What we scan for

Every check HatTest runs, straight from our detection catalog — 155 finding classes across 17 categories, each mapped to the industry-standard OWASP taxonomy. We report what we find with evidence and a fix; we never claim a site is “secure.”

155checks 17categories
Leaked secrets & credentials 43
  • High
    Anthropic API key exposed

    An Anthropic API key (sk-ant-…) was found in client-visible code.

    A04:2025
  • High
    AWS access key + secret pair exposed

    An AWS access key id (AKIA…/ASIA…) was found alongside its 40-character secret access key in client-visible code — a complete, immediately-usable credential.

    A04:2025
  • High
    Azure Storage account key exposed

    An Azure Storage AccountKey= shared key was found in client-visible code.

    A04:2025
  • High
    Database connection string with embedded credentials exposed

    A database URL containing an inline user:password (Postgres/MySQL/MongoDB/Redis/AMQP) was found in client-visible code.

    A04:2025
  • High
    DigitalOcean token exposed

    A DigitalOcean personal access token (dop_v1_/doo_v1_/dor_v1_) was found in client-visible code.

    A04:2025
  • High
    Docker Hub access token exposed

    A Docker Hub access token (dckr_pat_…) was found in client-visible code.

    A04:2025
  • High
    Doppler service token exposed

    A Doppler token (dp.pt.… / dp.st.… …) was found in client-visible code.

    A04:2025
  • High
    Secret exposed in client code (high-entropy value on a secret-named variable)

    A high-entropy value assigned to a secret-named variable (e.g. SESSION_SECRET, JWT_SIGNING_KEY, api_secret, db_password, client_secret) was found in client-visible code — a credential regardless of provider prefix.

    A04:2025
  • High
    GitHub fine-grained PAT exposed

    A GitHub fine-grained personal access token (github_pat_…) was found in client-visible code.

    A04:2025
  • High
    GitHub token exposed

    A GitHub token (ghp_/gho_/ghu_/ghs_/ghr_) was found in client-visible code.

    A04:2025
  • High
    GitLab personal access token exposed

    A GitLab personal access token (glpat-…) was found in client-visible code.

    A04:2025
  • High
    Google OAuth client secret exposed

    A Google OAuth client secret (GOCSPX-…) was found in client-visible code.

    A04:2025
  • High
    Groq API key exposed

    A Groq API key (gsk_…) was found in client-visible code.

    A04:2025
  • High
    Hugging Face access token exposed

    A Hugging Face access token (hf_…) was found in client-visible code.

    A04:2025
  • High
    Linear API key exposed

    A Linear API key (lin_api_…) was found in client-visible code.

    A04:2025
  • High
    Mailchimp API key exposed

    A Mailchimp API key (<hex>-usN, corroborated by a nearby 'mailchimp' token) was found in client-visible code.

    A04:2025
  • High
    Mapbox secret token exposed

    A Mapbox secret token (sk.…) was found in client-visible code.

    A04:2025
  • High
    Netlify personal access token exposed

    A Netlify personal access token (nfp_…) was found in client-visible code.

    A04:2025
  • High
    New Relic API key exposed

    A New Relic API key (NRAK-…) was found in client-visible code.

    A04:2025
  • High
    OpenAI API key exposed

    An OpenAI API key (sk-…, incl. sk-proj-/sk-svcacct-) was found in client-visible code.

    A04:2025
  • High
    Perplexity API key exposed

    A Perplexity API key (pplx-…) was found in client-visible code.

    A04:2025
  • High
    PlanetScale database token exposed

    A PlanetScale password or service token (pscale_pw_… / pscale_tkn_…) was found in client-visible code.

    A04:2025
  • High
    Private key exposed (PEM key block)

    A PEM-encoded private key block (RSA/EC/DSA/OpenSSH/encrypted PKCS#8/PGP) was found in client-visible code.

    A04:2025
  • High
    PyPI upload token exposed

    A PyPI upload token (pypi-AgEIcHlwaS…) was found in client-visible code.

