Knowledge Base

Identify. Understand. Remediate.

21 actionable guides covering the vulnerabilities WebShield detects, each with platform-specific fixes you can paste straight into config.

21 guides8 categories8 platforms3 Critical7 High6 Medium5 Low

Scan

Paste any URL on the home page. WebShield fetches headers, DNS records and TLS metadata, then grades the result in under a minute.

Understand

Every finding explains the spec, the real-world exploit path and why browsers or mail providers penalize the default.

Remediate

Copy the paste-ready config for Nginx, Apache, Vercel, Cloudflare, AWS, IIS, HAProxy or Traefik - 8 platforms covered per finding.

Transport & TLS4 guides

How data travels between browsers and servers. Weak TLS, mixed content and broken HSTS let attackers downgrade or intercept the connection before your application ever runs.

High

Missing HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) acts as a "security seatbelt," forcing browsers to refuse all insecure HTTP connec...

View remediation

High

Mixed Content (Insecure Resources)

Mixed Content occurs when an HTTPS page loads resources (images, scripts, styles) over insecure HTTP.

View remediation

Critical

CORS Misconfiguration

Cross-Origin Resource Sharing (CORS) controls which domains can access your API resources via the browser.

View remediation

High

Weak TLS Protocols Enabled (TLS 1.0 / 1.1)

The server still negotiates TLS 1.0 or TLS 1.1, both of which were formally deprecated by RFC 8996 in 2021 and are prohi...

View remediation

Content Security6 guides

Controls what code browsers are allowed to execute on your origin. CSP, framing rules and MIME protections stop XSS, clickjacking and type-confusion attacks before they reach users.

High

Missing Content Security Policy (CSP)

CSP is the "nuclear option" against Cross-Site Scripting (XSS). It tells the browser exactly which domains are allowed t...

View remediation

Medium

Unsafe Links (Reverse Tabnabbing)

Links that open in a new tab (`target="_blank"`) without `rel="noopener"` or `rel="noreferrer"` are vulnerable.

View remediation

Medium

Missing Subresource Integrity (SRI)

SRI ensures that files you load from CDNs (like jQuery or Bootstrap) haven't been tampered with.

View remediation

Medium

Missing X-Frame-Options

Prevents your website from being embedded in an iframe on another site. This stops "Clickjacking" attacks.

View remediation

Medium

Missing X-Content-Type-Options

Prevents the browser from "guessing" the file type (MIME sniffing) and forces it to trust the server's declared type.

View remediation

Low

Missing Cross-Origin Isolation (COOP, COEP, CORP)

COOP, COEP, and CORP are three related headers that together put your page into a "cross-origin isolated" state, blockin...

View remediation

Cookies & Sessions1 guide

How sessions survive across requests. The Secure, HttpOnly and SameSite flags decide whether a session cookie survives an XSS attempt or a cross-site CSRF request.

Medium

Insecure Cookies

Cookies missing `Secure`, `HttpOnly`, or `SameSite` flags can be stolen or abused.

View remediation

Privacy & Leakage2 guides

What the browser hands to third parties on every request. Referrer Policy and Permissions-Policy limit how much user context leaks to analytics, embeds and ad networks.

Low

Missing Permissions-Policy

Formerly "Feature-Policy", this header allows you to enable or disable browser features and APIs (like Camera, Microphon...

View remediation

Low

Weak Referrer Policy

Controls how much data about "where the user came from" is sent to the next website they visit.

View remediation

Email Authentication3 guides

DNS records that prove outbound mail is actually from you. SPF, DKIM and DMARC stop spoofers from impersonating your domain and getting past Gmail and Yahoo bulk-sender filters.

High

Missing DMARC Policy

DMARC tells receiving mail servers what to do when a message fails SPF or DKIM checks, and where to send the forensic re...

View remediation

High

Missing SPF Record

SPF (Sender Policy Framework) lists the IP addresses and hostnames authorized to send mail for your domain, and defines...

View remediation

High

Missing DKIM Signature

DKIM signs every outbound message with a cryptographic signature anchored in DNS, proving the message came from your dom...

View remediation

DNS Hardening2 guides

DNS-layer defences that sit outside the HTTP stack. DNSSEC stops response tampering at resolution time; CAA stops unauthorized certificate authorities from ever issuing a cert for your domain.

Medium

Missing DNSSEC

DNSSEC signs your DNS records cryptographically so validating resolvers can detect tampering or cache poisoning during l...

