ImmuniWeb® WebScan


Free API

High-Tech Bridge provides a free API to test your web server's security-related configuration. To ensure a fast and available service for everyone, the free API allows 30 requests in 3 minutes, and 250 requests in total per 24 hours, from one IP address.

In addition, there are different user tiers, each with its own usage allowance for the API.


License notice: The API is provided for free for both private and commercial purposes. If you use the API for a publicly available service (commercial or not), a link to High-Tech Bridge's Free WebScan is mandatory.

Unlimited API

High-Tech Bridge provides commercial access to the WebScan API without restrictions. Tailored to your needs, the restrictions of the free API can be partially or entirely removed. Prices start at 200 USD per month.


Non-profit, research and academic institutions may request unlimited API for free. Please send your API usage requirements to for additional information.

The tiers listed below differ in how many tests they may run in parallel, how many tests they may run in a three-minute window, and how many tests are allowed in one day.

API Documentation and How-To

Full API Documentation

API Specifications

Field Name     Value
Protocol       HTTP/HTTPS
Request Type   POST
URL            https://www.htbridge.com/websec/api/v1/chsec/[ustamp].html

"ustamp" is an arbitrary UNIX timestamp (must be an integer). The timestamp in the path serves only to prevent caching on the client side; the server does not validate it.

POST Data Specification

Field Name        Value
api_key           secret token submitted alongside the request
tested_url        the URL of the domain to be tested
dnsr              "on" means the test results will be hidden, "off" means they will be displayed in the public statistics
choosen_ip        IP address of the tested server (if the tested domain resolves to multiple addresses); the field name is spelled "choosen_ip" by the API
recheck           "false" will reuse cached results if the server has been tested within the past 24 hours, "true" will perform a new test without consulting the cache
follow_redirects  "true" allows redirections to be followed
token             value of the token sent by the server if the tested domain resolves to several IP addresses

Example of Transaction Using CURL

The examples below also pass verbosity=1 and poll a second endpoint, /websec/api/v1/get_result/[ustamp].html, with the job_id (or, for a cached test, the id) returned by the first call.

# New test (not cached)
$ curl -XPOST -d 'tested_url=twitter.com&choosen_ip=any&dnsr=off&recheck=false&follow_redirects=true&verbosity=1' 'https://www.htbridge.com/websec/api/v1/chsec/1451425590.html'

{"debug":true,"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"test_started","status_id":1,"message":"Test has started"}

# You need to keep calling this until the test is finished
$ curl -XPOST -d 'job_id=2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc' 'https://www.htbridge.com/websec/api/v1/get_result/1451425590.html'

{"job_id":"2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc","status":"in_progress","status_id":2,"eta":2,"message":"Your test is in progress"}

# Same request when a result from the last 24 hours is cached (recheck=false)
$ curl -XPOST -d 'tested_url=twitter.com&choosen_ip=any&dnsr=false&follow_redirects=true&verbosity=1' 'https://www.htbridge.com/websec/api/v1/chsec/1451425590.html'

{"test_id":"c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004","status":"test_cached","status_id":3,"message":"Test is cached"}

# Fetch the cached result by its test_id
$ curl -XPOST -d 'id=c84936eef26eeb8aaef5ffc43f38ddb91adfd90ac27fb416bd0b21fe2edb1004' 'https://www.htbridge.com/websec/api/v1/get_result/1451425590.html'

# Example with error
$ curl -XPOST -d 'tested_url=0.0.0.0&choosen_ip=any&dnsr=off&recheck=false&follow_redirects=true&verbosity=1' 'https://www.htbridge.com/websec/api/v1/chsec/1451425590.html'

{"error":"The domain name does not exist","error_id":9}
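The same start-then-poll transaction as a small Python client. This is an added example, not High-Tech Bridge's own code: it builds the chsec and get_result URLs with a fresh UNIX timestamp, submits the fields from the POST Data table, and polls until the status leaves "in_progress". The transport and the sleep function are injectable, so the flow can be exercised offline against the JSON replies shown above; the page does not show what a finished result looks like, so the final reply in the replay is a constructed stand-in, and the handling of verbosity and api_key as plain form fields is an assumption taken from the curl examples.

```python
"""WebScan API client: start a test, then poll get_result (added example)."""
import json
import time
import urllib.parse
import urllib.request

BASE = "https://www.htbridge.com/websec/api/v1"
JOB_ID = "2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc"


class WebScanError(Exception):
    """Raised for any {"error": ..., "error_id": ...} reply from the API."""


def http_post(url, fields):
    """Real transport: form-encoded POST returning the decoded JSON body."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.loads(resp.read().decode())


def _check(reply):
    """Turn an error reply into an exception so callers never read a half-result."""
    if "error" in reply:
        raise WebScanError(f"{reply['error']} (error_id={reply.get('error_id')})")
    return reply


def start_test(tested_url, post=http_post, api_key=None, recheck=False,
               follow_redirects=True, dnsr="off", chosen_ip="any"):
    """POST to /chsec/<ustamp>.html; returns the test_started or test_cached reply."""
    fields = {
        "tested_url": tested_url,
        "choosen_ip": chosen_ip,           # sic: the API spells the field this way
        "dnsr": dnsr,                      # "on" hides the result from public statistics
        "recheck": "true" if recheck else "false",
        "follow_redirects": "true" if follow_redirects else "false",
        "verbosity": "1",                  # as in the page's curl examples
    }
    if api_key:                            # assumption: sent as a plain form field
        fields["api_key"] = api_key
    # The integer timestamp in the path only defeats client-side caching.
    return _check(post(f"{BASE}/chsec/{int(time.time())}.html", fields))


def fetch_result(started, post=http_post, sleep=time.sleep, min_interval=2.0,
                 max_polls=60):
    """Poll /get_result/<ustamp>.html until the reply is no longer in_progress."""
    if started.get("status_id") == 3:      # test_cached: look the result up by test_id
        fields = {"id": started["test_id"]}
    elif started.get("status_id") == 1:    # test_started: poll by job_id
        fields = {"job_id": started["job_id"]}
    else:
        raise WebScanError(f"unexpected reply: {started}")
    for _ in range(max_polls):
        reply = _check(post(f"{BASE}/get_result/{int(time.time())}.html", fields))
        if reply.get("status") != "in_progress":
            return reply
        # Honour the server's eta hint, but never poll faster than min_interval
        # (the free tier counts every request against the 30-per-3-minutes budget).
        sleep(max(min_interval, float(reply.get("eta", 0))))
    raise WebScanError("test did not finish within the polling budget")


class ReplayTransport:
    """Offline stand-in for http_post: returns canned replies in order, records calls."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.calls = []

    def __call__(self, url, fields):
        self.calls.append((url, dict(fields)))
        return self.replies.pop(0)


# The first two replies are copied from the curl transcript above; the last is a
# constructed stand-in for the finished result, whose shape the page does not show.
PAGE_REPLIES = [
    {"debug": True, "job_id": JOB_ID, "status": "test_started", "status_id": 1,
     "message": "Test has started"},
    {"job_id": JOB_ID, "status": "in_progress", "status_id": 2, "eta": 2,
     "message": "Your test is in progress"},
    {"job_id": JOB_ID, "status": "finished"},
]


def run_offline_demo():
    """Drive the full start/poll flow against the replayed replies."""
    transport = ReplayTransport(PAGE_REPLIES)
    started = start_test("twitter.com", post=transport)
    result = fetch_result(started, post=transport, sleep=lambda s: None)
    return started, result, transport.calls


if __name__ == "__main__":
    started, result, calls = run_offline_demo()
    for url, fields in calls:
        print(url, fields)
    print(result)
```

To run it against the live service, call start_test and fetch_result with the default transport (http_post) and no sleep override; the replay transport exists only so the control flow, including the cached and error branches, can be checked without spending requests from the free quota.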

System Messages

Each of the following is returned in the "error" field of the response:

- The domain name cannot be resolved.
- An error has occurred while checking DNS records of domain.
- Invalid IP address.
- Error with token. Our API has changed, please take look at documentation.
- Sorry, your API key is invalid or has expired. Please double-check it or contact us
- You have performed N tests in the last 3 minutes. The system is currently busy, please try again a bit later.
- You have performed N tests in the last 24 hours. The system is currently busy, please try again a bit later.
- Sorry, our systems are very busy now, we are working on the issue. Please try again in a few minutes.
- You have reached the limit of N concurring running tests. Please wait until at least one of them is finished.
- An error occured while testing server configuration, server become unreachable during the test.


About the Service

ImmuniWeb® WebScan is a free product available online, provided and operated by High-Tech Bridge.


During the security test we perform the following security checks:

Detailed analysis (syntax, validity, trustworthiness) of HTTP headers that may affect the security or privacy of the web server, web application or website visitors:

- Server
- X-Powered-By
- X-AspNet-Version
- Strict-Transport-Security (also known as HSTS)
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
- Content-Security-Policy (also known as CSP)
- Content-Security-Policy-Report-Only
- Public-Key-Pins (also known as HPKP)
- Public-Key-Pins-Report-Only
- Access-Control-Allow-Origin
- Expect-CT
- Expect-Staple
- Referrer-Policy

Analysis of HTTP methods that may put the web server, web application or website visitors at risk.

Detailed analysis of web application cookies for the security attributes (Secure, HttpOnly, SameSite, and the "__Secure-" and "__Host-" name prefixes) that improve the security and privacy of the web application and its visitors.


Scoring Methodology

- At the beginning of the test, the server score is 0.
- Points are added for every legitimate header that is present and/or valid (see the tables below).
- Points are deducted when a header's configuration could be improved.
- The HTTP-methods component of the score is never below -15.
- The sum of all cookie scores is capped to the range -15 to +15.

Grade  Score
A+     greater than 100
A      90 to 99
A-     80 to 89
B+     70 to 79
B      60 to 69
B-     50 to 59
C+     35 to 49
C      20 to 34
F      lower than 20

HTTP Headers Scoring

Header Name Description Over HTTP Over HTTPS
Strict-Transport-Security Header is present 0 0
Strict-Transport-Security Header is present, valid and enforced 0 +25
Strict-Transport-Security Header has a duration below 6 months 0 -10
Strict-Transport-Security Server certificate is untrusted 0 -10
Public-Key-Pins Header is present 0 0
Public-Key-Pins Header is present, valid and enforced 0 0
Public-Key-Pins Header does not include backup pin 0 0
X-Frame-Options Header is present and valid +20 +20
X-Frame-Options Header value is ALLOWALL -15 -15
X-XSS-Protection Header is present and valid +20 +20
X-XSS-Protection Header value is 1 -10 -10
X-Content-Type-Options Header is present and valid +15 +15
Content-Security-Policy Header is present +15 +15
Content-Security-Policy Header has default-src set to 'none' or 'self' +5 +5
Content-Security-Policy Header contains wildcard in default-src directive -5 -5
Content-Security-Policy Header contains wildcard in any other directive -5 -5
Content-Security-Policy Header allows eval function or inline scripts -5 -5
Content-Security-Policy Header has frame-ancestors directive set and restricting sources and X-Frame-Options header is not set +20 +20
Content-Security-Policy Header has frame-ancestors directive set with wildcard and X-Frame-Options header is not set +5 +5
Content-Security-Policy Header has frame-ancestors directive set and consistent with X-Frame-Options header value +5 +5
Content-Security-Policy Header has frame-ancestors directive set and inconsistent with X-Frame-Options header value -20 -20
Content-Security-Policy Header enables blocking or disables XSS protection and X-XSS-Protection header is not set +20 +20
Content-Security-Policy Header enables XSS filtering and X-XSS-Protection header is not set +5 +5
Content-Security-Policy Header has the reflected-xss directive set and consistent with X-XSS-Protection header value +5 +5
Content-Security-Policy Header has the reflected-xss directive set with a value different from the X-XSS-Protection header -20 -20
Content-Security-Policy Header has the upgrade-insecure-requests or the block-all-mixed-content directive set +5 +5
Server Header discloses server's software version -5 -5
X-Powered-By Header discloses server's software version -5 -5
X-AspNet-Version Header discloses server's software version -5 -5

Remaining Scoring

Description Score
Cryptojacking malware detected -50
Server supports Custom HTTP methods -15
Server supports TRACE, TRACK or CONNECT HTTP method -15
A cookie has an invalid syntax -10
A cookie does not have the HttpOnly flag set -5
A cookie has the Secure flag set +5
A cookie has the SameSite flag set to Lax +5
A cookie has the SameSite flag set to Strict +10
A cookie does not have the SameSite flag set -1
A cookie name has the "__Secure-" prefix and its prerequisites +5
A cookie name has the "__Host-" prefix and its prerequisites +10
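The scoring tables above are straightforward to turn into code, and doing so makes the interactions between rows visible (for example, X-XSS-Protection: 1 earns +20 for being valid and then -10 for not blocking). The following is an added example, not High-Tech Bridge's scoring engine: it implements the header, HTTP-method and cookie rows that can be evaluated from a response alone, applies the -15 clamp on methods and the -15..+15 clamp on cookies, and maps the total to a grade. Rows that need data the response does not carry (certificate trust, cryptojacking) and the deprecated reflected-xss rows are left out. Where the page leaves a definition open, the interpretation is an assumption and is commented: "valid and enforced" HSTS is taken to mean a positive max-age, six months is taken as 180 days, and frame-ancestors is taken to be "consistent" with X-Frame-Options when DENY pairs with 'none' and SAMEORIGIN with 'self'. A score of exactly 100 is not covered by the grade table and is treated as A.

```python
"""Reimplementation of the WebScan scoring tables (added example, not the vendor's code)."""
import re

SIX_MONTHS = 180 * 24 * 3600          # assumption: "6 months" == 180 days
SAFE_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
DANGEROUS_METHODS = {"TRACE", "TRACK", "CONNECT"}


def _directives(csp):
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}"""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def score_headers(h, https):
    """h maps lower-cased header names to values; https says which column applies."""
    s = 0
    hsts = h.get("strict-transport-security")
    if hsts and https:                    # every HSTS row scores 0 over plain HTTP
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if m and int(m.group(1)) > 0:     # assumption: this is "valid and enforced"
            s += 25
            if int(m.group(1)) < SIX_MONTHS:
                s -= 10
    xfo = (h.get("x-frame-options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM "):
        s += 20
    elif xfo == "ALLOWALL":
        s -= 15
    xss = (h.get("x-xss-protection") or "").strip().lower()
    if re.fullmatch(r"[01](;\s*(mode=block|report=\S+))?", xss):
        s += 20
        if xss == "1":                    # filter on but not blocking: +20 then -10
            s -= 10
    if (h.get("x-content-type-options") or "").strip().lower() == "nosniff":
        s += 15
    csp = h.get("content-security-policy")
    if csp:
        d = _directives(csp)
        s += 15
        default = d.get("default-src", [])
        if default in (["'none'"], ["'self'"]):
            s += 5
        if any("*" in t for t in default):
            s -= 5
        if any("*" in t for k, v in d.items() if k != "default-src" for t in v):
            s -= 5
        scripts = d.get("script-src", default)   # script-src falls back to default-src
        if "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
            s -= 5
        fa = d.get("frame-ancestors")
        if fa is not None:
            if not xfo:
                s += 5 if "*" in fa else 20
            else:  # assumption: DENY<->'none' and SAMEORIGIN<->'self' are "consistent"
                consistent = (xfo, fa) in (("DENY", ["'none'"]), ("SAMEORIGIN", ["'self'"]))
                s += 5 if consistent else -20
        if "upgrade-insecure-requests" in d or "block-all-mixed-content" in d:
            s += 5
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if re.search(r"\d+\.\d+", h.get(name, "")):   # a version number is disclosed
            s -= 5
    return s


def score_methods(methods):
    """-15 for TRACE/TRACK/CONNECT, -15 for custom methods, floor -15 overall."""
    up = {m.upper() for m in methods}
    s = -15 if up & DANGEROUS_METHODS else 0
    if up - SAFE_METHODS - DANGEROUS_METHODS:
        s -= 15
    return max(s, -15)


def score_cookie(set_cookie):
    """Score one Set-Cookie header value according to the cookie rows."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, eq, _ = parts[0].partition("=")
    if not name or not eq:                # no name=value pair: invalid syntax
        return -10
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "")
             for p in parts[1:]}
    s = 0 if "httponly" in attrs else -5
    if "secure" in attrs:
        s += 5
    samesite = attrs.get("samesite")
    s += -1 if samesite is None else {"lax": 5, "strict": 10}.get(samesite.lower(), 0)
    if name.startswith("__Secure-") and "secure" in attrs:
        s += 5
    if name.startswith("__Host-") and "secure" in attrs and attrs.get("path") == "/" \
            and "domain" not in attrs:
        s += 10
    return s


def grade(score):
    if score > 100:
        return "A+"
    for floor, g in ((90, "A"), (80, "A-"), (70, "B+"), (60, "B"), (50, "B-"), (35, "C+"), (20, "C")):
        if score >= floor:                # exactly 100 is not in the page's table; lands on A
            return g
    return "F"


def score_response(headers, cookies=(), methods=("GET", "HEAD", "POST"), https=True):
    """Total score and grade for one response (headers, Set-Cookie values, allowed methods)."""
    h = {k.lower(): v for k, v in headers.items()}
    cookie_total = max(-15, min(15, sum(score_cookie(c) for c in cookies)))
    total = score_headers(h, https) + score_methods(methods) + cookie_total
    return total, grade(total)


# Constructed sample responses: one weak, one hardened.
WEAK = {"Strict-Transport-Security": "max-age=3600", "X-Frame-Options": "ALLOWALL",
        "X-XSS-Protection": "1", "Server": "Apache/2.4.29", "X-Powered-By": "PHP/7.2.3",
        "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"}
WEAK_COOKIES = ["sessionid=abc", "broken"]
WEAK_METHODS = ("GET", "POST", "TRACE", "DEBUG")
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff", "Server": "nginx",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                       "frame-ancestors 'none'; upgrade-insecure-requests"}
HARDENED_COOKIES = ["__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    print("weak:", score_response(WEAK, WEAK_COOKIES, WEAK_METHODS))
    print("hardened:", score_response(HARDENED, HARDENED_COOKIES))
```

The weak sample scores 0 on headers (a short HSTS max-age still nets +15, which the ALLOWALL and version-disclosure rows cancel), hits the -15 floor on methods, and hits the -15 floor on cookies; the hardened sample exceeds 100 on headers alone and its single cookie is capped at +15.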


Try other ImmuniWeb® Free Products

ImmuniWeb® Mobile App Scanner: Audit your iOS or Android apps for OWASP Mobile Top 10 and other vulnerabilities.

ImmuniWeb® Trademark Monitor: Discover typosquatted, cybersquatted or phishing websites abusing your brand.

ImmuniWeb® SSLScan: Test your servers for security and compliance with PCI DSS, HIPAA & NIST.