    A04:2025
  • High
    SendGrid API key exposed

    A SendGrid API key (SG.…) was found in client-visible code.

    A04:2025
  • High
    Shopify access token exposed

    A Shopify access token (shpat_/shpca_/shppa_/shpss_) was found in client-visible code.

    A04:2025
  • High
    Slack token exposed

    A Slack token (xoxb-/xoxp-/xoxa-/xoxr-/xoxs-/xoxe-/xapp-) was found in client-visible code.

    A04:2025
  • High
    Square access token exposed

    A Square access token (sq0atp-/sq0csp-) was found in client-visible code.

    A04:2025
  • High
    Stripe live secret key exposed

    A Stripe sk_live_ secret key was found in client-visible code.

    A04:2025
  • High
    Supabase secret key exposed (sb_secret_)

    A Supabase sb_secret_ secret key was found in client-visible code.

    A04:2025
  • High
    Supabase service_role key exposed

    A Supabase service_role JWT was found in client-visible code — this key bypasses Row-Level Security.

    A04:2025
  • Medium
    AWS access key id exposed

    An AWS access key id (AKIA…/ASIA…) was found in client-visible code, with no secret access key alongside it.

    A04:2025
  • Medium
    Figma personal access token exposed

    A Figma personal access token (figd_…) was found in client-visible code.

    A04:2025
  • Medium
    Mailgun API key exposed

    A Mailgun API key (key-…, corroborated by a nearby 'mailgun' token) was found in client-visible code.

    A04:2025
  • Medium
    npm token exposed

    An npm access token (npm_…) was found in client-visible code.

    A04:2025
  • Medium
    Postman API key exposed

    A Postman API key (PMAK-…) was found in client-visible code.

    A04:2025
  • Medium
    Slack incoming webhook URL exposed

    A Slack incoming-webhook URL (hooks.slack.com/services/…) was found in client-visible code.

    A04:2025
  • Medium
    Stripe restricted key exposed

    A Stripe rk_live_ restricted key was found in client-visible code.

    A04:2025
  • Medium
    Stripe test secret key exposed

    A Stripe sk_test_ test-mode secret key was found in client-visible code.

    A04:2025
  • Medium
    Stripe webhook signing secret exposed

    A Stripe whsec_ webhook signing secret was found in client-visible code.

    A04:2025
  • Medium
    Telegram bot token exposed

    A Telegram bot token (<id>:AA…) was found in client-visible code.

    A04:2025
  • Medium
    Twilio API key exposed

    A Twilio API key (SK…, corroborated by a nearby 'twilio' token) was found in client-visible code.

    A04:2025
  • Info
    Google/Firebase API key found

    A Google/Firebase browser API key (AIza…) was found in client-visible code. These are usually public by design and meant to be referrer/app-restricted.

    A04:2025
Access control 34
  • High
    Unauthenticated GraphQL access to sensitive data

    A schema-built query executed anonymously returned records containing sensitive-looking fields — the GraphQL analog of broken access control.

    A01:2025
  • High
    Authenticated user can read another user's object by ID (BOLA / IDOR)

    A logged-in test user could not list a table's rows, yet could fetch another user's specific object directly by its id — object-level authorization is missing (the classic BOLA / IDOR shape, on a table that often exposes no owner column).

    A01:2025
  • High
    Authenticated user can read another user's sensitive rows

    A logged-in test user that owns no rows in a table could still read another user's rows, and those rows carry sensitive data — access control is not scoped per user.

    A01:2025
  • High
    BaaS collection exposes sensitive data to anonymous reads

    A PocketBase/Appwrite collection returned records with sensitive-looking fields to an anonymous list request.

    A01:2025
  • High
    CouchDB allows anonymous database enumeration (admin party)

    An anonymous GET /_all_dbs succeeded — the CouchDB server has no admin configured ('admin party'), so every database is world-accessible.

    A01:2025
  • High
    CouchDB database exposes sensitive data to anonymous reads

    An anonymous read of a CouchDB database returned documents with sensitive-looking fields.

