically during builds.
What is this?
The Server HTTP header is sent by your web server and typically reveals which software and version is running, e.g. "Apache/2.4.29 (Ubuntu)".
Why does it matter?
Exposing the exact server version helps attackers quickly identify known vulnerabilities for that specific version. This is called "information disclosure" and is considered a low-risk but easily preventable issue.
How to fix it
Nginx: In nginx.conf, set: server_tokens off; Apache: In httpd.conf or apache2.conf, set: ServerTokens Prod ServerSignature Off LiteSpeed: In WebAdmin > Server > General, set Server Signature to Hide.
What is this?
Permissions-Policy (formerly Feature-Policy) lets you control which browser features and APIs your site is allowed to use, and whether third-party content embedded in iframes can access them.
Why does it matter?
Without this header, embedded third-party scripts or iframes could theoretically request access to the camera, microphone, geolocation, payment APIs, and more. Restricting these features reduces your attack surface.
How to fix it
Example header that disables features not needed for most sites: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; Apache: Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" Only disable features you genuinely don't use. Adding this header is a low-effort, high-value improvement.
Get this report emailed to you
Create a free account to save your scan results, monitor your sites, and get alerted when your score drops.
Show visitors your security score with an embeddable badge. It updates automatically when you rescan.
<a href="https://webcheckapp.com/scan/m8J17vrZCpEU5MLd">
<img src="https://webcheckapp.com/scan/m8J17vrZCpEU5MLd/badge" alt="Security score: 56/100">
</a>