Website Security Test
Website Vulnerability Scanner
Security Report: https://www.wafcharm.com:443/
Scan Date: April 6, 2026, 4:39 p.m. | Duration: 16.31s
This is a Light Scan result.
Risk Rating
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
| Critical | 0 |
| High | 4 |
| Medium | 3 |
| Low | 8 |
How is the score calculated?
Scores start at 100. Deductions are: Critical (-10), High (-5), Medium (-2), Low (-1). To ensure fairness, deductions are capped per category: Critical (40), High (25), Medium (15), Low (10).
Scan Summary
| 1 | Input Hostname | wafcharm.com |
| 2 | Scan Start Time | April 6, 2026, 4:39 p.m. |
| 3 | Scan Duration | 16.31s |
| 4 | Total Test Cases | 50 |
Target Information
| 1 | Target URL | https://www.wafcharm.com:443/ |
| 2 | IP Address | 18.172.78.56 |
| 3 | Hosting Provider | Amazon Web Services (AWS) |
| 4 | Registrar | Not Available |
| 5 | Programming Language | Not Detected |
| 6 | Web Server | apache |
| 7 | Operating System | Linux/Unix |
| 8 | HTTPS Enabled | Enabled |
| 9 | WAF Detected | ['AWS WAF'] |
Original Header Response
Network & Infrastructure Reconnaissance
| Inline Connection | Yes |
| IP Address | 18.172.78.56 |
| Hosting Provider | Amazon Web Services (AWS) |
| Server | apache |
| Server Disclosure CVE | No CVEs found |
| Operating System | Linux/Unix |
| Open Ports | 443, 80 |
| Database Technology | Not Detected |
| WAF Detection | ['AWS WAF'] |
| SSL Certificate | Error connecting to www.wafcharm.com:443: [Errno -2] Name or service not known |
Application Stack & Technology Fingerprinting
| CMS | {'WordPress': '7.3.8'} |
| CMS CVE | No CVEs found |
| Programming Language | Not Detected |
| Technology Disclosure CVE | None |
| Javascript Libraries | |
| Javascript Libraries CVE | No CVEs found |
| Openapi Disclosure | Not Found |
| XML RPC Endpoint Detection | Disabled |
Transport Layer Security (TLS) & Encryption
| Mixed Content Analysis | Secure |
| Secure Connection | Enabled |
| Unencrypted Viewstate | Not Detected |
HTTP Security Headers Analysis
| Missing Security Headers | STRICT-TRANSPORT-SECURITY, PERMISSIONS-POLICY, X-FRAME-OPTIONS, CONTENT-SECURITY-POLICY, X-CONTENT-TYPE-OPTIONS, X-XSS-PROTECTION, REFERRER-POLICY, X-PERMITTED-CROSS-DOMAIN |
| Content Security Policy | Missing Content-Security-Policy header |
| Strict Transport Security | Missing Strict-Transport-Security header |
| Referrer Policy | Missing Referrer-Policy header |
| X Content Type Options | Missing X-Content-Type-Options header |
| CSP Analysis | Properly Configured |
| X Frame Options | Missing X-Frame-Options |
| X XSS Protection | Missing x-xss-protection header |
Session & Cookie Security
| Missing HttpOnly Flag In Cookies | Missing HttpOnly flag in cookies |
| Missing Secure Flag In Cookies | Missing Secure flag in cookies |
| Loose Cookie Domain | Secure |
Sensitive Resource & File Exposure
| Directory Listing | Disabled |
| Secret Files Detection | ['https://www.wafcharm.com:443/sitemap.xml'] |
| Robots Txt File Found | None |
| Path Disclosure | Not Found |
| Htaccess Exposure | None |
Authentication & Credential Exposure
| Passwords Submitted Unencrypted | Secure |
| Password Leakage | Not Detected |
| Password Field With Autocomplete | Properly Configured |
Information Disclosure & Error Handling
| Error Messages Analysis | Secure |
| Cross Domain Inclusion | ['ajax.googleapis.com', 'www.google.com', 'fonts.googleapis.com', 'fonts.gstatic.com', 'www.googletagmanager.com', 'www.youtube.com'] |
Application Surface & Method Exposure
| HTTP Methods Allowed | GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD |
| Enabled Debug Method | No |
| Enabled Options Method | Yes |
| File Upload | Not Detected |
| Client Access Policies | Not Found |
Email & Domain Security Configuration
| Email Extraction | None Found |
| SPF | v=spf1 include:mail.zendesk.com include:aspmx.pardot.com include:24116766.spf07.hubspotemail.net include:_spf.google.com ~all |
| DMARC | v=DMARC1;p=quarantine;rua=mailto:dmarc@wafcharm.com;ruf=mailto:dmarc@wafcharm.com;rf=afrf;pct=10 |
| DKIM | Not Configured |
Abuse & Rate-Limiting Controls
| Rate Limit Headers | Missing Rate Limit header |
Injection & Header Manipulation
| Host Header Injection | Not Vulnerable |
Bot & Automation Protection
| Captcha Detection | Not Detected |
Other Findings
| Registrar | None |
Findings – CVE (Common Vulnerabilities and Exposures)
No CVE vulnerabilities found.
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Missing Content-Security-Policy header | CWE-693 | High | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 2 | Missing Strict-Transport-Security header | CWE-319 | High | Sensitive information is exposed in transit due to the absence of secure channel enforcement. | Enable HSTS with: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". |
| 3 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 4 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 5 | Missing Referrer-Policy header | CWE-200 | Medium | Exposure of sensitive URLs or information to third-party sites. | Set a secure referrer policy such as: "Referrer-Policy: no-referrer". |
| 6 | Missing X-Content-Type-Options header | CWE-16 | Medium | Improperly configured security headers allow MIME-type confusion attacks. | Add the header: "X-Content-Type-Options: nosniff". |
| 7 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
| 8 | Missing Header: STRICT-TRANSPORT-SECURITY | CWE-693 | Low | The security header STRICT-TRANSPORT-SECURITY is missing. | Add STRICT-TRANSPORT-SECURITY header to server configuration. |
| 9 | Missing Header: PERMISSIONS-POLICY | CWE-693 | Low | The security header PERMISSIONS-POLICY is missing. | Add PERMISSIONS-POLICY header to server configuration. |
| 10 | Missing Header: X-FRAME-OPTIONS | CWE-693 | Low | The security header X-FRAME-OPTIONS is missing. | Add X-FRAME-OPTIONS header to server configuration. |
| 11 | Missing Header: CONTENT-SECURITY-POLICY | CWE-693 | Low | The security header CONTENT-SECURITY-POLICY is missing. | Add CONTENT-SECURITY-POLICY header to server configuration. |
| 12 | Missing Header: X-CONTENT-TYPE-OPTIONS | CWE-693 | Low | The security header X-CONTENT-TYPE-OPTIONS is missing. | Add X-CONTENT-TYPE-OPTIONS header to server configuration. |
| 13 | Missing Header: X-XSS-PROTECTION | CWE-693 | Low | The security header X-XSS-PROTECTION is missing. | Add X-XSS-PROTECTION header to server configuration. |
| 14 | Missing Header: REFERRER-POLICY | CWE-693 | Low | The security header REFERRER-POLICY is missing. | Add REFERRER-POLICY header to server configuration. |
| 15 | Missing Header: X-PERMITTED-CROSS-DOMAIN | CWE-693 | Low | The security header X-PERMITTED-CROSS-DOMAIN is missing. | Add X-PERMITTED-CROSS-DOMAIN header to server configuration. |