    A01:2025
  • High
    Elasticsearch/OpenSearch cluster allows anonymous index enumeration

    An anonymous GET /_cat/indices succeeded — the cluster is unauthenticated, so all indices are world-accessible.

    A01:2025
  • High
    Elasticsearch index exposes sensitive data to anonymous queries

    An anonymous _search of an index returned documents with sensitive-looking fields.

    A01:2025
  • High
    GraphQL backend exposes sensitive data to anonymous queries

    An anonymous (or public-API-key) GraphQL query returned records containing sensitive-looking fields.

    A01:2025
  • High
    Anonymous read exposes sensitive data

    An anonymous SELECT returned rows containing sensitive columns or sensitive values (PII, credentials, financial data).

    A01:2025
  • High
    Anonymous writes accepted (RLS does not block unauthenticated writes)

    An anonymous INSERT was accepted by the table's row-level-security policies.

    A01:2025
  • High
    Firestore collection is world-readable (open security rules)

    An anonymous read of a Firestore collection returned document data — the collection's `allow read` rule lets unauthenticated clients through.

    A01:2025
  • High
    Firebase Realtime Database is world-readable (open security rules)

    An anonymous read of the Realtime Database root succeeded — the database's .read rule allows unauthenticated access.

    A01:2025
  • High
    Firebase Storage bucket lists objects to anonymous users (open security rules)

    An anonymous list of the default Firebase Storage bucket returned object metadata — the Storage rules allow unauthenticated read/list.

    A01:2025
  • High
    Cloud bucket is world-listable and holds private-looking files

    An S3/GCS/Azure bucket allows anonymous listing, and the sampled object names match private-data patterns (backups, invoices, KYC, .env, …).

    A01:2025
  • High
    Supabase Storage bucket is world-listable and holds private-looking files

    A Supabase Storage bucket returns objects to an anonymous list request, and the sampled names match private-data patterns.

    A01:2025
  • Medium
    Likely unauthenticated access to sensitive data

    An anonymous GET of an API route returned sensitive-looking (PII-shaped) fields — the endpoint appears to serve private data without authentication.

    A01:2025
  • Medium
    Owner-less table readable across users (no per-user scoping — confirm intended)

    A table with no per-user ownership column returned a row readable by more than one user, so it has no per-user access scoping — and the rows carry sensitive data. Indistinguishable by structure alone from an intended public/shared table.

    A01:2025
  • Medium
    Authenticated user can read another user's rows (no sensitive columns — confirm intended)

    A logged-in test user that owns no rows in a table could read another user's rows, but no sensitive columns were detected — possibly a public feed by design.

    A01:2025
  • Medium
    Authenticated user can read other users' rows in a shared-looking table (confirm intended)

    A logged-in test user owns rows in a table AND can read rows owned by others — structurally identical to a legitimate shared/co-membership/public-profile table, so it cannot be confirmed a leak by data alone.

    A01:2025
  • Medium
    Authenticated user can write another user's row (writes not owner-scoped — confirm intended)

    A value-neutral update by a logged-in test user succeeded against another user's row — the write (UPDATE) policy is not scoped per owner.

    A01:2025
  • Medium
    Anonymous writes accepted on an intake table (confirm intended)

    An anonymous INSERT was accepted on a table that looks like an intake/submission form (contact, waitlist, feedback, signup).

    A01:2025
  • Medium
    Cloud bucket allows anonymous listing (contents not obviously public)

    An S3/GCS/Azure bucket allows anonymous listing; the objects are not recognizable public assets, so exposure is possible but unconfirmed.

    A01:2025
  • Medium
    Supabase Storage bucket list is anonymously readable

    An anonymous GET /storage/v1/bucket returns the project's bucket names — the storage bucket metadata is world-readable.

    A01:2025
  • Medium
    Supabase Storage bucket allows anonymous listing (contents not obviously public)

    A Supabase Storage bucket is anonymously listable; the objects are not recognizable public assets, so exposure is possible but unconfirmed.

