your-site.com
A sample Pro-plan report. Compliance mapping, AI Library Health and Deep Scan are included from Pro upwards — see what each plan includes.
This is a real sample for an imaginary site. Your own report is generated from a live scan of your domain — same sections, same detail.
What limited this score
- One or more open high-severity vulnerabilities (grade capped at 60)
What changed since last scan
Resolved since last scan
- Low X-Content-Type-Options missing
- Medium TLS 1.0 is enabled
Executive summary
This report covers the security assessment of your-site.com. It scored 60/100, grade D (High Risk). It found 0 critical and 1 high-severity finding(s) needing attention — starting with “Reflected cross-site scripting in the site search” (High). The score is unchanged since the previous scan.
Issues by severity
Select a severity to see those findings.
Category scores
8 of 16 categories assessed this scan.
Not assessed this scan
Warden could not score these areas this scan (checks were skipped, a scanner errored, or only informational signals were seen). They do not count for or against the grade.
- Endpoint ExposureNot assessed in this scan
- API SecurityNot assessed in this scan
- Cloud / Hosting HygieneNot assessed in this scan
- CDN / WAF PostureNot assessed in this scan
- Digital FootprintNot assessed in this scan
- Breach / Threat IntelligenceNot assessed in this scan
- Secure Development SignalsNot assessed in this scan
- Remediation ProgressNot assessed in this scan
OWASP Top 10 (2021) coverage
Open findings mapped against the OWASP Top 10 (2021) web application risk categories.
- A01 · Broken Access Control0
- A02 · Cryptographic Failures1
- A03 · Injection1
- A04 · Insecure Design0
- A05 · Security Misconfiguration3
- A06 · Vulnerable & Outdated Components0
- A07 · Identification & Authentication Failures0
- A08 · Software & Data Integrity Failures0
- A09 · Security Logging & Monitoring Failures0
- A10 · Server-Side Request Forgery0
Compliance mapping
Findings are mapped to CWE, OWASP, and CVSS, and rolled up against PCI DSS, ISO 27001, and SOC 2 controls — evidence you can hand straight to an auditor.
PCI DSS 4.0
- 6.4.14 open findings
- 2.2.13 open findings
- 6.2.41 open finding
- 4.2.11 open finding
- 3.5.11 open finding
ISO/IEC 27001 2022 (Annex A)
- A.8.93 open findings
- A.8.281 open finding
- A.8.241 open finding
SOC 2 Trust Services Criteria
- CC6.15 open findings
- CC7.14 open findings
- CC6.71 open finding
Cyber Essentials
- Secure configuration5 open findings
OWASP ASVS 4.0.3
- V143 open findings
- V51 open finding
- V61 open finding
- V91 open finding
Top findings by CVSS
- 7.4 · Reflected cross-site scripting in the site searchCWE-79
Top findings by business risk
The open issues with the greatest potential business impact, ordered by severity and recurrence.
- 1Reflected cross-site scripting in the site searchHighP1
An attacker can craft a link that, when opened by one of your logged-in users, runs code as that user — enabling session theft, defacement, or redirection to a phishing page. This is the kind of issue that fails a procurement security review outright.
Fix: Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.
Affected: https://your-site.com/search?q=
- 2TLS certificate expires within 14 daysMediumP2
If the certificate lapses, every visitor sees a full-page browser security warning and the site is effectively offline until it is renewed.
Fix: Renew the certificate and automate renewal (for example with certbot or your host's managed TLS) so it cannot lapse again.
Affected: https://your-site.com
- 3No Content-Security-Policy headerMediumP1
Without a CSP, a single injected script — from a compromised third-party tag or an XSS flaw — can run unchecked. A CSP is the control that contains the damage when something else goes wrong.
Fix: Add a Content-Security-Policy header. Start in report-only mode to find breakages, then enforce a policy that names your script origins explicitly and avoids unsafe-inline.
- 4No SPF record published for the domainMediumP2
Someone can send email that appears to come from your domain, and most receiving servers have no policy telling them otherwise — a common route into invoice fraud and phishing aimed at your customers.
Fix: Publish an SPF TXT record listing every authorised sending service, ending in a policy (~all while testing, -all once confirmed).
- 5No Strict-Transport-Security headerLowP3
A returning visitor who types the bare domain or follows an old http:// link is exposed to a downgrade attack on an untrusted network before HTTPS ever kicks in.
Fix: Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response once you have confirmed all subdomains are HTTPS-only.
Key findings
- High
Reflected cross-site scripting in the site search
Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.
Priority roadmap
Open findings grouped by client-friendly priority (P1 = act now, P4 = informational).
P1 — Immediate security risk (2)
Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.
Add a Content-Security-Policy header. Start in report-only mode to find breakages, then enforce a policy that names your script origins explicitly and avoids unsafe-inline.
P2 — Important hardening (2)
Renew the certificate and automate renewal (for example with certbot or your host's managed TLS) so it cannot lapse again.
Publish an SPF TXT record listing every authorised sending service, ending in a policy (~all while testing, -all once confirmed).
