| 1. General Results, most used to calculate the result |
A | name "200.124.203.117" is ipv4 address, public suffix is not defined
|
A | Good: All ip addresses are public addresses
|
A | https://almuerzos.adium.com.uy/
| https://almuerzos.adium.com.uy/Account/Login
| Correct redirect https to https
|
A | Good: destination is https
|
A | Good - only one version with Http-Status 200
|
A | Good: one preferred version: non-www is preferred
|
A | Good: No cookie sent via http.
|
A | Good: Every cookie has a SameSite Attribute with a correct value Strict/Lax/None
|
A | Good: every https has a Strict Transport Security Header
|
A | Good: HSTS max-age is long enough, 63072000 seconds = 730 days
|
A | Good: All urls with http status 200/404 have a complete Content-Type header (MediaType / MediaSubType + correct charset)
|
B | https://almuerzos.adium.com.uy/
| max-age=63072000; includeSubDomains,max-age=2592000
| Critical: HSTS-Header has Parse-Errors. Comma found, but Comma not allowed. Perhaps more then one HSTS-Header., Unknown directive found. Only max-age (with value), includeSubdomains or preload allowed.
|
B | https://almuerzos.adium.com.uy/Account/Login
| max-age=63072000; includeSubDomains,max-age=2592000
| Critical: HSTS-Header has Parse-Errors. Comma found, but Comma not allowed. Perhaps more then one HSTS-Header., Unknown directive found. Only max-age (with value), includeSubdomains or preload allowed.
|
B | https://almuerzos.adium.com.uy/Account/Login
| .AspNetCore.Identity.Application=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax
| Cookie sent via https, but not marked as secure
|
B | https://almuerzos.adium.com.uy/Account/Login
| Identity.External=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax
| Cookie sent via https, but not marked as secure
|
B | https://almuerzos.adium.com.uy/Account/Login
| Identity.TwoFactorUserId=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax
| Cookie sent via https, but not marked as secure
|
B | https://almuerzos.adium.com.uy/Account/Login
| .AspNetCore.Antiforgery.2AI3wenIwVY=CfDJ8AxkB3TSmdNGguoGQM7dakmev8XRittB2BAydlC_-bOskCwk7zwHIHSxC5d3eB_A5TglLIzkHdwx-UL6_Lf5wopSf_eUxfaly9q_b7CJ3Bii8CZBITHOPpmNQ3BbqbHDbC3KEqEms2csZOH2I5v6dEg; path=/; samesite=strict; httponly
| Cookie sent via https, but not marked as secure
|
E | http://200.124.203.117/ 200.124.203.117
| https://almuerzos.adium.com.uy/
| Wrong redirect one domain http to other domain https. First redirect to https without new dns query, so the server can send the HSTS header. That's fundamental using HSTS (Http Strict Transport Security). First step: Add correct redirects http ⇒ https. Perhaps in your port 80 vHost something like "RewriteEngine on" + "RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]" (two rows, without the "). Don't add this in your port 443 vHost, that would create a loop. Then recheck your domain, should be Grade C. There is the rule to select one https version as preferred version.
|
I | https://almuerzos.adium.com.uy/Account/Login
|
| Content problems or problems with resources included - http links, files doesn't exist, different Content-Type definitions. Check the Html-Content - Part.
|
M | https://200.124.203.117/ 200.124.203.117
|
| Misconfiguration - main pages should never send http status 400 - 499
|
M | https://200.124.203.117/ 200.124.203.117
|
| Misconfiguration - main pages should never send http status 400 - 499
|
N | https://200.124.203.117/ 200.124.203.117
|
| Error - Certificate isn't trusted, RemoteCertificateNameMismatch
|
N | https://200.124.203.117/ 200.124.203.117
|
| Error - Certificate isn't trusted, RemoteCertificateNameMismatch
|
B | No _mta-sts TXT record found (mta-sts: Mail Transfer Agent Strict Transport Security - see RFC 8461). Read the result of server-daten.de (Url-Checks, Comments, Connections and DomainServiceRecords) to see a complete definition. Domainname: _mta-sts.200.124.203.117
|
| 2. Header-Checks (Cross-Origin-* headers are alpha - started 2024-06-05) |
A | 200.124.203.117 200.124.203.117
| X-Content-Type-Options
| Ok: Header without syntax errors found: nosniff
|
A |
| X-Frame-Options
| Ok: Header without syntax errors found: SAMEORIGIN
|
B |
|
| Info: Header is deprecated. May not longer work in modern browsers. SAMEORIGIN. Better solution: Use a Content-Security-Policy Header with a frame-ancestors directive. DENY - use 'none', SAMEORIGIN - use 'self'. If you want to allow some domains to frame your page, add these urls.
|
A |
| X-Xss-Protection
| Ok: Header without syntax errors found: 1; mode=block
|
B |
|
| Info: Header is deprecated. May not longer work in modern browsers. 1; mode=block
|
A | almuerzos.adium.com.uy
| X-Content-Type-Options
| Ok: Header without syntax errors found: nosniff
|
F |
| X-Frame-Options
| Critical: Header with syntax errors found: SAMEORIGIN,SAMEORIGIN
|
B |
|
| Info: Header is deprecated. May not longer work in modern browsers. SAMEORIGIN,SAMEORIGIN. Better solution: Use a Content-Security-Policy Header with a frame-ancestors directive. DENY - use 'none', SAMEORIGIN - use 'self'. If you want to allow some domains to frame your page, add these urls.