    A01:2025
  • Low
    GraphQL introspection is enabled

    The backend's GraphQL endpoint answers an introspection query, exposing the full schema (types, fields, operations).

    A01:2025
  • Info
    BaaS collection is anonymously readable (no sensitive columns)

    A PocketBase/Appwrite collection returned records to an anonymous request, but no sensitive field patterns were seen — likely public-by-design.

    A01:2025
  • Info
    CouchDB database is anonymously readable (no sensitive columns)

    An anonymous read of a CouchDB database returned documents, but no sensitive field patterns — likely public-by-design.

    A01:2025
  • Info
    Elasticsearch index is anonymously queryable (no sensitive fields)

    An anonymous _search of an index returned documents, but no sensitive field patterns — likely a public search index.

    A01:2025
  • Info
    Table is anon-readable but holds no sensitive columns

    An anonymous SELECT returned rows, but no sensitive column or value patterns were detected — likely intentionally public.

    A01:2025
  • Info
    Supabase RPC (stored-procedure) surface referenced by the app

    The app's code calls Supabase RPC functions. A function defined SECURITY DEFINER runs with the definer's privileges and bypasses row-level security — an anon-callable one would be an RLS-bypass vector. This is presence-only: we detect the calls in the bundle but do NOT invoke the functions, so anon-callability and SECURITY DEFINER are unconfirmed.

    A01:2025
  • Info
    Cloud bucket allows anonymous listing (public assets)

    An S3/GCS/Azure bucket allows anonymous listing and its objects look like public CDN assets (images, css, js).

    A01:2025
  • Info
    Cloudflare R2 public bucket in use

    A public r2.dev URL is referenced — an R2 bucket exposed through Cloudflare's public-by-design dev endpoint.

    A01:2025
  • Info
    Supabase Storage bucket allows anonymous listing (public assets)

    A Supabase Storage bucket is anonymously listable and its objects look like public assets.

    A01:2025
Exposed files & artifacts 28
  • High
    Spring Boot actuator /env exposes configuration

    The Spring Boot actuator /env endpoint is public and dumps the app's property sources.

    A02:2025
  • High
    Spring Boot actuator heap dump downloadable

    The Spring Boot actuator /heapdump endpoint is public, serving a full JVM heap dump.

    A02:2025
  • High
    AWS credentials file publicly served

    An ~/.aws/credentials INI file exposing aws_access_key_id / aws_secret_access_key is downloadable.

    A02:2025
  • High
    Backup archive publicly served

    A ZIP archive (backup.zip / www.zip / public_html.zip) — confirmed by its archive magic bytes — is downloadable.

    A02:2025
  • High
    Plaintext credentials file publicly served

    A plaintext credentials file (~/.netrc or ~/.pgpass) is downloadable and returns real credential lines, not HTML.

    A02:2025
  • High
    Docker registry credentials publicly served

    A Docker CLI config (~/.docker/config.json) with an `auths` block is served publicly.

    A02:2025
  • High
    Environment file (.env) publicly served

    A .env-style environment file (any variant — .env, .env.production, .env.bak, …) is downloadable and returns real KEY=value lines, not an HTML page.

    A02:2025
  • High
    Kubernetes kubeconfig publicly served

    A kubeconfig (~/.kube/config) with cluster credentials is served publicly.

    A02:2025
  • High
    Private key file publicly served

    A PEM private key (e.g. .ssh/id_rsa, id_rsa) is downloadable.

    A02:2025
  • High
    Rails database.yml with credentials publicly served

    A Rails config/database.yml (or /database.yml) is served publicly and contains a literal database password.

    A02:2025
  • High
    Cloud service-account key file publicly served

    A GCP/Firebase service-account or OAuth credential file (serviceAccount.json, firebase-adminsdk.json, credentials.json) with a private_key is downloadable.

    A02:2025
  • High
    Deploy (SFTP) credentials publicly served

    A VS Code SFTP deploy config (.vscode/sftp.json) exposing a host plus a password or private-key path is downloadable.

