Example report

your-site.com

A sample Pro-plan report. Compliance mapping, AI Library Health and Deep Scan are included from Pro upwards — see what each plan includes.

your-site.com · Generated 1 Jul 2026 · v1

Domain registration expires 1 Dec 2026 · Example Registrar Inc.

This is a real sample for an imaginary site. Your own report is generated from a live scan of your domain — same sections, same detail.

D
60 / 100
Security health score
High Risk
Jump to

What limited this score

  • One or more open high-severity vulnerabilities (grade capped at 60)

What changed since last scan

0 new0 reopened2 fixed5 unchanged

Resolved since last scan

  • Low X-Content-Type-Options missing
  • Medium TLS 1.0 is enabled

Executive summary

This report covers the security assessment of your-site.com. It scored 60/100, grade D (High Risk). It found 0 critical and 1 high-severity finding(s) needing attention — starting with “Reflected cross-site scripting in the site search” (High). The score is unchanged since the previous scan.

Issues by severity

Select a severity to see those findings.

Category scores

8 of 16 categories assessed this scan.

Not assessed this scan

Warden could not score these areas this scan (checks were skipped, a scanner errored, or only informational signals were seen). They do not count for or against the grade.

  • Endpoint ExposureNot assessed in this scan
  • API SecurityNot assessed in this scan
  • Cloud / Hosting HygieneNot assessed in this scan
  • CDN / WAF PostureNot assessed in this scan
  • Digital FootprintNot assessed in this scan
  • Breach / Threat IntelligenceNot assessed in this scan
  • Secure Development SignalsNot assessed in this scan
  • Remediation ProgressNot assessed in this scan

OWASP Top 10 (2021) coverage

Open findings mapped against the OWASP Top 10 (2021) web application risk categories.

  • A01 · Broken Access Control0
  • A02 · Cryptographic Failures1
  • A03 · Injection1
  • A04 · Insecure Design0
  • A05 · Security Misconfiguration3
  • A06 · Vulnerable & Outdated Components0
  • A07 · Identification & Authentication Failures0
  • A08 · Software & Data Integrity Failures0
  • A09 · Security Logging & Monitoring Failures0
  • A10 · Server-Side Request Forgery0

Compliance mapping

Findings are mapped to CWE, OWASP, and CVSS, and rolled up against PCI DSS, ISO 27001, and SOC 2 controls — evidence you can hand straight to an auditor.

PCI DSS 4.0

  • 6.4.14 open findings
  • 2.2.13 open findings
  • 6.2.41 open finding
  • 4.2.11 open finding
  • 3.5.11 open finding

ISO/IEC 27001 2022 (Annex A)

  • A.8.93 open findings
  • A.8.281 open finding
  • A.8.241 open finding

SOC 2 Trust Services Criteria

  • CC6.15 open findings
  • CC7.14 open findings
  • CC6.71 open finding

Cyber Essentials

  • Secure configuration5 open findings

OWASP ASVS 4.0.3

  • V143 open findings
  • V51 open finding
  • V61 open finding
  • V91 open finding

Top findings by CVSS

  • 7.4 · Reflected cross-site scripting in the site searchCWE-79

Top findings by business risk

The open issues with the greatest potential business impact, ordered by severity and recurrence.

  1. 1
    Reflected cross-site scripting in the site searchHighP1

    An attacker can craft a link that, when opened by one of your logged-in users, runs code as that user — enabling session theft, defacement, or redirection to a phishing page. This is the kind of issue that fails a procurement security review outright.

    Fix: Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.

    Affected: https://your-site.com/search?q=

  2. 2
    TLS certificate expires within 14 daysMediumP2

    If the certificate lapses, every visitor sees a full-page browser security warning and the site is effectively offline until it is renewed.

    Fix: Renew the certificate and automate renewal (for example with certbot or your host's managed TLS) so it cannot lapse again.

    Affected: https://your-site.com

  3. 3
    No Content-Security-Policy headerMediumP1

    Without a CSP, a single injected script — from a compromised third-party tag or an XSS flaw — can run unchecked. A CSP is the control that contains the damage when something else goes wrong.

