RedPen Scout Scan: yourdomain.com (overall grade F)

Hosted on Vercel  ·  Next.js  ·  Google Analytics 4  ·  SSL: Let's Encrypt

Security: F (Critical 1, High 2, Medium 1, Low 2)
Performance: C
Accessibility: C
Best Practices: D
SEO: A

This site has a critical exposure and multiple security gaps. The admin panel is publicly accessible, email authentication is missing, and several security headers are not configured. Performance scored a C (58/100). Main issues: render-blocking resources delaying first paint, oversized images adding unnecessary load time, and no caching policy on static assets. Accessibility scored a C with missing form labels and low contrast text.

PART 1

Security Scan

Critical Findings 1
Admin panel exposed at /admin
Your admin dashboard is publicly accessible with no authentication. Anyone on the internet can access it and make changes to your site.
High Findings 2
Content-Security-Policy header missing
Your site has no rules telling browsers what code is allowed to run on it. If a hacker gets a script onto your page through a plugin, a comment box, or a compromised ad network, your visitors' browsers will run it without question. This is the most common way user sessions get hijacked and visitors get redirected to fake login pages.
SPF record missing
There is no SPF record on your domain, which means anyone can send email pretending to be from you. This makes phishing attacks against your customers trivially easy and causes your legitimate emails to be flagged as spam.
Medium Findings 1
DMARC policy is p=none - no enforcement
Your DMARC record exists but is set to monitoring mode only. Spoofed emails from your domain are still delivered to recipients - the policy does nothing to block them.
Low Findings 2
X-Frame-Options header missing
Other websites can embed your site invisibly inside their own pages and trick visitors into clicking buttons they can't see - like "confirm payment" or "grant access". This technique is called clickjacking and requires a one-line fix.
DKIM record not found
Emails sent from your domain aren't digitally signed. There's no way for receiving mail servers to verify a message actually came from you, which makes spoofing easier and can cause your legitimate emails to land in spam.

PART 2

Performance Audit

Performance: 58 (C)
Accessibility: 71 (C)
Best Practices: 65 (D)
SEO: 91 (A)
Performance Issues (C)

Eliminate render-blocking resources (F)
Some files must finish downloading before your page shows anything to visitors. Loading these in the background would make the page appear faster.
Potential savings of 1,800 ms

Properly size images (D)
Your images are significantly larger than they need to be. Compressing or resizing them would reduce page weight and speed up load time for every visitor.
Potential savings of 680 KB

Avoid serving legacy JavaScript to modern browsers (D)
Your site sends compatibility code for old browsers that most of your visitors don't need. Removing it would reduce the amount of code every visitor has to download.
Potential savings of 42 KB
Accessibility Issues (C)

Form elements do not have associated labels (F)
Some form fields don't have labels, so screen reader users can't tell what to type in them.

Background and foreground colors do not have a sufficient contrast ratio (F)
Some text on your page doesn't have enough contrast against its background, making it difficult to read for users with visual impairments.
Best Practices Issues (D)

Browser errors were logged to the console (F)
Your page is generating background JavaScript errors. While visitors may not notice right away, these indicate broken functionality.
6 errors

Uses third-party cookies (F)
Your site uses third-party cookies that browsers are increasingly blocking by default. This may break features for some visitors.

Significant security issues found. This site has multiple exploitable gaps. RedPen Triage will get you to a safe baseline with prioritized fixes and implementation support.

RedPen Complete Triage fixes every security and performance issue above - with fix PRs included.

Fix my site - Complete Triage from $500

RedPen Security - redpen.sh