All-in-one free web application security tool. Web application vulnerability and privacy scanner with support for HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, Supercookies, Evercookies. Includes a free SSL/TLS, HTML and HTTP vulnerability scanner and URL malware scanner.
1x1 transparent PNG is frequently used as user tracking mechanism
Category: Social Network
Keywords: apps data make share users others people policy account content cookies provide facebook policies services companies including statement advertising information
Last fetched: 2020-10-07T21:44:23.479812+00:00
HTTP status: 5 Sub-resource URL
Advanced user tracking and fingerprinting techniques are used by websites to bypass privacy protection in web browsers and increase tracking persistence.
b'\x89PNG' … b'IHDR' … b'\x00\x00\x00\x01\x00\x00\x00\x01'
X-Frame-Options: DENY
Instructs the browser if the current website can be embedded in HTML frame by another website. Since this allows the parent website to control the framed page, this creates a potential for data theft attacks ("clickjacking") and most sensitive websites won't allow them to be framed at all (deny
) or just allow parts of them to be embedded in frames created by themselves only (samesite
).
Clickjacking protection is enabled
+2X-XSS-Protection: 0
Controls an Cross-Site Scripting (XSS) filters built into the majority of web browsers. The filter is usually turned on by default anyway, but requirement to set the header to 1
became part of canonical set of "secure" HTTP headers. Over time, vulnerabilities in the "sanitizing" mode filter were found, so 1; mode=block
became the recommended value. Some companies decided that they don't really need a browser-side XSS filter to mess with their web services which are XSS-free anyway and they became consciously disabling the XSS filter by setting the header to 0
.
XSS auditor is disabled
0Strict-Transport-Security: max-age=15552000; preload
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header.
Read more...
HTTP Strict Transport Security is enabled
+2X-Content-Type-Options: nosniff
A non-standard but widely accepted header introduced originally by Microsoft to disable "content sniffing" or heuristic content type discovery in absence or mismatch of a proper HTTP Content-Type
declaration, which led to a number of web attacks. In general, presence of the header with its only defined value of nosniff
is considered as part of a properly secured HTTP response.
Fuzzy content type guessing is disabled
+1Transport Layer Security (TLS) is enabled
+2default-src facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com data: blob: 'self';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' facebook.com *.facebook.com fbcdn.net *.fbcdn.net fbsbx.com *.fbsbx.com cdninstagram.com *.cdninstagram.com;connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* attachment.fbsbx.com blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c;
Content-Security-Policy
No base-uri
allows attackers to inject base
tags which override the base URI to an attacker-controlled origin. Set to 'none'
unless you need to handle tricky relative URLs scheme
Both upgrade-insecure-requests
and block-all-mixed-content
are present but they are mutually exclusive. The latter will be ignored
Policy that has script-src
but not object-src
(or default-src: 'none'
allows script execution by injecting plugin resources. Please read our CSP guidance for more details for more details
The default-src data:
origin allows bypassing CSP and execution of inlined untrusted scripts
The script-src data:
origin allows bypassing CSP and execution of inlined untrusted scripts
You should definitely try using 'strict-dynamic'
to eliminate those long lists of trusted third-party scripts
Consider using script-src 'report-sample'
as it significantly helps debugging CSP reports. See specification
Origin script-src 'unsafe-inline'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
Origin script-src 'unsafe-eval'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
Origin style-src 'unsafe-inline'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
Want second opinion? Try Google CSP Evaluator.