Website Security Test
Website Vulnerability Scanner
Security Report: https://www.arkoselabs.com/
Scan Date: Feb. 15, 2026, 3:03 p.m. | Duration: 23.8 seconds
Overall Risk Rating: A (89/100)
CVE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
CWE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 2 |
| Medium | 1 |
| Low | 3 |
Scan Summary
| Sr. No | Item | Value |
|---|---|---|
| 1 | Input Hostname | arkoselabs.com |
| 2 | Scan Start Time | Feb. 15, 2026, 3:03 p.m. |
| 3 | Scan Duration | 23.8 seconds |
| 4 | Total Test Cases | 50 |
Target Information
| Sr. No | Item | Value |
|---|---|---|
| 1 | Target URL | https://www.arkoselabs.com/ |
| 2 | IP Address | 108.158.46.123 |
| 3 | Hosting Provider | Amazon Web Services (AWS) |
| 4 | Registrar | Not Available |
| 5 | Programming Language | acorn 5.0.5 (laravel 12.16.0) |
| 6 | Web Server | nginx |
| 7 | Operating System | Linux/Unix |
| 8 | HTTPS Enabled | Yes |
| 9 | WAF Detected | AWS WAF |
Original Header Response
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Date: Sun, 15 Feb 2026 09:30:19 GMT
Content-Encoding: gzip
X-Cache-Group: normal
Cache-Control: max-age=600, must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:
Cross-Origin-Resource-Policy: cross-origin
Link: <https://www.arkoselabs.com/wp-json/>; rel="https://api.w.org/", <https://www.arkoselabs.com/wp-json/wp/v2/pages/32448>; rel="alternate"; title="JSON"; type="application/json", <https://www.arkoselabs.com/>; rel=shortlink
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(self "https://www.youtube.com" "https://player.vimeo.com"), battery=(), browsing-topics=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self "https://www.youtube.com" "https://player.vimeo.com"), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(self "https://www.youtube.com" "https://player.vimeo.com"), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
Referrer-Policy: origin-when-cross-origin
Strict-Transport-Security: max-age=31536000;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Acorn 5.0.5 (Laravel 12.16.0)
X-Cacheable: SHORT
Vary: Accept-Encoding,Accept-Encoding,Accept-Encoding,Accept-Encoding,Cookie
X-Cache: Hit from cloudfront
Via: 1.1 153a29b6f73d1188a3a2c0797369516a.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BOM78-P4
Alt-Svc: h3=":443"; ma=86400
X-Amz-Cf-Id: ho1YthzEGCJH3e2D-ck52LKG3W8-Vnesi8gX1KsYQ2sFNsIhEBz5IQ==
Age: 170
Network & Infrastructure Reconnaissance
| Check | Result |
|---|---|
| Inline Connection | Yes |
| IP Address | 108.158.46.123 |
| Cloud Provider Detection | Amazon Web Services (AWS) |
| Server Disclosure | nginx |
| Operating System Detection | Linux/Unix |
| Open Ports Scan | 443, 80 |
| WAF Detection | AWS WAF |
| SSL Certificate Validation | Certificate is valid |
Application Stack & Technology Fingerprinting
| Check | Result |
|---|---|
| CMS Detection | WordPress |
Transport Layer Security (TLS) & Encryption
| Check | Result |
|---|---|
| Secure Connection Check (HTTPS) | Yes |
HTTP Security Headers Analysis
| Check | Result |
|---|---|
| CSP Header Analysis | Misconfigured |
| X-Frame-Options | Properly Configured |
| X-XSS-Protection | Missing x-xss-protection header |
Session & Cookie Security
| Finding | Severity | Description | Remediation |
|---|---|---|---|
| Missing HttpOnly flag in cookies | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| Missing Secure flag in cookies | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
Sensitive Resource & File Exposure
| Check | Result |
|---|---|
| Secret Files Detection | https://www.arkoselabs.com/robots.txt, https://www.arkoselabs.com/sitemap.xml |
Information Disclosure & Error Handling
| Check | Result |
|---|---|
| Cross-Domain Inclusion | cdn.cookielaw.org, chat-application.com, munchkin.marketo.net, marketo.clearbit.com, www.googletagmanager.com, player.vimeo.com |
Application Surface & Method Exposure
| Check | Result |
|---|---|
| Allowed HTTP Methods | GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD |
| Enabled Debug Method | No |
| Enabled OPTIONS Method | Yes |
Email & Domain Security Configuration
| Check | Result |
|---|---|
| DKIM Configuration | Record found under key "google": v=DKIM1; k=rsa (RSA public key omitted here; see Raw JSON Response) |
| DMARC Policy Validation | v=DMARC1; p=reject; rua=mailto:postmaster@arkoselabs.com; ruf=mailto:postmaster@arkoselabs.com |
Abuse & Rate-Limiting Controls
| Finding | Severity | Description | Remediation |
|---|---|---|---|
| Missing Rate Limit header | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
Findings – CVE (Common Vulnerabilities and Exposures)
No CVE vulnerabilities found.
