All-in-one free web application security tool. Web application vulnerability and privacy scanner with support for HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, Supercookies, Evercookies. Includes a free SSL/TLS, HTML and HTTP vulnerability scanner and URL malware scanner.
Category: Technology
Keywords:
Last fetched: 2020-08-28T10:29:37.177580+00:00
HTTP status: 5 Sub-resource URL
Access-Control-Allow-Origin: https://www.westernunion.ru
Controls origins (websites) that are allowed to load data from this web service over JavaScript-based APIs as part of Cross-Origin Resource Sharing (CORS) standard. By default, a web browser will refuse to load data over XmlHttpRequest
from a website that is not in the same origin, which is a precaution against various types of data stealing attacks. The target server has to explicitly allow the origin domain using the Access-Control-Allow-Origin
(ACAO) header, or it may allow all origins to access it using a wildcard *
. The latter however creates a potential security issue if the website in question is transactional and processing sensitive data, so the wildcard should be only used on websites consciously offering public APIs.
Location: https://dpm.demdex.net/id/rd?d_visid_ver=4.4.0&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_verify=1&d_orgid=AACD3BC75245B4940A490D4D%40AdobeOrg&d_nsid=0&ts=1598610574207
The HTTP Location header is being returned by a server to redirect the web browser to a new URL of the requested resource. The URL may be relative (/index.html
) or absolute (https://example.com
).
P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Largely abandoned format for declaring website's privacy policy in machine-readable format. The only reason for many websites to use the header was that old versions of Microsoft Internet Explorer disallowed third-party cookies on websites missing P3P.
Read more...
P3P is a mostly abandoned standard for website privacy policy declaration that has little use today. Please consider switching to DoNotTrack standard.
0Strict-Transport-Security: max-age=31536000; includeSubDomains
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header.
Read more...
HTTP Strict Transport Security is enabled
+2Transport Layer Security (TLS) is enabled
+2X-Frame-Options
header is missing
X-XSS-Protection
header is missing
X-Content-Type-Options
header is missing