    Fix: Add a Content-Security-Policy header. Start in report-only mode to find breakages, then enforce a policy that names your script origins explicitly and avoids unsafe-inline.

  4. 4
    No SPF record published for the domainMediumP2

    Someone can send email that appears to come from your domain, and most receiving servers have no policy telling them otherwise — a common route into invoice fraud and phishing aimed at your customers.

    Fix: Publish an SPF TXT record listing every authorised sending service, ending in a policy (~all while testing, -all once confirmed).

  5. 5
    No Strict-Transport-Security headerLowP3

    A returning visitor who types the bare domain or follows an old http:// link is exposed to a downgrade attack on an untrusted network before HTTPS ever kicks in.

    Fix: Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response once you have confirmed all subdomains are HTTPS-only.

Key findings

  • High

    Reflected cross-site scripting in the site search

    Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.

Priority roadmap

Open findings grouped by client-friendly priority (P1 = act now, P4 = informational).

P1 — Immediate security risk (2)

Reflected cross-site scripting in the site searchHigh
Responsible: DeveloperAffected: https://your-site.com/search?q=

Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.

No Content-Security-Policy headerMedium
Responsible: Developer / server admin

Add a Content-Security-Policy header. Start in report-only mode to find breakages, then enforce a policy that names your script origins explicitly and avoids unsafe-inline.

P2 — Important hardening (2)

TLS certificate expires within 14 daysMedium
Responsible: Server / hosting adminAffected: https://your-site.com

Renew the certificate and automate renewal (for example with certbot or your host's managed TLS) so it cannot lapse again.

No SPF record published for the domainMedium
Responsible: DNS / email admin

Publish an SPF TXT record listing every authorised sending service, ending in a policy (~all while testing, -all once confirmed).

P3 — Best-practice improvement (1)

No Strict-Transport-Security headerLow
Responsible: Developer / server admin

Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response once you have confirmed all subdomains are HTTPS-only.

Remediation roadmap

Quick wins

  • TLS certificate expires within 14 days
  • No Content-Security-Policy header
  • No SPF record published for the domain
  • No Strict-Transport-Security header

Longer-term

  • Reflected cross-site scripting in the site search
  • Apply HTTP security headers globally (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) at the web server or edge.
  • Implement SPF, DKIM and DMARC for the domain to prevent email spoofing.
  • Set up recurring scans with retest comparison so regressions are caught and progress is tracked over time.

Findings (5 of 5)

Findings overview

IssueSeverityPriorityOwner
Reflected cross-site scripting in the site searchHighP1Developer
No Strict-Transport-Security headerLowP3Developer / server admin
TLS certificate expires within 14 daysMediumP2Server / hosting admin
No Content-Security-Policy headerMediumP1Developer / server admin
No SPF record published for the domainMediumP2DNS / email admin

Active Vulnerabilities

Exploitable exposures — remediate the open ones first.

CWE-79OWASP A03CVSS 7.4

P1Responsible: DeveloperConfirmedAffects score

Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.

The search page reflects the q parameter into the HTML response without encoding it, so a crafted link can execute script in a visitor's browser in the context of your site.

Business impact
An attacker can craft a link that, when opened by one of your logged-in users, runs code as that user — enabling session theft, defacement, or redirection to a phishing page. This is the kind of issue that fails a procurement security review outright.
Technical risk
The parameter is echoed into the response body without HTML entity encoding. The injected payload executes with the origin's privileges, giving access to cookies not marked HttpOnly and to any authenticated API the page can call.
How to fix
Encode all user-supplied values on output using your template engine's escaping (in Blade, prefer {{ $value }} over {!! $value !!}). Add a Content-Security-Policy that disallows inline script as a second layer of defence.
How to verify
Request /search?q=<script>alert(1)</script> and confirm the payload is rendered as text rather than executed, and that the response carries a restrictive Content-Security-Policy.

Affected: https://your-site.com/search?q=

Hardening Opportunities

Defence-in-depth improvements — not active vulnerabilities.