View remediation

Low

Missing CAA Record

A CAA (Certificate Authority Authorization) record lists the CAs allowed to issue certificates for your domain. Every pu...

View remediation

File Exposure2 guides

Files that should never have been public. A single exposed .env or .git directory hands attackers credentials or your entire source history in one HTTP request - no exploit required.

Critical

Exposed `.git` Directory

A publicly reachable `/.git/` directory exposes your entire source code, commit history, configuration, and anything com...

View remediation

Critical

Exposed `.env` File

A `.env` file served by the web server exposes every credential the application uses: database URLs, API keys, signing s...

View remediation

Infrastructure Hygiene1 guide

Findings that do not fit a single category - usually version banners and fingerprinting surfaces that help attackers tailor exploits to your exact stack.

Low

Server Information Leakage

Your server is shouting its exact version number to the world (e.g., "nginx/1.18.0").

View remediation

Frequently asked questions

Straight answers to the questions developers ask most often when remediating findings.

What is the difference between CSP and X-Frame-Options?

Both prevent clickjacking, but CSP's frame-ancestors directive is the modern superset - it replaces X-Frame-Options entirely and supports multiple allowed origins, 'self' and 'none'. When both headers are present, browsers following CSP Level 2 use frame-ancestors and ignore X-Frame-Options. Keep X-Frame-Options as a fallback only for legacy user agents.

Do I need to submit my site to the HSTS preload list?

Only if you are certain every current and future subdomain will support HTTPS indefinitely. Once you are on the Chromium preload list, removal takes weeks to months and ships in every major browser. The safe rollout is: start with max-age=300, confirm nothing breaks, ramp to max-age=63072000; includeSubDomains; preload, then submit at hstspreload.org. The commitment is real - the benefit is real too.

Why did my security grade drop after adding a CDN?

CDNs often terminate TLS and rewrite or strip your origin response headers. Cloudflare, Fastly, Vercel and CloudFront each inject their own edge layer, so a CSP set by your Express or Django app can disappear by the time it reaches the browser. Always verify with curl -I against your public URL, not your origin. If headers are missing, set them at the edge instead of (or in addition to) the origin.

What is the lowest-effort fix for the biggest grade bump?

For most sites, shipping HSTS, CSP, X-Content-Type-Options and Referrer-Policy in one change covers the majority of missing headers. Start CSP in Content-Security-Policy-Report-Only mode to catch surprises before enforcing. If your domain also sends mail, add SPF and a DMARC record at p=none as a second pass - it unlocks another grade tier without any risk of blocking legitimate mail.

What does Content-Security-Policy-Report-Only actually do?

It tells browsers to evaluate the policy and post violation reports to your report-uri or report-to endpoint without blocking any resource. It is the standard way to roll out CSP on an existing site: ship report-only first, watch the reports for legitimate violations, tighten the policy, and only then switch to the enforcing Content-Security-Policy header. Running both headers simultaneously is allowed and useful during migrations.

Can WebShield scan staging sites or pages behind a login?

No. The scanner reads only what an anonymous browser can see: public HTTP responses, DNS records and TLS metadata. Authenticated pages, internal apps and private staging hosts return no useful signal. For internal or authenticated scans, use a tool like OWASP ZAP or Burp Suite inside your network - WebShield is designed for the public perimeter.

Back to scanner

WebShield Audit

New Scan

Knowledge Base

Identify. Understand. Remediate.

21 actionable guides covering the vulnerabilities WebShield detects, each with platform-specific fixes you can paste straight into config.

21 guides8 categories8 platforms3 Critical7 High6 Medium5 Low

Scan

Paste any URL on the home page. WebShield fetches headers, DNS records and TLS metadata, then grades the result in under a minute.

Understand

Every finding explains the spec, the real-world exploit path and why browsers or mail providers penalize the default.

Remediate

Copy the paste-ready config for Nginx, Apache, Vercel, Cloudflare, AWS, IIS, HAProxy or Traefik - 8 platforms covered per finding.

Transport & TLS4 guides

How data travels between browsers and servers. Weak TLS, mixed content and broken HSTS let attackers downgrade or intercept the connection before your application ever runs.

High

Missing HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) acts as a "security seatbelt," forcing browsers to refuse all insecure HTTP connec...

View remediation

High

Mixed Content (Insecure Resources)

Mixed Content occurs when an HTTPS page loads resources (images, scripts, styles) over insecure HTTP.

View remediation

Critical

CORS Misconfiguration

Cross-Origin Resource Sharing (CORS) controls which domains can access your API resources via the browser.

