| 1. General Results, most used to calculate the result |
| A | Name "177.72.126.206" is an IPv4 address; no public suffix is defined for it.
|
| A | Good: All ip addresses are public addresses
|
| A | Good: destination is https
|
| A | Good: only one version answers with HTTP status 200
|
| A | Good: every https has a Strict Transport Security Header
|
| A | Good: HSTS max-age is long enough, 31536000 seconds = 365 days. Caveat: RFC 6797 tells user agents not to record an IP address literal as an HSTS host, so the header only takes effect once the site is reached under a host name.
|
| A | Content-Type check (urls with http status 200/404; complete = MediaType/MediaSubType plus a correct charset): 0 complete Content-Type headers out of 2 urls
|
| https://177.72.126.206/ 177.72.126.206
|
| URL with incomplete Content-Type header (missing charset)
|
| https://177.72.126.206/ 177.72.126.206
|
| URL with incomplete Content-Type header (missing charset)
|
| N | https://177.72.126.206/ 177.72.126.206
|
| Error: Certificate isn't trusted: RemoteCertificateNameMismatch. The certificate's Subject Alternative Name does not cover 177.72.126.206. An IP literal is only matched by an iPAddress SAN entry, never by dNSName entries, so every client will warn about or refuse this connection.
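The name-mismatch above, worked through as an added example (not part of the scan report or of the server-daten tool). The real certificate's SAN list is not in the report, so both SAN lists below are constructed; they use the (type, value) tuple shape that Python's ssl.SSLSocket.getpeercert()["subjectAltName"] returns, so the same matcher can be pointed at a live peer certificate.

```python
"""Why a certificate fails with RemoteCertificateNameMismatch for an IP-addressed site.

Added example; not part of the scan report or of the server-daten tool.
The SAN lists are constructed and mirror the tuples returned by
ssl.SSLSocket.getpeercert()["subjectAltName"].
"""
import ipaddress

# Constructed: a typical hosting certificate that names host names only.
HOSTNAME_ONLY_SAN = (("DNS", "example.com"), ("DNS", "*.example.com"))

# Constructed: the same certificate with an iPAddress entry for the scanned IP.
SAN_WITH_IP = HOSTNAME_ONLY_SAN + (("IP Address", "177.72.126.206"),)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive, trailing dot ignored,
    and a wildcard may only stand in for the whole leftmost label, so
    *.example.com covers www.example.com but neither example.com nor
    a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    first, _, rest = hostname.partition(".")
    return bool(first) and rest == pattern[2:]


def certificate_covers(san, reference: str) -> bool:
    """True if the SAN list covers the identity the client connected to.

    An IP literal is covered only by an iPAddress entry; dNSName entries never
    match it. The Common Name is deliberately ignored, as browsers ignore it."""
    try:
        ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    return any(kind == "DNS" and dns_name_matches(value, reference)
               for kind, value in san)


def explain(san, reference: str) -> str:
    """One-line verdict in the wording the report uses."""
    if certificate_covers(san, reference):
        return f"OK: certificate covers {reference}"
    return f"Error: RemoteCertificateNameMismatch for {reference}"


if __name__ == "__main__":
    cases = ((HOSTNAME_ONLY_SAN, "hostname-only certificate"),
             (SAN_WITH_IP, "certificate with an iPAddress SAN entry"))
    for san, label in cases:
        print(label)
        for ref in ("177.72.126.206", "www.example.com", "example.com", "a.b.example.com"):
            print("  ", explain(san, ref))
```

The fix on the server side is either to serve the site under a host name that the certificate lists, or to obtain a certificate whose SAN carries the IP as an iPAddress entry; renaming the CN changes nothing.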
|
| B | No _mta-sts TXT record found (MTA-STS: Mail Transfer Agent Strict Transport Security, see RFC 8461). Read the result of server-daten.de (Url-Checks, Comments, Connections and DomainServiceRecords) for a complete definition. Domain name: _mta-sts.177.72.126.206. MTA-STS policies are published per mail domain in DNS, so this check cannot succeed for a bare IP address; it only matters for a domain that points here and receives mail.
|
| 2. Header-Checks |
| A | 177.72.126.206 177.72.126.206
| Content-Security-Policy
| Ok: Header without syntax errors found: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
|
| F |
|
| Bad: Missing default-src directive. default-src is the fallback for every fetch directive (child-src, connect-src, font-src, frame-src, img-src, manifest-src, media-src, object-src, prefetch-src, script-src, style-src, worker-src) that isn't set explicitly. Without it, each undeclared fetch directive allows any source, which is bad. A default-src of 'none' or 'self' closes that gap.
|
| E |
|
| Bad: No form-action directive found. Use one to limit the destinations a form may submit to. form-action is a navigation directive, so default-src doesn't apply to it.
|
| A |
|
| Good: frame-ancestors directive found. It limits which pages may embed this page in a frame / iframe / object / embed / applet. frame-ancestors is a navigation directive, so default-src doesn't apply to it.
|
| E |
|
| Bad: No base-uri directive found. Use one to limit the URLs allowed in a document's <base> element. It is a document directive, so default-src doesn't apply and an explicit directive is required.
|
| A |
|
| Good: object-src only with 'none' or 'self' found, no scheme, no other urls. That blocks object / embed / applet - elements.
|
| F |
|
| Critical: script-src with 'unsafe-inline' or 'unsafe-eval' and no nonce found. That's dangerous, don't use it. If inline scripts are really needed, add a nonce (or a hash) for each of them; CSP2-capable browsers then ignore 'unsafe-inline'. Note that a nonce does not neutralize 'unsafe-eval': eval() and new Function() stay available to any injected code as long as that keyword is present.
|
| F |
|
| Critical: script-src with * or a scheme source found (here https: and blob:). Never allow wildcard sources: https: permits scripts from any HTTPS origin, including any attacker-controlled site.
|
| A |
|
| Good: script-src without data: scheme found. Why does this matter? The data: scheme allows hidden code injection. Insert <script src='data:application/javascript;base64,YWxlcnQoJ1hTUycpOw=='></script> in your page (the base64 decodes to alert('XSS');) and see what happens.
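The CSP checks listed above (default-src fallback, form-action, base-uri, frame-ancestors, object-src, and the script-src findings), implemented over the served policy and a hardened replacement, as an added example that is not part of the scan report or of the server-daten tool. SERVED_CSP is the policy quoted in the report; HARDENED_CSP and its nonce value are assumptions, and a real server must generate a fresh random nonce for every response. Unlike the report's wording, the checker flags 'unsafe-eval' even when a nonce is present, since a nonce only gates inline script elements and not eval().

```python
"""Parse a Content-Security-Policy header and grade it with the checks listed above.

Added example; not part of the scan report or of the server-daten tool.
HARDENED_CSP is a constructed replacement policy; 'nonce-PLACEHOLDER' stands in
for a per-response random nonce.
"""

# The policy quoted in the report for 177.72.126.206.
SERVED_CSP = ("frame-ancestors 'self'; object-src 'self'; "
              "script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;")

# Constructed hardened policy: explicit default-src, nonce instead of 'unsafe-inline',
# no schemes, no eval, and the navigation/document directives set.
HARDENED_CSP = ("default-src 'none'; script-src 'self' 'nonce-PLACEHOLDER'; "
                "style-src 'self'; img-src 'self'; connect-src 'self'; "
                "object-src 'none'; base-uri 'none'; form-action 'self'; "
                "frame-ancestors 'self'")

# Fetch directives fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"child-src", "connect-src", "font-src", "frame-src", "img-src",
                    "manifest-src", "media-src", "object-src", "prefetch-src",
                    "script-src", "style-src", "worker-src"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directive names are case-insensitive. When a directive is repeated, browsers
    keep the first occurrence and ignore the rest; setdefault mirrors that."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def is_scheme_source(source: str) -> bool:
    """'https:', 'blob:', 'data:' as opposed to a host source like https://cdn.example.com"""
    return source.endswith(":") and "/" not in source


def effective(policy: dict[str, list[str]], directive: str):
    """Source list governing a directive, honouring the default-src fallback.
    Navigation and document directives have no fallback and return None."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def check_csp(header: str) -> list[tuple[str, str]]:
    """Return (grade, finding) pairs using the report's grading letters."""
    policy = parse_csp(header)
    findings: list[tuple[str, str]] = []
    if "default-src" not in policy:
        findings.append(("F", "Missing default-src: undeclared fetch directives allow any source"))
    for directive in ("form-action", "base-uri", "frame-ancestors"):
        if directive not in policy:
            findings.append(("E", f"Missing {directive}: default-src does not apply to it"))

    script = effective(policy, "script-src")
    if script is None:
        findings.append(("F", "No script-src and no default-src: scripts may load from anywhere"))
    else:
        lowered = [s.lower() for s in script]
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in lowered)
        if "'unsafe-inline'" in lowered and not nonce_or_hash:
            findings.append(("F", "script-src 'unsafe-inline' without nonce/hash: injected inline scripts run"))
        if "'unsafe-eval'" in lowered:
            findings.append(("F", "script-src 'unsafe-eval': eval()/new Function() stay available; a nonce does not help"))
        wild = [s for s in script if s == "*" or is_scheme_source(s)]
        if wild:
            findings.append(("F", "script-src allows wildcard/scheme sources: " + " ".join(wild)))
        if "data:" in lowered:
            findings.append(("F", "script-src allows data: URLs, which hide injected code in base64"))

    objects = effective(policy, "object-src")
    if objects is None or any(s.lower() not in ("'none'", "'self'") for s in objects):
        findings.append(("E", "object-src should be 'none' (or 'self'): plugin content can carry injected code"))
    return findings


if __name__ == "__main__":
    for label, csp in (("served", SERVED_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {csp}")
        for grade, text in check_csp(csp) or [("A", "no findings")]:
            print(f"  {grade} | {text}")
```

Run against SERVED_CSP the checker reproduces the six findings above (four F, two E); HARDENED_CSP produces none. Moving the page's inline scripts into external files, or tagging each with the per-response nonce, is what makes the hardened policy deployable.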
|
| A |
| X-Content-Type-Options
| Ok: Header without syntax errors found: nosniff
|
| A |
| X-Frame-Options
| Ok: Header without syntax errors found: SAMEORIGIN
|
| B |
|
| Info: X-Frame-Options is a legacy header (here: SAMEORIGIN). Browsers still honor it, but it is superseded by the Content-Security-Policy frame-ancestors directive, which takes precedence when both are present. Better solution: use frame-ancestors. DENY ⇒ 'none', SAMEORIGIN ⇒ 'self'. If some domains should be allowed to frame your page, list their origins there. Keeping X-Frame-Options as a fallback for browsers without CSP2 support does no harm.
|
| A |
| X-Xss-Protection
| Ok: Header without syntax errors found: 1; mode=block
|
| B |
|
| Info: X-XSS-Protection is deprecated (here: 1; mode=block). The XSS auditor it controlled has been removed from Chromium-based browsers and was never implemented in Firefox, so the header has no effect there. If you send it at all, send "0" to switch the filter off in legacy browsers, where it could be abused as a side channel, and rely on a strict Content-Security-Policy instead.
|
| F | 177.72.126.206 177.72.126.206
| Referrer-Policy
| Critical: Missing Header
|
| F | 177.72.126.206 177.72.126.206
| Permissions-Policy
| Critical: Missing Header
|
| B | 177.72.126.206 177.72.126.206
| Cross-Origin-Embedder-Policy
| Info: Missing Header
|
| B | 177.72.126.206 177.72.126.206
| Cross-Origin-Opener-Policy
| Info: Missing Header
|
| B | 177.72.126.206 177.72.126.206
| Cross-Origin-Resource-Policy
| Info: Missing Header
|
| 3. DNS- and NameServer - Checks |
| 4. Content- and Performance-critical Checks |
| http://177.72.126.206/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 177.72.126.206
|
| Fatal: The check of /.well-known/acme-challenge/random-filename timed out. Creating a Let's Encrypt certificate via the http-01 challenge cannot work this way: you need a running web server answering plain http on an open port 80. On a home server behind IPv4 NAT, a correct port forwarding (external port 80 ⇒ the internal port the web server listens on) may be required. Port 80 / http may redirect to another domain on port 80 or to port 443, but not to other ports. If your ISP blocks port 80, use the dns-01 challenge instead. Trouble creating a certificate? Ask at https://community.letsencrypt.org/.
|
| https://177.72.126.206/ 177.72.126.206
|
| Warning: https + http status 200 + inline CSS / JavaScript found. Don't use inline CSS / JavaScript: move it into external files, which are reused across pages, and serve those with a long Cache-Control max-age header. Inline scripts are also what forces the 'unsafe-inline' in script-src flagged above.
|
| https://177.72.126.206/ 177.72.126.206
|
| Warning: https + http status 200 + inline CSS / JavaScript found. Don't use inline CSS / JavaScript: move it into external files, which are reused across pages, and serve those with a long Cache-Control max-age header. Inline scripts are also what forces the 'unsafe-inline' in script-src flagged above.
|
| A | Good: every https result with status 200 has minified HTML content (size ratio below 110 %).
|
| https://177.72.126.206/ 177.72.126.206
|
| Warning: https connections (standard port 443) found without http/2 support via ALPN. Http/2 is the successor of http/1.1 with important new features: one TCP connection per server (a performance boost), header compression and server push (which Chrome has since removed). Update your server software so http/2 is available. Domain sharding and inline CSS / JavaScript shouldn't be used with http/2.
|
| https://177.72.126.206/ 177.72.126.206
|
| Warning: https connections (standard port 443) found without http/2 support via ALPN. Http/2 is the successor of http/1.1 with important new features: one TCP connection per server (a performance boost), header compression and server push (which Chrome has since removed). Update your server software so http/2 is available. Domain sharding and inline CSS / JavaScript shouldn't be used with http/2.
|
| A | Info: No img element found, no alt attribute checked
|
| A | Duration: 50210 milliseconds, 50.210 seconds
|