    A02:2025
  • High
    SQL database dump publicly served

    A SQL dump (backup.sql / dump.sql / database.sql) with CREATE TABLE / INSERT statements is downloadable.

    A02:2025
  • High
    Terraform state publicly served

    A Terraform state file (terraform.tfstate) is downloadable.

    A02:2025
  • High
    WordPress config backup leaks DB credentials

    A wp-config.php backup (wp-config.php.bak/~/.save/.old) is served as raw source, exposing DB_PASSWORD and auth salts.

    A02:2025
  • Medium
    Spring Boot actuator endpoints exposed

    The Spring Boot actuator index is public, listing management endpoints (env, beans, mappings, …).

    A02:2025
  • Medium
    docker-compose file publicly served

    A docker-compose.yml/.yaml is served publicly, exposing service environment variables and topology.

    A02:2025
  • Medium
    .NET appsettings.json with secrets exposed

    A .NET appsettings.json carrying ConnectionStrings or other secrets is served publicly.

    A02:2025
  • Medium
    Git repository metadata exposed (.git)

    Git internals (.git/config, .git/HEAD, or .git/logs/HEAD) are served publicly.

    A02:2025
  • Medium
    Laravel log file publicly served

    The Laravel application log (storage/logs/laravel.log) is served publicly.

    A02:2025
  • Medium
    .npmrc auth token publicly served

    An .npmrc (or similar registry config) containing a _authToken / _auth / _password is downloadable.

    A02:2025
  • Medium
    phpinfo() output publicly served

    A phpinfo() page is publicly reachable (e.g. /phpinfo.php).

    A02:2025
  • Medium
    Config file with sensitive keys exposed

    A JSON config file (e.g. config.json) served publicly contains sensitive-looking keys (api_key, secret, password, token).

    A02:2025
  • Medium
    Apache server-status publicly served

    The Apache mod_status page (/server-status) is publicly reachable.

    A02:2025
  • Medium
    WordPress debug.log publicly served

    The WordPress /wp-content/debug.log is served publicly, exposing PHP errors and stack traces.

    A02:2025
  • Low
    .DS_Store index exposed

    A macOS .DS_Store file is served publicly; it discloses the names of other files in the directory.

    A02:2025
  • Low
    WordPress usernames enumerable via REST API

    The WordPress /wp-json/wp/v2/users endpoint returns the site's usernames.

    A02:2025
  • Low
    WordPress XML-RPC enabled

    The WordPress /xmlrpc.php endpoint is enabled and responding.

    A02:2025
TLS certificates 7
  • High
    TLS certificate has expired

    The certificate the site serves for HTTPS is past its expiry date.

    A04:2025
  • High
    TLS certificate is not yet valid

    The served certificate's start (not-before) date is in the future, so it isn't valid yet.

    A04:2025
  • Medium
    TLS certificate is expiring soon

    The served certificate is valid now but expires within the next 30 days.

    A04:2025
  • Medium
    TLS certificate does not match the hostname

    The served certificate's subject/SAN names do not cover the hostname being visited.

    A04:2025
  • Medium
    TLS certificate is self-signed / not from a trusted CA

    The certificate is self-issued (issuer equals subject), so it does not chain to a publicly trusted certificate authority.

    A04:2025
  • Medium
    TLS certificate uses a weak (short) RSA key

    The served certificate's RSA public key is smaller than the 2048-bit minimum.

    A04:2025
  • Medium
    TLS certificate uses a weak signature algorithm

    The served leaf certificate is signed with a collision-broken hash (SHA-1, MD5, or MD2).

    A04:2025
Email authentication (SPF/DMARC) 7
  • Info
    No DMARC record — spoofed mail is not rejected

    The domain publishes no DMARC (_dmarc, v=DMARC1) policy, so mailbox providers have no instruction to quarantine or reject failing mail.