P3 — Best-practice improvement (1)
Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response once you have confirmed all subdomains are HTTPS-only.
Remediation roadmap
Quick wins
- TLS certificate expires within 14 days
- No Content-Security-Policy header
- No SPF record published for the domain
- No Strict-Transport-Security header
Longer-term
- Reflected cross-site scripting in the site search
- Apply HTTP security headers globally (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) at the web server or edge.
- Implement SPF, DKIM and DMARC for the domain to prevent email spoofing.
- Set up recurring scans with retest comparison so regressions are caught and progress is tracked over time.
Findings (5 of 5)
Findings overview
| Issue | Severity | Priority | Owner |
|---|---|---|---|
| Reflected cross-site scripting in the site search | High | P1 | Developer |
| No Strict-Transport-Security header | Low | P3 | Developer / server admin |
| TLS certificate expires within 14 days | Medium | P2 | Server / hosting admin |
| No Content-Security-Policy header | Medium | P1 | Developer / server admin |
| No SPF record published for the domain | Medium | P2 | DNS / email admin |
Active Vulnerabilities
Exploitable exposures — remediate the open ones first.
P1Responsible: DeveloperConfirmedAffects score
Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.
The search page reflects the q parameter into the HTML response without encoding it, so a crafted link can execute script in a visitor's browser in the context of your site.
- Business impact
- An attacker can craft a link that, when opened by one of your logged-in users, runs code as that user — enabling session theft, defacement, or redirection to a phishing page. This is the kind of issue that fails a procurement security review outright.
- Technical risk
- The parameter is echoed into the response body without HTML entity encoding. The injected payload executes with the origin's privileges, giving access to cookies not marked HttpOnly and to any authenticated API the page can call.
- How to fix
- Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.
- How to verify
- Request /search?q=<script>alert(1)</script> and confirm the payload is rendered as text rather than executed, and that the response carries a restrictive Content-Security-Policy.
Affected: https://your-site.com/search?q=
Hardening Opportunities
Defence-in-depth improvements — not active vulnerabilities.
P3Responsible: Developer / server adminConfirmedAffects score
Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.
The site does not send a Strict-Transport-Security header, so browsers do not remember to use HTTPS-only on a visitor's next visit.
- Business impact
- A returning visitor who types the bare domain or follows an old http:// link is exposed to a downgrade attack on an untrusted network before HTTPS ever kicks in.
- Technical risk
- Without HSTS a network attacker can strip HTTPS on the first request of a session, intercepting traffic before any redirect to HTTPS occurs.
- How to fix
- Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response once you have confirmed all subdomains are HTTPS-only.
- How to verify
- Fetch the site over HTTPS and confirm the Strict-Transport-Security header is present with max-age of at least 31536000.
P2Responsible: Server / hosting adminConfirmedAffects score
Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.
The certificate presented by the site expires within 14 days.
- Business impact
- If the certificate lapses, every visitor sees a full-page browser security warning and the site is effectively offline until it is renewed.
- Technical risk
- An expired leaf certificate fails validation in all major browsers and in most API clients.
- How to fix
- Renew the certificate and automate renewal (for example with certbot or your host's managed TLS) so it cannot lapse again.
- How to verify
- Re-run the scan after renewal and confirm the certificate expiry is more than 14 days out.
Affected: https://your-site.com
P1Responsible: Developer / server adminConfirmedAffects score
Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.
The site does not send a Content-Security-Policy header, so the browser has no instruction limiting where scripts may be loaded from.
- Business impact
- Without a CSP, a single injected script — from a compromised third-party tag or an XSS flaw — can run unchecked. A CSP is the control that contains the damage when something else goes wrong.
- Technical risk
- No restriction on script-src, so any injected or third-party script executes with full origin privileges.
- How to fix
- Add a Content-Security-Policy header. Start in report-only mode to find breakages, then enforce a policy that names your script origins explicitly and avoids unsafe-inline.
- How to verify
- Request any page and confirm a Content-Security-Policy response header is present and does not contain unsafe-inline in script-src.
AI-suggested fix
Add a Content-Security-Policy header, starting in report-only mode so you can find what breaks before you enforce it.
Suggested change nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'" always;Steps
1. Deploy the policy as Content-Security-Policy-Report-Only first. 2. Watch the browser console (and any report-uri endpoint) for a week to catch legitimate script origins you have missed. 3. Add those origins to script-src explicitly — avoid 'unsafe-inline'. 4. Switch the header to Content-Security-Policy to enforce it.
Validation
Reload the site and confirm the Content-Security-Policy header is present and that no console errors report blocked legitimate resources.
AI-assisted suggestion — review before applying.
P2Responsible: DNS / email adminConfirmedAffects score
Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.
The domain has no SPF record, so mail receivers cannot verify which servers are authorised to send mail on its behalf.
- Business impact
- Someone can send email that appears to come from your domain, and most receiving servers have no policy telling them otherwise — a common route into invoice fraud and phishing aimed at your customers.