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 2 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 3 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
| 4 | Missing Header: X-XSS-PROTECTION | N/A | Low | The security header X-XSS-PROTECTION is missing. | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 5 | Missing Header: X-PERMITTED-CROSS-DOMAIN | N/A | Low | The security header X-PERMITTED-CROSS-DOMAIN is missing. | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 6 | X-XSS-Protection | N/A | Low | Missing x-xss-protection header | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 7 | CMS | N/A | Info | WordPress | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 8 | Programming Language | N/A | Info | acorn 5.0.5 (laravel 12.16.0) | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 9 | CSP Header Analysis | N/A | Info | Misconfigured | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 10 | X-Frame-Options | N/A | Info | Properly Configured | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 11 | DMARC | N/A | Info | v=DMARC1; p=reject; rua=mailto:postmaster@arkoselabs.com; ruf=mailto:postmaster@arkoselabs.com | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
Scan Test Cases
| Sr. No | Test Case |
|---|---|
| 1 | Inline Connection |
| 2 | Ip-Address |
| 3 | Cloud_Provider |
| 4 | Server Disclosure |
| 5 | Technology Disclosure |
| 6 | Cms Detection |
| 7 | Mixed Content Analysis |
| 8 | Operating-System |
| 9 | Open Ports Scan |
| 10 | Database |
| 11 | Javascript Libraries |
| 12 | Secure Connection Check |
| 13 | Directories Listing Exposed |
| 14 | Password Exposing Pages |
| 15 | Missing Security Headers |
| 16 | Missing Content-Security-Policy |
| 17 | Missing Strict-Transport-Security |
| 18 | Missing Referrer-Policy |
| 19 | Missing X-Content-Type-Options |
| 20 | Missing Cookie http flag |
| 21 | Missing Cookie secure flag |
| 22 | Secret Files Detection |
| 23 | Security File Detection |
| 24 | WAF-Detection |
| 25 | SSL Certificate Validation |
| 26 | Loose Cookie Domain |
| 27 | CSP Header Analysis |
| 28 | OpenAPI Disclosure |
| 29 | Password Leak Detection |
| 30 | Path Disclosure |
| 31 | Error Messages Analysis |
| 32 | Rate Limit Headers |
| 33 | Email Extraction |
| 34 | Xml-RPC Endpoint Detection |
| 35 | HTTP Methods Allowed |
| 36 | Enabled Debug Method |
| 37 | Enabled OPTIONS Method |
| 38 | Cross-Domain Inclusion |
| 39 | File Upload Detection |
| 40 | Client Access Policies |
| 41 | X-FRAME OPTIONS |
| 42 | X-XSS PROTECTION |
| 43 | .htaccess Exposure |
| 44 | Captcha Detection |
| 45 | Password field with autocomplete |
| 46 | DKIM |
| 47 | SPF |
| 48 | DMARC |
| 49 | Host Header Injection |
| 50 | Unencrypted Viewstate |
Raw JSON Response
{
"host": "arkoselabs.com",
"host_url": "https://www.arkoselabs.com/",
"task_id": "b19e48d5-e7f1-48f5-a1b2-e8f25c01c1cb",
"status": "COMPLETED",
"inline_connection": "Yes",
"original_header": {
"Content-Type": "text/html; charset=UTF-8",
"Transfer-Encoding": "chunked",
"Connection": "keep-alive",
"Server": "nginx",
"Date": "Sun, 15 Feb 2026 09:30:19 GMT",
"Content-Encoding": "gzip",
"X-Cache-Group": "normal",
"Cache-Control": "max-age=600, must-revalidate",
"Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:",