OWASP A05

P3Responsible: Developer / server adminConfirmedAffects score

Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.

The site does not send a Strict-Transport-Security header, so browsers do not remember to use HTTPS-only on a visitor's next visit.

Business impact
A returning visitor who types the bare domain or follows an old http:// link is exposed to a downgrade attack on an untrusted network before HTTPS ever kicks in.
Technical risk
Without HSTS a network attacker can strip HTTPS on the first request of a session, intercepting traffic before any redirect to HTTPS occurs.
How to fix
Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response once you have confirmed all subdomains are HTTPS-only.
How to verify
Fetch the site over HTTPS and confirm the Strict-Transport-Security header is present with max-age of at least 31536000.
CWE-324OWASP A02

P2Responsible: Server / hosting adminConfirmedAffects score

Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.

The certificate presented by the site expires within 14 days.

Business impact
If the certificate lapses, every visitor sees a full-page browser security warning and the site is effectively offline until it is renewed.
Technical risk
An expired leaf certificate fails validation in all major browsers and in most API clients.
How to fix
Renew the certificate and automate renewal (for example with certbot or your host's managed TLS) so it cannot lapse again.
How to verify
Re-run the scan after renewal and confirm the certificate expiry is more than 14 days out.

Affected: https://your-site.com

CWE-693OWASP A05

P1Responsible: Developer / server adminConfirmedAffects score

Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.

The site does not send a Content-Security-Policy header, so the browser has no instruction limiting where scripts may be loaded from.

Business impact
Without a CSP, a single injected script — from a compromised third-party tag or an XSS flaw — can run unchecked. A CSP is the control that contains the damage when something else goes wrong.
Technical risk
No restriction on script-src, so any injected or third-party script executes with full origin privileges.
How to fix
Add a Content-Security-Policy header. Start in report-only mode to find breakages, then enforce a policy that names your script origins explicitly and avoids unsafe-inline.
How to verify
Request any page and confirm a Content-Security-Policy response header is present and does not contain unsafe-inline in script-src.

AI-suggested fix

Add a Content-Security-Policy header, starting in report-only mode so you can find what breaks before you enforce it.

Suggested change nginx

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'" always;

Steps

1. Deploy the policy as Content-Security-Policy-Report-Only first. 2. Watch the browser console (and any report-uri endpoint) for a week to catch legitimate script origins you have missed. 3. Add those origins to script-src explicitly — avoid 'unsafe-inline'. 4. Switch the header to Content-Security-Policy to enforce it.

Validation

Reload the site and confirm the Content-Security-Policy header is present and that no console errors report blocked legitimate resources.

AI-assisted suggestion — review before applying.

OWASP A05

P2Responsible: DNS / email adminConfirmedAffects score

Available in your account — mark issues fixed, accept a risk, or ask the AI for a tailored fix.

The domain has no SPF record, so mail receivers cannot verify which servers are authorised to send mail on its behalf.

Business impact
Someone can send email that appears to come from your domain, and most receiving servers have no policy telling them otherwise — a common route into invoice fraud and phishing aimed at your customers.
Technical risk
Without an SPF TXT record, receivers fall back to their own default handling of unauthenticated senders, which is inconsistent and frequently permissive.
How to fix
Publish an SPF TXT record listing every authorised sending service, ending in a policy (~all while testing, -all once confirmed).
How to verify
Query the domain's TXT records and confirm an SPF record (v=spf1 ...) is present.

Known advisories & end-of-life components

Known security advisories (CVE / GHSA, including CISA Known-Exploited) and end-of-life components detected on your-site.com. These feed the overall grade.

Library Health AI · advisory

Your stack is broadly current. One package is no longer maintained and should be replaced, and two are far enough behind that upgrading them now will be easier than upgrading them later.

  • laravel/framework 11.9.2healthy

    Actively maintained and close to the latest release.

    No action needed.

  • moment 2.29.4deprecated

    Moment.js is in maintenance mode and its maintainers recommend migrating away.

    Replace with date-fns, Day.js or the native Intl APIs.