    A02:2025
  • Info
    DMARC does not protect this subdomain

    This subdomain has no DMARC record of its own, and the organizational domain's policy does not enforce on subdomains (sp=none, or no sp= tag with p=none) — so mail spoofing this subdomain is not rejected.

    A02:2025
  • Info
    DMARC policy not enforced (p=none)

    The DMARC record uses p=none (monitor-only) or omits the required p= tag, so failing mail is still delivered.

    A02:2025
  • Info
    No SPF record — sender spoofing is unrestricted

    The domain publishes no SPF (v=spf1) TXT record, so receivers have no authorized-sender policy to check.

    A02:2025
  • Info
    Multiple SPF records — policy is undefined

    The domain publishes more than one v=spf1 record; per RFC 7208 this is a permerror and SPF may be ignored entirely.

    A02:2025
  • Info
    SPF is neutral (?all) — no enforcement

    The SPF record ends in "?all" (neutral): it expresses no pass/fail policy.

    A02:2025
  • Info
    SPF authorizes any sender (+all)

    The SPF record ends in "+all", which explicitly authorizes every host on the internet to send as this domain.

    A02:2025
Cross-origin (CORS) 6
  • Medium
    CORS allows the `null` origin with credentials

    The server returns Access-Control-Allow-Origin: null together with Access-Control-Allow-Credentials: true.

    A02:2025
  • Medium
    CORS reflects arbitrary origins with credentials

    The server echoes any request Origin back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.

    A02:2025
  • Medium
    CORS allows any origin with credentials

    Access-Control-Allow-Origin: * is sent together with Access-Control-Allow-Credentials: true.

    A02:2025
  • Info
    CORS allows the `null` origin (no credentials)

    The server returns Access-Control-Allow-Origin: null, but without credentials.

    A02:2025
  • Info
    CORS reflects arbitrary origins (no credentials)

    The server echoes any request Origin back in Access-Control-Allow-Origin, but without credentials.

    A02:2025
  • Info
    CORS allows any origin (no credentials)

    Access-Control-Allow-Origin: * without credentials — common and low-risk for public data.

    A02:2025
Software supply chain 6
  • Medium
    WordPress core is significantly outdated

    The detected WordPress core version is on a branch several releases behind the current line, so it is missing the accumulated security fixes WordPress backports to maintained branches.

    A03:2025
  • Medium
    WordPress plugin with a known vulnerability

    A WordPress plugin was detected at a version below the patch for a known CVE (the version is inferred from the plugin's asset URL).

    A03:2025
  • Medium
    Outdated JavaScript library with known vulnerabilities

    A client-side JavaScript library is loaded at a version below the fix for one or more known CVEs (the version is observed in a script URL or the library's own version banner).

    A03:2025
  • Low
    WordPress plugin present — version could not be confirmed

    A WordPress plugin with a known CVE history was detected, but its version could not be read from the page assets — so vulnerability can't be confirmed or ruled out.

    A03:2025
  • Low
    Third-party subresource loaded without Subresource Integrity

    A cross-origin (third-party) subresource — a <script>, stylesheet, or module/preload — is loaded without a Subresource Integrity (SRI) hash, so the browser can't verify the file wasn't tampered with before running or applying it.

    A08:2025
  • Low
    Subresource Integrity present but not enforced (missing crossorigin)

    A cross-origin subresource carries an `integrity` hash but no `crossorigin` attribute. On a cross-origin resource the browser fetches in no-cors mode and gets an opaque response it cannot read, so the SRI hash is silently NOT enforced — the pin does not take effect.

    A08:2025
Information disclosure 5
  • Low
    GraphQL introspection is enabled

    The API's GraphQL endpoint answers an introspection query, exposing the full schema (queries, mutations, types).

    A02:2025
  • Low
    API specification is publicly exposed

    An OpenAPI/Swagger specification is served publicly, documenting every route and parameter of the API.

    A02:2025
  • Low
    Source map exposes original application source

    A JavaScript bundle references a publicly-served .map file whose sourcesContent reconstructs the original, un-minified source (comments, internal logic, endpoints).