"Cross-Origin-Resource-Policy": "cross-origin",
"Link": "<https://www.arkoselabs.com/wp-json/>; rel=\"https://api.w.org/\", <https://www.arkoselabs.com/wp-json/wp/v2/pages/32448>; rel=\"alternate\"; title=\"JSON\"; type=\"application/json\", <https://www.arkoselabs.com/>; rel=shortlink",
"Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(self \"https://www.youtube.com\" \"https://player.vimeo.com\"), battery=(), browsing-topics=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self \"https://www.youtube.com\" \"https://player.vimeo.com\"), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(self \"https://www.youtube.com\" \"https://player.vimeo.com\"), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()",
"Referrer-Policy": "origin-when-cross-origin",
"Strict-Transport-Security": "max-age=31536000;",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "SAMEORIGIN",
"X-Powered-By": "Acorn 5.0.5 (Laravel 12.16.0)",
"X-Cacheable": "SHORT",
"Vary": "Accept-Encoding,Accept-Encoding,Accept-Encoding,Accept-Encoding,Cookie",
"X-Cache": "Hit from cloudfront",
"Via": "1.1 153a29b6f73d1188a3a2c0797369516a.cloudfront.net (CloudFront)",
"X-Amz-Cf-Pop": "BOM78-P4",
"Alt-Svc": "h3=\":443\"; ma=86400",
"X-Amz-Cf-Id": "ho1YthzEGCJH3e2D-ck52LKG3W8-Vnesi8gX1KsYQ2sFNsIhEBz5IQ==",
"Age": "170"
},
"ip_address": "108.158.46.123",
"hosting_provider": "Amazon Web Services (AWS)",
"registrar": null,
"cms": "WordPress",
"cms_cve": null,
"server": "nginx",
"server_disclosure_cve": null,
"programming_language": "acorn 5.0.5 (laravel 12.16.0)",
"technology_disclosure_cve": null,
"mixed_content_analysis": null,
"operating_system": "Linux/Unix",
"open_ports": [
"443",
"80"
],
"database_technology": null,
"javascript_libraries": null,
"javascript_libraries_cve": null,
"secure_connection": "Yes",
"directory_listing": null,
"passwords_submitted_unencrypted": null,
"missing_security_headers": [
"X-XSS-PROTECTION",
"X-PERMITTED-CROSS-DOMAIN"
],
"missing_content_security_policy_header": null,
"missing_strict_transport_security_header": null,
"missing_referrer_policy_header": null,
"missing_x_content_type_options_header": null,
"missing_httponly_flag_in_cookies": {
"issue": "Missing HttpOnly flag in cookies",
"severity": "High",
"cwe_id": "CWE-1004",
"cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
"fix": "Set the HttpOnly flag to prevent client-side script access."
},
"missing_secure_flag_in_cookies": {
"issue": "Missing Secure flag in cookies",
"severity": "High",
"cwe_id": "CWE-614",
"cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
"fix": "Enable the Secure flag for all session or sensitive cookies."
},
"secret_files_detection": [
"https://www.arkoselabs.com/robots.txt",
"https://www.arkoselabs.com/sitemap.xml"
],
"robots_txt_file_found": null,
"waf_detection": [
"AWS WAF"
],
"ssl_certificate": "Certificate is valid",
"loose_cookie_domain": null,
"csp_header_analysis": "Misconfigured",
"openapi_disclosure": null,
"password_leakage": null,
"error_messages_analysis": null,
"path_disclosure": null,
"rate_limit_headers": {
"issue": "Missing Rate Limit header",
"severity": "Medium",
"cwe_id": "CWE-770",
"cwe_description": "Improper control of resource consumption may enable brute-force or DoS attacks.",
"fix": "Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'."
