All-in-one free web application security tool. Web application vulnerability and privacy scanner with support for HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, Supercookies, Evercookies. Includes a free SSL/TLS, HTML and HTTP vulnerability scanner and URL malware scanner.
Category: Search Engine
Keywords: qwant
Last fetched: 2019-11-21T11:53:09.325488+00:00
HTTP status: 5 Sub-resource URL
X-Frame-Options: SAMEORIGIN
Instructs the browser if the current website can be embedded in HTML frame by another website. Since this allows the parent website to control the framed page, this creates a potential for data theft attacks ("clickjacking") and most sensitive websites won't allow them to be framed at all (deny
) or just allow parts of them to be embedded in frames created by themselves only (samesite
).
Clickjacking protection is enabled
+2Strict-Transport-Security: max-age=31536000 ; includeSubdomains ; preload
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header.
Read more...
HTTP Strict Transport Security is enabled
+2X-XSS-Protection: 1; mode=block
Controls an Cross-Site Scripting (XSS) filters built into the majority of web browsers. The filter is usually turned on by default anyway, but requirement to set the header to 1
became part of canonical set of "secure" HTTP headers. Over time, vulnerabilities in the "sanitizing" mode filter were found, so 1; mode=block
became the recommended value. Some companies decided that they don't really need a browser-side XSS filter to mess with their web services which are XSS-free anyway and they became consciously disabling the XSS filter by setting the header to 0
.
XSS auditor is enabled in blocking mode
+1X-Content-Type-Options: nosniff
A non-standard but widely accepted header introduced originally by Microsoft to disable "content sniffing" or heuristic content type discovery in absence or mismatch of a proper HTTP Content-Type
declaration, which led to a number of web attacks. In general, presence of the header with its only defined value of nosniff
is considered as part of a properly secured HTTP response.
Fuzzy content type guessing is disabled
+1Server: Qwant
Announces web server software and optionally version details.
Read more...Transport Layer Security (TLS) is enabled
+2frame-ancestors *.qwant.com *.qwantjunior.com lmqt.fyi; media-src blob: *.qwant.com *.apple.com *.qobuz.com; style-src 'unsafe-inline' data: *.qwant.com *.qwantjunior.com *.kamoov.com; worker-src blob: 'self' www.youtube-nocookie.com www.youtube.com; base-uri 'self'; block-all-mixed-content; img-src blob: 'self' s1.qwant.com s2.qwant.com s.qwant.com data: s-boards.qwant.com s-lite.qwant.com www.qwant.com; form-action 'self'; frame-src viewer.dood3d.com *.vid.web.acsta.net player.twitch.tv player.vimeo.com www.dailymotion.com *.qwant.com *.qwantjunior.com www.youtube-nocookie.com *.tvlocale.fr *.smartrezo.com *.femmesetcitoyennete.fr *.jeunesreporterssansfrontieres.fr *.medias-francophones.com *.trendy-community.fr *.tvcitoyenne.com *.veitech.com *.localetv.eu player.myvideoplace.tv; object-src 'self'; default-src 'self' data: blob:; connect-src *.qobuz.com *.apple.com wss://masq-ws.qwant.com *.qwant.com extras.qwantjunior.com; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' data: *.qwant.com; font-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.qwant.com;
Content-Security-Policy
Origin style-src 'unsafe-inline'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
The default-src data:
origin allows bypassing CSP and execution of inlined untrusted scripts
Origin script-src-elem 'unsafe-inline'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
Origin script-src-elem 'unsafe-eval'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
The script-src data:
origin allows bypassing CSP and execution of inlined untrusted scripts
You should definitely try using 'strict-dynamic'
to eliminate those long lists of trusted third-party scripts
Consider using script-src 'report-sample'
as it significantly helps debugging CSP reports. See specification
Origin script-src 'unsafe-inline'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
Origin script-src 'unsafe-eval'
allows bypassing of CSP and execution of inlined untrusted scripts. Use 'nonce-'
or 'sha256-'
instead
Want second opinion? Try Google CSP Evaluator.
The website uses the following advertisement publisher ids: