Web Server Security Test

API

For the Web Server Security Test service, High-Tech Bridge provides a free API to test the security of your web servers.

Because all the security tests of this service are also performed within the scope of our free SSL/TLS service, please refer to that service's free API.


License notice: The API is provided for free for both private and commercial purposes. If you use the API for a publicly available service (commercial or not), a link to High-Tech Bridge's Free SSL Server Test is mandatory.

About the Service

This web server security testing service is provided and operated by High-Tech Bridge.


During the security test we perform the following security checks:

Detailed analysis (syntax, validity, trustworthiness) of HTTP headers that may affect the security or privacy of the web server, the web application or website visitors:

- Server
- X-Powered-By
- X-AspNet-Version
- Strict-Transport-Security (also known as HSTS)
- Public-Key-Pins (also known as HPKP)
- Content-Security-Policy (also known as CSP)
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options

Analysis of supported HTTP methods that may put the web server, the web application or website visitors at risk.

Detailed analysis of web application cookies for security attributes that may improve the security and privacy of the web application and of website visitors.


For any questions or suggestions, please contact us by email:

Scoring Methodology

- At the beginning of the test, the server score is 0.
- Points are added for every legitimate header that is present and/or valid (see the tables below).
- Points are deducted when a header's configuration could be improved.
- The score for unsafe HTTP method support will never be below -15.
- The sum of all cookie scores will never be above 15 or below -15.

Grade  Score
A+     greater than 100
A      between 90 and 99
A-     between 80 and 89
B+     between 70 and 79
B      between 60 and 69
B-     between 50 and 59
C+     between 35 and 49
C      between 20 and 34
F      lower than 20

HTTP Headers Scoring

Points per rule, scored separately for connections over plain HTTP and over HTTPS:

  HTTP  HTTPS  Description
Strict-Transport-Security
     0      0  Header is present
     0     25  Header is present, valid and enforced
     0    -10  Header has a duration below 6 months
     0    -10  Server certificate is untrusted
Public-Key-Pins
     0      0  Header is present
     0     10  Header is present, valid and enforced
     0     -5  Header does not include a backup pin
X-Frame-Options
    20     20  Header is present and valid
   -15    -15  Header value is ALLOWALL
X-XSS-Protection
    20     20  Header is present and valid
   -10    -10  Header value is 1
X-Content-Type-Options
    15     15  Header is present and valid
Content-Security-Policy
    15     15  Header is present
     5      5  Header has default-src set to 'none' or 'self'
    -5     -5  Header contains a wildcard in the default-src directive
    -5     -5  Header contains a wildcard in any other directive
    -5     -5  Header allows the eval function or inline scripts
    20     20  Header has the frame-ancestors directive set and restricting sources, and the X-Frame-Options header is not set
     5      5  Header has the frame-ancestors directive set with a wildcard, and the X-Frame-Options header is not set
     5      5  Header has the frame-ancestors directive set and consistent with the X-Frame-Options header value
   -20    -20  Header has the frame-ancestors directive set and inconsistent with the X-Frame-Options header value
    20     20  Header enables blocking or disables XSS protection, and the X-XSS-Protection header is not set
     5      5  Header enables XSS filtering, and the X-XSS-Protection header is not set
     5      5  Header has the reflected-xss directive set and consistent with the X-XSS-Protection header value
   -20    -20  Header contains the reflected-xss directive with a different value than the X-XSS-Protection header
     5      5  Header has the upgrade-insecure-requests or the block-all-mixed-content directive set
Server
    -5     -5  Header discloses the server's software version
X-Powered-By
    -5     -5  Header discloses the server's software version
X-AspNet-Version
    -5     -5  Header discloses the server's software version

Remaining Scoring

Score  Description
  -15  Server supports custom HTTP methods
  -15  Server supports the TRACE, TRACK or CONNECT HTTP method
  -10  A cookie has an invalid syntax
   -5  A cookie does not have the HttpOnly flag set
    5  A cookie has the Secure flag set
    5  A cookie has the SameSite flag set to Lax
   10  A cookie has the SameSite flag set to Strict
    5  A cookie name has the "__Secure-" prefix and its prerequisites
   10  A cookie name has the "__Host-" prefix and its prerequisites
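To show how the scoring methodology, the header table and the remaining-scoring table above combine into a grade, here is an illustrative scorer written for this page. It is an added example, not High-Tech Bridge's own code, and it implements only the rules that can be decided from response headers alone (the untrusted-certificate rule and the reflected-xss rows are left out). How it parses each header value, what counts as a "valid" value, the 180-day reading of "6 months" and the digit-pattern heuristic for version disclosure are all assumptions of this example. The two sample responses are constructed, not captured from any real server.

```python
"""Illustrative scorer for the grading tables above (added example, not
High-Tech Bridge's own code).  Header parsing and the version-disclosure
heuristic are our own assumptions about how the service checks each rule."""
import re
from typing import Dict, List, Tuple

SIX_MONTHS = 180 * 24 * 3600                      # assumption: "6 months" = 180 days
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
DANGEROUS_METHODS = {"TRACE", "TRACK", "CONNECT"}
VERSION_RE = re.compile(r"\d+\.\d+")              # "Apache/2.4.41" discloses a version


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src a b" into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def score_headers(headers: Dict[str, str], https: bool) -> Tuple[int, List[str]]:
    """Apply the 'HTTP Headers Scoring' table; returns (points, reasons)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    score, why = 0, []

    def add(points: int, reason: str) -> None:
        nonlocal score
        score += points
        why.append(f"{points:+d} {reason}")

    hsts = h.get("strict-transport-security")
    if hsts and https:                            # HSTS earns nothing over plain HTTP
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if m:
            add(25, "HSTS present, valid and enforced")
            if int(m.group(1)) < SIX_MONTHS:
                add(-10, "HSTS max-age below 6 months")
    hpkp = h.get("public-key-pins")
    if hpkp and https:
        pins = re.findall(r'pin-sha256="[^"]+"', hpkp)
        if pins and re.search(r"max-age=\d+", hpkp):
            add(10, "HPKP present, valid and enforced")
            if len(pins) < 2:
                add(-5, "HPKP has no backup pin")
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM "):
        add(20, "X-Frame-Options present and valid")
    elif xfo == "ALLOWALL":
        add(-15, "X-Frame-Options is ALLOWALL")
    xxp = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xxp in ("0", "1", "1;mode=block"):
        add(20, "X-XSS-Protection present and valid")
        if xxp == "1":
            add(-10, "X-XSS-Protection is 1 (filter without blocking)")
    if h.get("x-content-type-options", "").lower() == "nosniff":
        add(15, "X-Content-Type-Options present and valid")
    csp = h.get("content-security-policy")
    if csp:
        d = parse_csp(csp)
        default = d.get("default-src", [])
        add(15, "CSP present")
        if default in (["'none'"], ["'self'"]):
            add(5, "CSP default-src is 'none' or 'self'")
        if "*" in default:
            add(-5, "CSP wildcard in default-src")
        if any("*" in srcs for name, srcs in d.items() if name != "default-src"):
            add(-5, "CSP wildcard in another directive")
        if {"'unsafe-inline'", "'unsafe-eval'"} & set(default + d.get("script-src", [])):
            add(-5, "CSP allows inline scripts or eval")
        fa = d.get("frame-ancestors")
        if fa is not None and not xfo:
            add(5 if "*" in fa else 20, "CSP frame-ancestors set, no X-Frame-Options")
        elif fa is not None:                      # both set: must agree with each other
            consistent = (fa == ["'none'"] and xfo == "DENY") or \
                         (fa == ["'self'"] and xfo == "SAMEORIGIN")
            add(5 if consistent else -20, "CSP frame-ancestors vs X-Frame-Options")
        if "upgrade-insecure-requests" in d or "block-all-mixed-content" in d:
            add(5, "CSP upgrades insecure requests or blocks mixed content")
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if VERSION_RE.search(h.get(name, "")):
            add(-5, f"{name} discloses a software version")
    return score, why


def score_methods(methods: List[str]) -> int:
    """HTTP-method rules; the page never lets this part drop below -15."""
    ms = {m.upper() for m in methods}
    score = -15 if ms & DANGEROUS_METHODS else 0
    if ms - STANDARD_METHODS - DANGEROUS_METHODS:  # anything non-standard is "custom"
        score -= 15
    return max(score, -15)


def score_cookies(set_cookie: List[str], https: bool) -> int:
    """Cookie rules; the page clamps the sum of all cookies to -15..15."""
    total = 0
    for raw in set_cookie:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        if "=" not in parts[0] or not name:
            total -= 10                           # invalid syntax, nothing else to score
            continue
        attrs = {k.lower(): v.lower() for k, _, v in (p.partition("=") for p in parts[1:])}
        secure, same_site = "secure" in attrs, attrs.get("samesite")
        total += (-5 if "httponly" not in attrs else 0) + (5 if secure else 0)
        total += {"lax": 5, "strict": 10}.get(same_site, 0)
        if name.startswith("__Secure-") and secure and https:
            total += 5
        if name.startswith("__Host-") and secure and https \
                and "domain" not in attrs and attrs.get("path") == "/":
            total += 10
    return max(-15, min(15, total))


def grade(score: int) -> str:
    """Letter grade from the 'Grade / Score' table; the table leaves exactly 100
    unassigned, and this example files it under A (assumption)."""
    if score > 100:
        return "A+"
    for threshold, letter in ((90, "A"), (80, "A-"), (70, "B+"), (60, "B"),
                              (50, "B-"), (35, "C+"), (20, "C")):
        if score >= threshold:
            return letter
    return "F"


def score_response(headers, https, methods, set_cookie):
    """Combine the three partial scores into (total, grade, reasons)."""
    points, why = score_headers(headers, https)
    total = points + score_methods(methods) + score_cookies(set_cookie, https)
    return total, grade(total), why


# Constructed sample responses (not captured from any real server).
HARDENED = dict(https=True, methods=["GET", "HEAD", "POST"],
    headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block",
             "X-Content-Type-Options": "nosniff", "Server": "nginx",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; "
                                        "upgrade-insecure-requests"},
    set_cookie=["__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Strict"])
WEAK = dict(https=False, methods=["GET", "POST", "TRACE", "DEBUG"],
    headers={"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
             "X-Frame-Options": "ALLOWALL", "X-XSS-Protection": "1",
             "Content-Security-Policy": "default-src *; script-src 'unsafe-inline' *"},
    set_cookie=["sid=1", "=bad"])

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        total, letter, why = score_response(**sample)
        print(f"{label}: score={total} grade={letter}")
        for line in why:
            print("   ", line)
```

Running the block scores the hardened sample at 125 (A+): 110 points from the header table, plus the cookie sum of 25 clamped to 15. The weak sample lands at -45 (F): -15 from headers, the method score clamped to -15, and the cookie sum clamped to -15. The `why` list makes each deduction traceable to a table row, which is what you want when turning a grade into a remediation ticket.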