},
"email_extraction": null,
"xml_rpc_endpoint_detection": null,
"http_methods_allowed": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE",
"OPTIONS",
"HEAD"
],
"enabled_debug_method": "No",
"enabled_options_method": "Yes",
"cross_domain_inclusion": [
"cdn.cookielaw.org",
"chat-application.com",
"munchkin.marketo.net",
"marketo.clearbit.com",
"www.googletagmanager.com",
"player.vimeo.com"
],
"file_upload": null,
"client_access_policies": null,
"x_frame_options": "Properly Configured",
"x_xss_protection": "Missing x-xss-protection header",
"htaccess_exposure": null,
"host_header_injection": null,
"captcha_detection": null,
"password_field_with_autocomplete": null,
"spf": null,
"dmarc": "v=DMARC1; p=reject; rua=mailto:postmaster@arkoselabs.com; ruf=mailto:postmaster@arkoselabs.com",
"dkim": {
"google": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8WGKNiBagT7eR/nlojcYZGw70niustmkxS68eF8UZfFIKk7yC0/J5ehV4s6M77+YuwEflfgW3mpFQ/u/mQzLrUDl2V3A9ALYKYzAG2R+LE0sLF1uNgCvuwQVGNJpnRXOXaRdtfW3qF0+/lPbI6D+9ydlKYh1rppZLrlI21I3MwfNi5EgiSJI6SmDFfmMYx5dtCZTP3joiVEc0uPdsJCkaEX1yEJrdfTSNC76fmCT+9zM4Bq8DwXUclgQvkvndfe3stQO8p3bg4SPTIVtthAPD8WpnleP6tq70xPtLhviWysyc3XL9lbs7stc//vXiN3LkQ1uuJ+ItyC6qFHN2NXvXQIDAQAB"
},
"unencrypted_viewstate": null,
"total_scans": [
"Inline Connection",
"Ip-Address",
"Cloud_Provider",
"Server Disclosure",
"Technology Disclosure",
"Cms Detection",
"Mixed Content Analysis",
"Operating-System",
"Open Ports Scan",
"Database",
"Javascript Libraries",
"Secure Connection Check",
"Directories Listing Exposed",
"Password Exposing Pages",
"Missing Security Headers",
"Missing Content-Security-Policy",
"Missing Strict-Transport-Security",
"Missing Referrer-Policy",
"Missing X-Content-Type-Options",
"Missing Cookie http flag",
"Missing Cookie secure flag",
"Secret Files Detection",
"Security File Detection",
"WAF-Detection",
"SSL Certificate Validation",
"Loose Cookie Domain",
"CSP Header Analysis",
"OpenAPI Disclosure",
"Password Leak Detection",
"Path Disclosure",
"Error Messages Analysis",
"Rate Limit Headers",
"Email Extraction",
"Xml-RPC Endpoint Detection",
"HTTP Methods Allowed",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"File Upload Detection",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
".htaccess Exposure",
"Captcha Detection",
"Password field with autocomplete",
"DKIM",
"SPF",
"DMARC",
"Host Header Injection",
"Unencrypted Viewstate"
],
"executive_summary": {
"Total Checks Passed": 25,
"Passed Cases": [
"Mixed Content (HTTP on HTTPS)",
"Javascript Libraries",
"Secure Connection",
"Directory Listing Exposed",
"Passwords submitted unencrypted",
"Missing Content-Security-Policy header",
"Missing Strict-Transport-Security header",
"Missing Referrer-Policy header",
"Missing X-Content-Type-Options header",
"WAF Detection",
"SSL Certificate",
"Loose cookie domain",
"OpenAPI Disclosure",
"Password Leakage",
"Error Messages Analysis",
"Path Disclosure",
"Emails exposed",
" Not Enabled Debug Method",
"File Upload Detection",
"Client Access Policies",
".htaccess Exposure",
"Host Header Injection",
"SPF",
"DMARC",
"DKIM"
],
"Total Checks Failed": 17,
"Failed Cases": [
"Server Disclosure",
"Technology Disclosure",
"Open Ports Scan",
"Missing Security Headers",
"Missing HttpOnly flag in cookies",
"Missing Secure flag in cookies",
"Secret Files Detection",
"robots.txt file found",
"security.txt file not found",
"Rate Limit Headers",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
"Captcha checking",
"Password field with autocomplete",
"Unencrypted Viewstate"
],
"Total CWEs Found": 4
},
"total_scan_time": "23.8 seconds",
"scan_start_timestamp": "2026-02-15 09:33:09"
}