  • request 2.88.2abandoned

    Deprecated since 2020 and no longer receiving security fixes.

    Replace with the native fetch API or undici.

  • guzzlehttp/guzzle 7.4.1outdated

    Several minor versions behind; later releases include security fixes.

    Upgrade to the latest 7.x release.

Advisory only — not part of the grade. Informed by live Packagist/npm registry data at analysis time.

What we checked

Authn

The Authn module ran 1 check: 1 skipped. It scored 18/100. No failures were found.

Exposure

The Exposure module ran 4 checks: 4 passed. It scored 100/100. No failures were found.

Headers

The Headers module ran 8 checks: 6 passed, 2 failed. It scored 70/100. 2 checks failed and need attention.

Infrastructure

The Infrastructure module ran 5 checks: 4 passed, 1 failed. 1 check failed and need attention.

Tls

The Tls module ran 7 checks: 6 passed, 1 failed. It scored 43/100. 1 check failed and need attention.

Web App

The Web App module ran 4 checks: 3 passed, 1 failed. It scored 18/100. 1 check failed and need attention.

Test results

23 passed · 5 failed · 0 warning · 29 total

authn

No web-login credentials configured for authenticated testingskipped

exposure

.env environment file not exposedpassed
.git/config not exposedpassed
backup archive not exposedpassed
No directory listing at /passed

headers

Content-Security-Policy missingfailed
HSTS (Strict-Transport-Security) missingfailed
A cookie is missing the Secure flagpassed
Cookies use HttpOnlypassed
Permissions-Policy presentpassed
Referrer-Policy presentpassed
X-Content-Type-Options presentpassed
X-Frame-Options missingpassed

infrastructure

No SPF recordfailed
1 A record(s) foundpassed
DKIM record present (selector: default)passed
DMARC record presentpassed
Server header discloses versionpassed

tls

TLS certificate expires within 14 daysfailed
Certificate chain and TLS robustness checks passedpassed
Certificate covers your-site.compassed
No weak TLS ciphers detectedpassed
TLS 1.0 is disabledpassed
TLS certificate not expired for your-site.compassed
TLS certificate present for your-site.compassed

web_app

Cross Site Scripting (Reflected)failed
2 third-party ad/analytics script source(s) present in the served HTMLpassed
CORS policy is restrictive or absentpassed
No mixed (http://) subresources on the HTTPS pagepassed

Evidence

Reflected cross-site scripting in the site search (dast.xss)

Reflected payload in the search response

GET /search?q=%3Cb%3Ewarden%3C%2Fb%3E HTTP/1.1
Host: your-site.com

<p>No results for <b>warden</b></p>

No Content-Security-Policy header (headers.csp)

Response headers with no Content-Security-Policy

HTTP/1.1 200 OK
strict-transport-security: max-age=2592000
x-content-type-options: nosniff

Scan confidence

High(100/100)

Coverage notes — these don't reduce confidence

  • Authenticated areas weren't tested — add login or API credentials in your domain settings to unlock these checks.

Scan depth & coverage

Depth: Deep Scan (active)

Warden performs automated, black-box security testing from the outside — it does not have access to the application's source code. Whole classes of issues therefore cannot be exhaustively detected, including business-logic and authorization flaws, many stored/second-order and blind injection paths, vulnerabilities reachable only behind authentication or specific application state, and design-level weaknesses. Absence of findings is not proof that a site is free of vulnerabilities.

A Deep Scan adds active probing (payload injection) but remains automated and black-box; it is not equivalent to a full manual penetration test with source access and human analysis. For high-assurance needs, commission a source-assisted or manual review.

Severity guide

  • Critical — A serious flaw that is likely being or could easily be exploited. Fix immediately.
  • High — An important weakness that could lead to compromise. Fix as a priority.
  • Medium — A weakness that increases risk and should be scheduled for remediation.
  • Low — A minor issue or hardening opportunity with limited direct impact.
  • Info — Informational only — context for review, not a vulnerability by itself.
Run this scan on your own domain
Full scan engine on every plan · Cancel any time
Get started →