View remediation

High

Weak TLS Protocols Enabled (TLS 1.0 / 1.1)

The server still negotiates TLS 1.0 or TLS 1.1, both of which were formally deprecated by RFC 8996 in 2021 and are prohi...

View remediation

Content Security6 guides

Controls what code browsers are allowed to execute on your origin. CSP, framing rules and MIME protections stop XSS, clickjacking and type-confusion attacks before they reach users.

High

Missing Content Security Policy (CSP)

CSP is the "nuclear option" against Cross-Site Scripting (XSS). It tells the browser exactly which domains are allowed t...

View remediation

Medium

Unsafe Links (Reverse Tabnabbing)

Links that open in a new tab (`target="_blank"`) without `rel="noopener"` or `rel="noreferrer"` are vulnerable.

View remediation

Medium

Missing Subresource Integrity (SRI)

SRI ensures that files you load from CDNs (like jQuery or Bootstrap) haven't been tampered with.

View remediation

Medium

Missing X-Frame-Options

Prevents your website from being embedded in an iframe on another site. This stops "Clickjacking" attacks.

View remediation

Medium

Missing X-Content-Type-Options

Prevents the browser from "guessing" the file type (MIME sniffing) and forces it to trust the server's declared type.

View remediation

Low

Missing Cross-Origin Isolation (COOP, COEP, CORP)

COOP, COEP, and CORP are three related headers that together put your page into a "cross-origin isolated" state, blockin...

View remediation

Cookies & Sessions1 guide

How sessions survive across requests. The Secure, HttpOnly and SameSite flags decide whether a session cookie survives an XSS attempt or a cross-site CSRF request.

Medium

Insecure Cookies

Cookies missing `Secure`, `HttpOnly`, or `SameSite` flags can be stolen or abused.

View remediation

Privacy & Leakage2 guides

What the browser hands to third parties on every request. Referrer Policy and Permissions-Policy limit how much user context leaks to analytics, embeds and ad networks.

Low

Missing Permissions-Policy

Formerly "Feature-Policy", this header allows you to enable or disable browser features and APIs (like Camera, Microphon...

View remediation

Low

Weak Referrer Policy

Controls how much data about "where the user came from" is sent to the next website they visit.

View remediation

Email Authentication3 guides

DNS records that prove outbound mail is actually from you. SPF, DKIM and DMARC stop spoofers from impersonating your domain and getting past Gmail and Yahoo bulk-sender filters.

High

Missing DMARC Policy

DMARC tells receiving mail servers what to do when a message fails SPF or DKIM checks, and where to send the forensic re...

View remediation

High

Missing SPF Record

SPF (Sender Policy Framework) lists the IP addresses and hostnames authorized to send mail for your domain, and defines...

View remediation

High

Missing DKIM Signature

DKIM signs every outbound message with a cryptographic signature anchored in DNS, proving the message came from your dom...

View remediation

DNS Hardening2 guides

DNS-layer defences that sit outside the HTTP stack. DNSSEC stops response tampering at resolution time; CAA stops unauthorized certificate authorities from ever issuing a cert for your domain.

Medium

Missing DNSSEC

DNSSEC signs your DNS records cryptographically so validating resolvers can detect tampering or cache poisoning during l...

View remediation

Low

Missing CAA Record

A CAA (Certificate Authority Authorization) record lists the CAs allowed to issue certificates for your domain. Every pu...

View remediation

File Exposure2 guides

Files that should never have been public. A single exposed .env or .git directory hands attackers credentials or your entire source history in one HTTP request - no exploit required.

Critical

Exposed `.git` Directory

A publicly reachable `/.git/` directory exposes your entire source code, commit history, configuration, and anything com...

View remediation

Critical

Exposed `.env` File

A `.env` file served by the web server exposes every credential the application uses: database URLs, API keys, signing s...

View remediation

Infrastructure Hygiene1 guide

Findings that do not fit a single category - usually version banners and fingerprinting surfaces that help attackers tailor exploits to your exact stack.

Low

Server Information Leakage

Your server is shouting its exact version number to the world (e.g., "nginx/1.18.0").

View remediation

Frequently asked questions

Straight answers to the questions developers ask most often when remediating findings.

What is the difference between CSP and X-Frame-Options?

Do I need to submit my site to the HSTS preload list?

Why did my security grade drop after adding a CDN?

What is the lowest-effort fix for the biggest grade bump?

What does Content-Security-Policy-Report-Only actually do?

Can WebShield scan staging sites or pages behind a login?

Back to scanner