- Technical risk
- Without an SPF TXT record, receivers fall back to their own default handling of unauthenticated senders, which is inconsistent and frequently permissive.
- How to fix
- Publish an SPF TXT record listing every authorised sending service, ending in a policy (~all while testing, -all once confirmed).
- How to verify
- Query the domain's TXT records and confirm an SPF record (v=spf1 ...) is present.
Known advisories & end-of-life components
Known security advisories (CVE / GHSA, including CISA Known-Exploited) and end-of-life components detected on your-site.com. These feed the overall grade.
Library Health AI · advisory
Your stack is broadly current. One package is no longer maintained and should be replaced, and two are far enough behind that upgrading them now will be easier than upgrading them later.
- laravel/framework 11.9.2healthy
Actively maintained and close to the latest release.
No action needed.
- moment 2.29.4deprecated
Moment.js is in maintenance mode and its maintainers recommend migrating away.
Replace with date-fns, Day.js or the native Intl APIs.
- request 2.88.2abandoned
Deprecated since 2020 and no longer receiving security fixes.
Replace with the native fetch API or undici.
- guzzlehttp/guzzle 7.4.1outdated
Several minor versions behind; later releases include security fixes.
Upgrade to the latest 7.x release.
Advisory only — not part of the grade. Informed by live Packagist/npm registry data at analysis time.
What we checked
Authn
The Authn module ran 1 check: 1 skipped. It scored 18/100. No failures were found.
Exposure
The Exposure module ran 4 checks: 4 passed. It scored 100/100. No failures were found.
Headers
The Headers module ran 8 checks: 6 passed, 2 failed. It scored 70/100. 2 checks failed and need attention.
Infrastructure
The Infrastructure module ran 5 checks: 4 passed, 1 failed. 1 check failed and need attention.
Tls
The Tls module ran 7 checks: 6 passed, 1 failed. It scored 43/100. 1 check failed and need attention.
Web App
The Web App module ran 4 checks: 3 passed, 1 failed. It scored 18/100. 1 check failed and need attention.
Test results
23 passed · 5 failed · 0 warning · 29 total
authn
| No web-login credentials configured for authenticated testing | skipped |
exposure
| .env environment file not exposed | passed |
| .git/config not exposed | passed |
| backup archive not exposed | passed |
| No directory listing at / | passed |
headers
| Content-Security-Policy missing | failed |
| HSTS (Strict-Transport-Security) missing | failed |
| A cookie is missing the Secure flag | passed |
| Cookies use HttpOnly | passed |
| Permissions-Policy present | passed |
| Referrer-Policy present | passed |
| X-Content-Type-Options present | passed |
| X-Frame-Options missing | passed |
infrastructure
| No SPF record | failed |
| 1 A record(s) found | passed |
| DKIM record present (selector: default) | passed |
| DMARC record present | passed |
| Server header discloses version | passed |
tls
| TLS certificate expires within 14 days | failed |
| Certificate chain and TLS robustness checks passed | passed |
| Certificate covers your-site.com | passed |
| No weak TLS ciphers detected | passed |
| TLS 1.0 is disabled | passed |
| TLS certificate not expired for your-site.com | passed |
| TLS certificate present for your-site.com | passed |
web_app
| Cross Site Scripting (Reflected) | failed |
| 2 third-party ad/analytics script source(s) present in the served HTML | passed |
| CORS policy is restrictive or absent | passed |
| No mixed (http://) subresources on the HTTPS page | passed |
Evidence
Reflected cross-site scripting in the site search (dast.xss)
Reflected payload in the search response
GET /search?q=%3Cb%3Ewarden%3C%2Fb%3E HTTP/1.1 Host: your-site.com <p>No results for <b>warden</b></p>
No Content-Security-Policy header (headers.csp)
Response headers with no Content-Security-Policy
HTTP/1.1 200 OK strict-transport-security: max-age=2592000 x-content-type-options: nosniff
Scan confidence
High(100/100)
Coverage notes — these don't reduce confidence
- Authenticated areas weren't tested — add login or API credentials in your domain settings to unlock these checks.
Scan depth & coverage
Depth: Deep Scan (active)
Warden performs automated, black-box security testing from the outside — it does not have access to the application's source code. Whole classes of issues therefore cannot be exhaustively detected, including business-logic and authorization flaws, many stored/second-order and blind injection paths, vulnerabilities reachable only behind authentication or specific application state, and design-level weaknesses. Absence of findings is not proof that a site is free of vulnerabilities.
A Deep Scan adds active probing (payload injection) but remains automated and black-box; it is not equivalent to a full manual penetration test with source access and human analysis. For high-assurance needs, commission a source-assisted or manual review.
Severity guide
- Critical — A serious flaw that is likely being or could easily be exploited. Fix immediately.
- High — An important weakness that could lead to compromise. Fix as a priority.
- Medium — A weakness that increases risk and should be scheduled for remediation.
- Low — A minor issue or hardening opportunity with limited direct impact.
- Info — Informational only — context for review, not a vulnerability by itself.