    A02:2025
  • Info
    Server banner discloses version

    The Server response header includes a version number.

    A02:2025
  • Info
    Framework disclosed via X-Powered-By

    The X-Powered-By response header advertises the server framework (and sometimes its version).

    A02:2025
Authentication providers 4
  • Medium
    Cognito identity pool grants AWS credentials to anonymous clients

    An AWS Cognito identity pool allows unauthenticated access, so an anonymous request obtains temporary AWS credentials with no sign-in.

    A01:2025
  • Low
    Firebase authorized domains include a wildcard

    The Firebase project's authorizedDomains list contains a wildcard entry, widening the OAuth redirect surface.

    A07:2025
  • Info
    Clerk open registration is enabled

    The Clerk environment config (readable from the public Frontend API with the publishable key) shows sign-up mode is "public" — anyone can self-register.

    A07:2025
  • Info
    Firebase open registration is enabled

    The Firebase project config (readable with the public web API key) shows email/password sign-up is open to anyone.

    A07:2025
TLS ciphers 4
  • Medium
    Broken cipher suites accepted

    The server negotiated a genuinely broken cipher (RC4, EXPORT, or NULL) from a weak-only ClientHello.

    A04:2025
  • Medium
    Weak cipher negotiated when strong suites were offered

    Even when offered strong suites, the server chose a weak (non-AEAD) cipher.

    A04:2025
  • Low
    Legacy 3DES cipher accepted

    The server accepts the legacy 3DES (Triple-DES) cipher suite.

    A04:2025
  • Low
    No forward secrecy (static-RSA key exchange)

    The server negotiated a static-RSA key-exchange cipher even though modern ECDHE suites were offered, so sessions have no forward secrecy.

    A04:2025
Session cookies 3
  • Medium
    Session cookie missing HttpOnly

    A session-looking cookie is readable by JavaScript because it lacks the HttpOnly attribute.

    A02:2025
  • Medium
    Session cookie missing Secure

    A session-looking cookie is set without the Secure attribute on an HTTPS site.

    A04:2025
  • Low
    Session cookie missing SameSite

    A session-looking cookie has no SameSite attribute.

    A02:2025
AI & agent surface 2
  • Medium
    Client-visible MCP / AI-agent configuration

    AI-agent / Model Context Protocol wiring is reachable from the client (an mcpServers block, MCP SDK, or an MCP server reference).

    A02:2025
  • Info
    AI / LLM surface present

    A client-visible AI/LLM integration was detected — an LLM provider host called from the browser and/or an agent framework in the bundle.

    A02:2025
Content security policy 2
  • Low
    Content-Security-Policy present but weak

    A CSP exists but its script policy allows unsafe-inline, unsafe-eval, or a wildcard source.

    A02:2025
  • Info
    Standard hardening headers absent

    One or more defense-in-depth response headers (HSTS, CSP, X-Content-Type-Options, frame protection, Referrer-Policy) are missing.

    A02:2025
DNS & subdomain takeover 1
  • High
    Possible subdomain takeover (dangling DNS record)

    A DNS record (via CNAME) points at a hosting service resource (S3 bucket, GitHub Pages site, Heroku app, …) that is unclaimed — the service returned its distinctive 'unregistered' response.

    A02:2025
Error disclosure 1
  • Medium
    Server error / debug page exposed

    The site served a framework debug or stack-trace page instead of a generic error — leaking its framework and version, server file paths, and often source snippets, SQL, or configuration.

    A10:2025
TLS protocols 1
  • Low
    Deprecated TLS 1.0 / 1.1 still accepted

    The server still completes handshakes over TLS 1.0 and/or 1.1, which are formally deprecated.

    A04:2025
Transport security (HSTS) 1
  • Low
    HSTS max-age is very short or zero

    Strict-Transport-Security is set but with a max-age under a day (or 0).

    A04:2025

This list is generated from the same catalog that powers every report, so it always reflects what the scanner actually checks. New detections are added over time. How scanning works · Ask about a specific check.