This page contains a mix of secure and insecure elements for testing security scanners.
| Check | Expected | Why |
|---|---|---|
| X-Content-Type-Options | PASS | Header set to nosniff |
| Referrer-Policy | PASS | Header set to strict-origin-when-cross-origin |
| Permissions-Policy | PASS | Restrictive policy set |
| Subresource Integrity | PASS | SRI hash on normalize.css |
| HTTPS (page itself) | PASS | Served over HTTPS by Cloudflare |
| Content-Security-Policy | FAIL | No CSP header set |
| Strict-Transport-Security | FAIL | No HSTS header set |
| X-Frame-Options | FAIL | No clickjacking protection |
| Mixed Content | FAIL | jQuery loaded over HTTP |
| Inline Scripts | FAIL | Inline `<script>` block present |
| CSRF Protection | FAIL | Login form has no CSRF token |
| Secure Cookies | FAIL | `session_prefs` cookie missing Secure/HttpOnly |
| Open Redirect | FAIL | `/redirect?url=` accepts arbitrary URLs |
| Information Disclosure | FAIL | `/api/info` exposes server details |
| Autocomplete on Password | FAIL | Password field has autocomplete="on" |
Test elements embedded in the page:

- Login form: no CSRF token; password field allows autocomplete.
- Image loaded over plain HTTP (mixed content).
- Image loaded over HTTPS.
- The `/redirect?url=` endpoint redirects to any URL without validation.
- The `/api/info` endpoint exposes internal server details.
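Added example, not part of this test page's own code: a small checker for the header and cookie rows of the table above, run against a constructed response that mirrors what the table describes. The header values themselves (beyond the names the table gives) and the cookie value are assumptions.

```python
from collections import defaultdict

# Constructed sample response mirroring the table: the PASS headers are
# present, the FAIL headers are absent, and the session_prefs cookie
# lacks Secure/HttpOnly. A list of pairs allows repeated Set-Cookie headers.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "session_prefs=dark; Path=/"),
]

# Expected column of the table for the rows this checker covers.
EXPECTED = {
    "X-Content-Type-Options": "PASS", "Referrer-Policy": "PASS",
    "Permissions-Policy": "PASS", "Content-Security-Policy": "FAIL",
    "Strict-Transport-Security": "FAIL", "X-Frame-Options": "FAIL",
    "Secure Cookies": "FAIL",
}

def cookie_is_secure(set_cookie):
    """True only if the Set-Cookie value carries both Secure and HttpOnly."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs

def header_checks(response):
    """Evaluate the header/cookie rows of the table; returns {check: PASS|FAIL}."""
    h = defaultdict(list)
    for name, value in response:
        h[name.lower()].append(value)
    first = lambda name: h[name][0].strip() if h[name] else ""
    csp = first("content-security-policy").lower()
    return {
        "X-Content-Type-Options": "PASS" if first("x-content-type-options").lower() == "nosniff" else "FAIL",
        "Referrer-Policy": "PASS" if first("referrer-policy") else "FAIL",
        "Permissions-Policy": "PASS" if first("permissions-policy") else "FAIL",
        "Content-Security-Policy": "PASS" if csp else "FAIL",
        "Strict-Transport-Security": "PASS" if first("strict-transport-security").lower().startswith("max-age=") else "FAIL",
        # Clickjacking: X-Frame-Options or a CSP frame-ancestors directive counts.
        "X-Frame-Options": "PASS" if first("x-frame-options") or "frame-ancestors" in csp else "FAIL",
        # Every Set-Cookie must carry Secure and HttpOnly; no cookies at all is a PASS.
        "Secure Cookies": "PASS" if all(cookie_is_secure(c) for c in h["set-cookie"]) else "FAIL",
    }

def mismatches(response, expected=EXPECTED):
    """Checks whose verdict differs from the table's expected column."""
    got = header_checks(response)
    return {k: (expected[k], got[k]) for k in expected if got[k] != expected[k]}

if __name__ == "__main__":
    for check, verdict in header_checks(SAMPLE_RESPONSE).items():
        print(f"{check:28} {verdict}")
    print("mismatches against the table:", mismatches(SAMPLE_RESPONSE))
```

Rows that depend on page content (mixed content, inline scripts, CSRF token, the redirect and info endpoints) need a body parser or a live request and are not covered by this checker.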