Website Security Test
Website Vulnerability Scanner
Comprehensive security testing for your website
Security Report: https://xelfin.in/
Scan Date: April 12, 2026, 10:59 a.m. | Duration: 132.33s
Risk Rating
CVE findings
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
CWE findings
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 8 |
| Low | 7 |
How is the score calculated?
Scores start at 100. Deductions are: Critical (-10), High (-5), Medium (-2), Low (-1). To ensure fairness, deductions are capped per category: Critical (40), High (25), Medium (15), Low (10).
Scan Summary
| 1 | Input Hostname | xelfin.in |
| 2 | Scan Start Time | April 12, 2026, 10:59 a.m. |
| 3 | Scan Duration | 132.33s |
| 4 | Total Test Cases | 50 |
Target Information
| 1 | Target URL | https://xelfin.in/ |
| 2 | IP Address | 132.148.96.3 |
| 3 | Hosting Provider | GoDaddy Hosting |
| 4 | Registrar | GoDaddy.com, LLC |
| 5 | Programming Language | PHP:8.3.30 |
| 6 | Web Server | apache |
| 7 | Operating System | Linux/Unix |
| 8 | HTTPS Enabled | Enabled |
| 9 | WAF Detected | Not Detected |
Original Header Response
Network & Infrastructure Reconnaissance
| Inline Connection | Yes |
| IP Address | 132.148.96.3 |
| Hosting Provider | GoDaddy Hosting |
| Server | apache |
| Server Disclosure CVE | No CVEs found |
| Operating System | Linux/Unix |
| Open Ports | 3306, 443, 80 |
| Database Technology | Mysql |
| WAF Detection | Not Detected |
| SSL Certificate | Certificate is valid |
Application Stack & Technology Fingerprinting
| CMS | |
| CMS CVE | No CVEs found |
| Programming Language | PHP:8.3.30 |
| Technology Disclosure CVE | No CVEs found |
| Javascript Libraries | |
| Javascript Libraries CVE | No CVEs found |
| Openapi Disclosure | Not Found |
| XML RPC Endpoint Detection | Disabled |
Transport Layer Security (TLS) & Encryption
| Mixed Content Analysis | Mixed content (HTTP on HTTPS) |
| Secure Connection | Enabled |
| Unencrypted Viewstate | Not Detected |
HTTP Security Headers Analysis
| Missing Security Headers | STRICT-TRANSPORT-SECURITY, X-FRAME-OPTIONS, CONTENT-SECURITY-POLICY, X-CONTENT-TYPE-OPTIONS, X-XSS-PROTECTION, REFERRER-POLICY, X-PERMITTED-CROSS-DOMAIN |
| Content Security Policy | Missing Content-Security-Policy header |
| Strict Transport Security | Missing Strict-Transport-Security header |
| Referrer Policy | Missing Referrer-Policy header |
| X Content Type Options | Missing X-Content-Type-Options header |
| CSP Analysis | OK |
| X Frame Options | Missing X-Frame-Options |
| X XSS Protection | Missing x-xss-protection header |
Session & Cookie Security
| Missing HTTPonly Flag In Cookies | Missing HttpOnly flag in cookies |
| Missing Secure Flag In Cookies | Missing Secure flag in cookies |
| Loose Cookie Domain | Secure |
Sensitive Resource & File Exposure
| Directory Listing | Disabled |
| Secret Files Detection | ['https://xelfin.in/robots.txt', 'https://xelfin.in/sitemap.xml'] |
| Robots Txt File Found | None |
| Path Disclosure | Not Found |
| Htaccess Exposure | None |
Authentication & Credential Exposure
| Passwords Submitted Unencrypted | Passwords submitted unencrypted |
| Password Leakage | Not Detected |
| Password Field With Autocomplete | OK |
Information Disclosure & Error Handling
| Error Messages Analysis | Secure |
| Cross Domain Inclusion | ['img1.wsimg.com', 'gmpg.org', 'themedemo.commercegurus.com'] |
Application Surface & Method Exposure
| HTTP Methods Allowed | GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD, DEBUG |
| Enabled Debug Method | Yes |
| Enabled Options Method | Yes |
| File Upload | Not Detected |
| Client Access Policies | Not Found |
Email & Domain Security Configuration
| Email Extraction | None Found |
| SPF | Not Configured |
| DMARC | Not Configured |
| DKIM | Not Configured |
Abuse & Rate-Limiting Controls
| Rate Limit Headers | Missing Rate Limit header |
Injection & Header Manipulation
| Host Header Injection | Not Vulnerable |
Bot & Automation Protection
| Captcha Detection | Not Detected |
Other Findings
| Registrar | GoDaddy.com, LLC |
Findings – CVE (Common Vulnerabilities and Exposures)
No CVE vulnerabilities found.
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Passwords submitted unencrypted | CWE-319 | High | Credentials transmitted without encryption can be intercepted. | Use HTTPS-only forms and ensure encrypted transport of all authentication data. |
| 2 | Mixed content (HTTP on HTTPS) | CWE-319 | Medium | Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page. | Ensure all assets (JS, CSS, images) load using HTTPS only. |
| 3 | Missing Content-Security-Policy header | CWE-693 | Medium | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 4 | Missing Strict-Transport-Security header | CWE-319 | Medium | Sensitive information is exposed in transit due to the absence of secure channel enforcement. | Enable HSTS with: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". |
| 5 | Missing Referrer-Policy header | CWE-200 | Medium | Exposure of sensitive URLs or information to third-party sites. | Set a secure referrer policy such as: "Referrer-Policy: no-referrer". |
| 6 | Missing X-Content-Type-Options header | CWE-16 | Medium | Improperly configured security headers allow MIME-type confusion attacks. | Add the header: "X-Content-Type-Options: nosniff". |
| 7 | Missing HttpOnly flag in cookies | CWE-1004 | Medium | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 8 | Missing Secure flag in cookies | CWE-614 | Medium | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 9 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
| 10 | Missing Header: STRICT-TRANSPORT-SECURITY | CWE-693 | Low | The security header STRICT-TRANSPORT-SECURITY is missing. | Add STRICT-TRANSPORT-SECURITY header to server configuration. |
| 11 | Missing Header: X-FRAME-OPTIONS | CWE-693 | Low | The security header X-FRAME-OPTIONS is missing. | Add X-FRAME-OPTIONS header to server configuration. |
| 12 | Missing Header: CONTENT-SECURITY-POLICY | CWE-693 | Low | The security header CONTENT-SECURITY-POLICY is missing. | Add CONTENT-SECURITY-POLICY header to server configuration. |
| 13 | Missing Header: X-CONTENT-TYPE-OPTIONS | CWE-693 | Low | The security header X-CONTENT-TYPE-OPTIONS is missing. | Add X-CONTENT-TYPE-OPTIONS header to server configuration. |
| 14 | Missing Header: X-XSS-PROTECTION | CWE-693 | Low | The security header X-XSS-PROTECTION is missing. | Add X-XSS-PROTECTION header to server configuration. |
| 15 | Missing Header: REFERRER-POLICY | CWE-693 | Low | The security header REFERRER-POLICY is missing. | Add REFERRER-POLICY header to server configuration. |
| 16 | Missing Header: X-PERMITTED-CROSS-DOMAIN | CWE-693 | Low | The security header X-PERMITTED-CROSS-DOMAIN is missing. | Add X-PERMITTED-CROSS-DOMAIN header to server configuration. |