|
F |
|
| Critical: Duplicated values found. Looks like the page sends multiple headers with the same name. SAMEORIGIN,SAMEORIGIN
|
F |
|
| Critical: Unknown token found. Standard-token with additional characters are not defined. SAMEORIGIN,SAMEORIGIN
|
F |
|
| Critical: Unknown token found. Standard-token with additional characters are not defined. SAMEORIGIN,SAMEORIGIN
|
A |
| X-Xss-Protection
| Ok: Header without syntax errors found: 1; mode=block
|
B |
|
| Info: Header is deprecated. May not longer work in modern browsers. 1; mode=block
|
F | 200.124.203.117 200.124.203.117
| Content-Security-Policy
| Critical: Missing Header:
|
F | 200.124.203.117 200.124.203.117
| Referrer-Policy
| Critical: Missing Header:
|
F | 200.124.203.117 200.124.203.117
| Permissions-Policy
| Critical: Missing Header:
|
B | 200.124.203.117 200.124.203.117
| Cross-Origin-Embedder-Policy
| Info: Missing Header
|
B | 200.124.203.117 200.124.203.117
| Cross-Origin-Opener-Policy
| Info: Missing Header
|
B | 200.124.203.117 200.124.203.117
| Cross-Origin-Resource-Policy
| Info: Missing Header
|
F | almuerzos.adium.com.uy
| Content-Security-Policy
| Critical: Missing Header:
|
F | almuerzos.adium.com.uy
| Referrer-Policy
| Critical: Missing Header:
|
F | almuerzos.adium.com.uy
| Permissions-Policy
| Critical: Missing Header:
|
B | almuerzos.adium.com.uy
| Cross-Origin-Embedder-Policy
| Info: Missing Header
|
B | almuerzos.adium.com.uy
| Cross-Origin-Opener-Policy
| Info: Missing Header
|
B | almuerzos.adium.com.uy
| Cross-Origin-Resource-Policy
| Info: Missing Header
|
| 3. DNS- and NameServer - Checks |
| 4. Content- and Performance-critical Checks |
| Fatal: All checks of /.well-known/acme-challenge/random-filename have a redirect, destination doesn't have the random filename. Creating a Letsencrypt certificate via http-01 challenge may not work. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.
|
A | Good: Every https result with status 200 and greater 1024 Bytes is compressed (gzip, deflate, br checked).
|
| https://almuerzos.adium.com.uy/Account/Login
|
| Warning: Https + http status 200 + Inline CSS / JavaScript found. Don't use inline CSS / JavaScript. These are compiled and re-used ressources, save these with a long Cache-Control max-age - header.
|
| https://almuerzos.adium.com.uy/Account/Login
|
| Warning: Https result with status 200 found, Html-Content is too big. Should be max. 110 %. May contain inline CSS / JavaScript, too much comments or white space. Re-used ressources - create files with a long Cache-Control max-age header. Remove comments and white space.
|
A | Good: Every https connection via port 443 supports the http/2 protocol via ALPN.
|
| https://almuerzos.adium.com.uy/Account/Login
|
| Critical: Some script Elements (type text/javascript) with a src-Attribute don't have a defer / async - Attribute. Loading and executing these JavaScripts blocks parsing and rendering the Html-Output. That's bad if your site is large or the connection is slow / mobile usage. Use "async" if the js file has only functions (so nothing is executed after parsing the file) or is independend. Use "defer" if the order of the scripts is important. All "defer" scripts are executed before the DOMContentLoaded event is fired. Check https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script to see some details.: 4 script elements without defer/async.
|
A | Good: All CSS / JavaScript files are sent compressed (gzip, deflate, br checked). That reduces the content of the files. 7 external CSS / JavaScript files found
|
A | Good: All images with internal compression not compressed. Some Images (.png, .jpg, .jpeg, .webp, .gif) are already compressed, so an additional compression isn't helpful. 1 images (type image/png, image/jpg, image/jpeg, image/webp, image/gif) found without additional Compression. Not required because these images are already compressed
|
| Warning: CSS / JavaScript files with a missing or too short Cache-Control header found. Browsers should cache and re-use these files. 6 external CSS / JavaScript files without Cache-Control-Header, 0 with Cache-Control, but no max-age, 1 with Cache-Control max-age too short (minimum 7 days), 0 with Cache-Control long enough, 7 complete.
|
| Warning: Images with a missing or too short Cache-Control header found. Browsers should cache and re-use these files. 1 image files without Cache-Control-Header, 0 with Cache-Control, but no max-age, 0 with Cache-Control max-age too short (minimum 7 days), 0 with Cache-Control long enough, 1 complete.
|
A | Good: All checked attribute values are enclosed in quotation marks (" or ').
|
| Wrong: img-elements without alt-attribute or empty alt-attribute found. The alt-attribute ("alternative") is required and should describe the img. So Screenreader and search engines are able to use these informations.: 1 img-elements without alt-attribute, 0 img-elements with empty alt-attribute found.
|
| https://almuerzos.adium.com.uy/
| Strict-Transport-Security: max-age=63072000; includeSubDomains,max-age=2592000
| Parse Error - Header can't be parsed
|
| https://almuerzos.adium.com.uy/Account/Login
| Strict-Transport-Security: max-age=63072000; includeSubDomains,max-age=2592000
| Parse Error - Header can't be parsed
|
| https://200.124.203.117/ 200.124.203.117
| 9.040 seconds
| Warning: 404 needs more then one second
|
| https://200.124.203.117/ 200.124.203.117
| 7.853 seconds
| Warning: 404 needs more then one second
|
A | Info: Different Server-Headers found
|
A | Duration: 60143 milliseconds, 60.143 seconds
|